Potential Worm Activity Detected

Q: Potential Worm Activity Detected

Hi, strange emails are being sent from my computer to random email addresses with subjects advertising prescription drugs and I keep receiving alerts from McAfee saying Potential Worm Activity Detected. I ran Hijack This and have posted my log below. Any help on what to do to stop these emails would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 14:32:56, on 21/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spmsg2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Kontiki\KHost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Carl Zeiss\MTB 2004\MTB Server Console\MTBService.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\spmsg2.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6187A0A7-557F-46F7-82F0-CE13E30598EC} - C:\WINDOWS\system32\bizituw.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [hyytk] C:\WINDOWS\system32\c1yuupgg.exe
O4 - HKCU\..\Run: [kfwwri] C:\WINDOWS\system32\oojaavmmhy.exe
O4 - HKCU\..\Run: [pklgccx] C:\WINDOWS\system32\zuu6gg6sy.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: xgfrwa ctboof.dll wpqjqb.dll abqybu.dll jfrcpw.dll C:\WINDOWS\system32\genakoso.dll C:\WINDOWS\system32\gikatuma.dll C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\system32\__c001A599.dat C:\WINDOWS\s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: MTB2004 Server (MTBService) - Carl Zeiss - C:\Program Files\Carl Zeiss\MTB 2004\MTB Server Console\MTBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12251 bytes
Thanks

A: Potential Worm Activity Detected

If anyone could check my HijackThis log I would really appreciate it.
Thanks

RELEVANCY SCORE 106

Hi,

I've seen other forums on this topic but none of them have really helped me.

My McAfee Virusscan keeps popping up with

Potential Worm Activity Detected!
The last few sent e-mails contained similar subject or body content
E-mail Subject: Can you imagine that you are healthy

I ran my McAfee, Ad-Aware and also Spy Sweeper but none of them has helped. On another forum I saw a program called VundoFix so I downloaded and ran that but it hasn't helped. I've posted my HijackThis logfile below. I'm fairly computer illiterate so please try to dumb it down, thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 2:30:13 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\... Read more

A:Potential Worm Activity Detected!... Please Help.

Closing duplicate thread, please continue here: http://forums.techguy.org/security/578825-my-mcafee-keeps-popping-up.html#post4766708
 

RELEVANCY SCORE 106

When I am trying to e-mail individual pictures - the e-mail in Outlook Express in the "sent" folder keeps staying in there and my computer keeps trying to send it. Then a pop-up from McAfee comes on saying:

"Potential Worm Activity Detected! The last few sent e-mails contained similar subject or body content. Then it gives the E-mail Subject and then it says I want to......
Stop this e-mail
Find out more information
or Continue what I was doing."

Even though I am just sending it to one person, not multiple addresses - that box comes up.

What is causing this and how do I correct this problem? I've never had this problem in the past. When I send pictures as "attachments" this does not happen. The only time this happens is when I try to send an e-mail with the pictures being shown in the message.
 

A:Potential Worm Activity Detected ?

Download HijackThis and do a scan, then copy and post the log here for someone to analyze. As well, do a scan here.
 

RELEVANCY SCORE 106

My McAfee is driving me crazy, it keeps popping up saying "Potential Worm Activity Detected" and it says that emails are being sent out. It also keeps blocking a trojan but not getting rid of it. I've done a full system scan but it could not recognize it. I also did Spybot S&D, Lavasoft Ad-Aware, the Trend online scan and the multi_av scan. I don't know what's going on. I'll give you my HijackThis log. I would really appreciate it if someone could help me.

Logfile of HijackThis v1.99.1
Scan saved at 11:30:24, on 04/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Autodesk Shared\Ser... Read more

A:Potential Worm Activity Detected

RELEVANCY SCORE 106

I've seen several other members experience the same problem, where McAfee keeps telling me that "Potential Worm Activity Detected!". It goes on to say "The last few sent e-mails contained similar subject or body content." and the subjects are random, as well as the emails they are sent to. Here is a copy of my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:21 AM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mcafee.com\vso\mc... Read more

A:potential worm activity detected

Hiya and welcome to Tech Support Guy

Are you still having this problem? If so, do the following:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click &q... Read more

RELEVANCY SCORE 106

Please help me. I'm running Windows XP, and McAfee VirusScan. My system won't stop sending emails.

"Potential Worm Activity Detected! The last few sent emails contained similar subject or body content."

I'm given three options

1. Stop this e-mail
2. Find out more information
3. Continue what I was doing

No matter which option I choose, a similar message will subsequently appear. I can't seem to get out of this endless loop.

I ran AVG antivirus, and cleaned detected infections, but it has not solved the problem.
I then have Norton antivirus installed on the system. But similar messages of email being sent keep popping up. Please help as I am in a desperate situation.

The following is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:19 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
... Read more

RELEVANCY SCORE 104.8

Often on my computer McAfee pops up an alert saying that "5 e-mails have been sent within the last 30 seconds. This condition might indicate a worm is attempting to send e-mail." I ran a virus scan and spyware scans but they didn't turn anything up.

These emails are being sent to addresses I have never seen before and the email subject is always something "sexually-explicit".

I'm pretty sure the problem is similar to this one

Here is the HJT log I just ran...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:28:53 PM, on 6/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DO... Read more

A:McAfee: Potential Worm Activity Detected

Bump, any help is appreciated!!
 

RELEVANCY SCORE 104.8

I have McAfee Internet Security 2006.

I repeatedly get the potential worm activity detected message from McAfee VirusScan. It says 2 emails have been sent within the last 25 seconds. This condition might indicate a worm/virus is attempting to send email. The email subject varies from "about your health", "Your health, your care", to Viagra messages. I use Outlook and it is not open. I have run McAfee virus scan, CA-etrust online virus, and downloaded AVG virus software to identify this virus. But have not been able to identify it or fix it.

Windows XP Professional SP2. I would appreciate any help you can offer.
I've pasted my HijackThis log below.

Logfile of HijackThis v1.99.1
Scan saved at 7:10:35 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\Gri... Read more

A:Solved: Potential Worm Activity Detected

RELEVANCY SCORE 104

Hi,

I've seen other forums on this topic but none of them have really helped me.

My McAfee Virusscan keeps popping up with

Potential Worm Activity Detected!
The last few sent e-mails contained similar subject or body content
E-mail Subject: Can you imagine that you are healthy

I ran my McAfee, Ad-Aware and also Spy Sweeper but none of them has helped. On another forum I saw a program called VundoFix so I downloaded and ran that but it hasn't helped. I've posted my HijackThis logfile below. I'm fairly computer illiterate so please try to dumb it down, thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 2:30:13 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\... Read more

A:My McAfee keeps popping up with Potential Worm Activity Detected! Please help

hi, welcome to TSG.


Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Download AVG Anti-Spyware

http://www.ewido.net/en/
* Once you have downloaded AVG Anti-... Read more

RELEVANCY SCORE 84.4

I have McAfee Internet Security 2006.

I repeatedly get the potential worm activity detected message from McAfee VirusScan. It says 5 emails have been sent within the last 25 seconds. This condition might indicate a worm/virus is attempting to send email. I use Outlook and it is not open. I have run McAfee virus scan, XSoftspy SE & Registry Mechanic and cannot get rid of it... once I close Outlook, I can't even open it again till I reboot.

I ran Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 11:01:45 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C... Read more

A:Potential worm activity...

RELEVANCY SCORE 84.4

My computer is sending mass emails and the McAfee warning is driving me crazy. I have looked at other posts with my situation. It seems that I need to give my HijackThis log. Here it is. If anyone can see what I need to get rid of, please let me know.
Windows XP
Service Pack 2

This v1.99.1
Scan saved at 4:22:28 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1126029153\EE\aolsoftware.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\McAfee.com\VSO\mcvs... Read more

A:Potential worm activity...

RELEVANCY SCORE 84.4

I got this Potential Worm Activity Detected from McAfee that I installed. I did full scan with several antivirus but it didn't cure the problem. I used McAfee, Lavasoft Adware, AVG anti spyware, AVG 7.5. My OS is Windows XP professional SP 2. Following is logfile of Hijack This v.1.99.1. I would really appreciate if someone could help me. Thank you in advance.

PS: in the log file you can see "Yahoo!???????" which is Yahoo Messenger Japan. The question marks are due to Japanese characters not displaying properly.

Also, "O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing" is because the AVG quarantined the msnetax.dll.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:16 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGE...


Hi

I am hoping someone will be able to help me. I keep getting a message "5 e-mails have been sent within the last 30 seconds. This condition might indicate a worm (/virus) is attempting to send e-mail." I ran HJT and got this log. Any help would be very much appreciated.

Thanks
John

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:10:21, on 10/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Smart PDF Converter Pro\sspdfagentd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\TEMP\ugpfwlqbwq.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Progra...

A:Potential Worm Activity Detected!

bump
 


I have McAfee VirusScan 2006.

I repeatedly get the potential worm activity detected message from McAfee VirusScan. It says 5 emails have been sent within the last 30 seconds. This condition might indicate a worm/virus is attempting to send email. The email subject mostly reads "ACR0BAT 8 PR0 & 0FFICE 2OO7 $79 NOW at <varies of first name> WebShop". I never use Outlook Express and Microsoft Outlook 2003. I have run McAfee virus scan to identify this virus. But have not been able to identify it or fix it even though it is cleaned before VirusScan. I have no other virus along with it. Everything is fine except that dang pipsqueak "Potential Worm Activity" notice from McAfee repeatedly.

This is from my Toshiba Laptop Satellite
Intel(R) Celeron(R) M
processor 1.50GHz
240 MB RAM

Microsoft Windows XP
Service Pack 2

************************************************

Here is my laptop hijack log below:

Logfile of HijackThis v1.97.7
Scan saved at 9:38:41 AM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxtray.ex...

A:Solved: Potential Worm Activity frequently by McAfee...Please Help.. Thanks


Hello, I am new to this forum and was wondering if someone could help?

I have run Mcafee virus scan 9 and it detected nothing. On restart I keep getting the pop up "Potential Worm Activity Detected!"- it appears my computer is trying to send emails to a range of email addresses I do not know.
I ran the scan in safe mode nothing was detected.

Here is my HJT logfile - can anybody help?

Thanks
Logfile of HijackThis v1.99.1
Scan saved at 10:37:24, on 04/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\HPConfig.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C...

A:Newbie! Run Mcafee virus scan still have potential worm activity!

Sorry, I am not a pro so I can't help you with your virus, but you have a lot of programs in your startup [04] that you don't need. Here are 2 websites to help you trim it.
http://www.netsquirrel.com/msconfig/

http://www.castlecops.com/StartupList.html
 


I am getting this popup from my McAfee virus scan multiple times a day. But when I run virus scan, nothing is found.

Potential Worm Activity Detected
The last few sent emails contain similar subject or body content
Email Subject - Susan 5982 - Clipboard
sent to [email protected]

I haven't sent any emails with that subject and I don't know anyone with that email address.

What should I do?

Thanks,
Susan

A:Help - Potential Worm Activity Detected

It would appear you have a keylogger or similar which is emailing your keystrokes or a record of visited sites etc. to this email address.
You need to immediately run the following scans and fix what they find and then post a hijackthis log on the hijackthis log board. Moderators please move this to hijackthis log board


Please download
Mcafee stinger multivirus removal tool
Install and run

Spybot search and destroy
Ad aware personal from Lavasoft
Install, update, run, check for problems, fix problems.
A Squared trojan remover
Download, install, update, scan and fix.


How do I get rid of this message - can't send email at all
 

A:Possible worm activity detected with McAfee

Hi huff0623

Welcome to Tech Support Guy Forums!

Does McAfee point to an email message containing the worm?

If so, have you tried deleting the message?

Run an online antivirus check from at least one and preferably 2 of the following sites
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://security.symantec.com/default.asp?
http://www.ravantivirus.com/scan/
Allow them to clean/delete any spyware/malware or viruses/trojans they may find.

If you do not already have these programs,
Download:
Ad-Aware SE 1.05
Spybot-S&D (ver. 1.3)

Install Ad-Aware SE and Spybot-S&D and check each of them in turn for updates.

For Ad-Aware SE click on Full System Scan and deselect Search for negligible risk entries.
Let Ad-Aware SE remove what it finds.
Run Spybot-S&D and have it fix what it finds marked in Red.

After running your online virus scans and running Ad-Aware SE and Spybot S&D,
close all programs and reboot to complete the removal process.

If you are still receiving this message and are unable to send emails, try turning off email scanning in your Anti-virus program and check your firewall to make sure it is allowing your messaging program access to the internet.

Let us know what happens.
 


Last night I acquired the spymalware doctor and microsoft essentials alert virus. I tried to get rid of it all using some malware and virus scans. But for the first time ever, I have this rundll32exe ilaquawamoh.dll program running at startup, even after I delete it. What tools can I use to make sure this junk is out of my system? I have already run hijack this and malware bytes... Something just doesn't seem right

A:Help with potential virus activity

Hi .

Based on the various logs which have come through here before...what you have posted seems to be only a partial log, with most of the normal data reflected missing.

Since it seems to be very incomplete...I will move your thread to the Am I Infected forum for proper guidance and assistance.

Louis


I have scanned with spybot, adaware, super anti-spyware, mcafee stinger, and all the others recommended by this forum and still have the same problem. I get the message "Windos Security Alert - Warning Potential Spyware Operation - Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unathorised access to your files! Clik YES to download spyware remover ..." and of course I click no to cancel. It tries to reset my homepage to google.com and disables the control panel and the task manager. Here is the hijack this log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:01 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WIND...

A:Windows Security Alert - Warning Potential Spyware Activity

Hello dannic and welcome to BC. My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1
We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.
To disable Real-Time Protection:
Go to "Tools" | "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on real-time protection (recommended)"
Remember to reactivate this feature when we have finished all our work.

Step #2
1. Download combofix from one of these links: Link1 Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply and new HijackThis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Regards,


Hi.. Something has happened to my system. I do not see the control panel on my start menu. Has removed me as the computer Administrator, and there is a message box that returns every 5 minutes which says: Windows Secuity Alert, Warning! Potential Spyware Operation!, Your computer is making Unauthorized copies of your system and internet files. Run full scan now to prevent any unauthorised access to your files! Click YES to download spyware remover.... At the bottom of the pop-up there is a Yes and a No button, and if you push yes you are taken to some web site that offers to sell you a spyware removal program that will make everything ok.

I also can't access my My Computer properties. I tried to reach my Control Panel by right clicking my desktop, then clicking on properties. None of it worked. When I clicked on properties I was told: "The operation has been canclled due to restrictions in place on this computer. Please contact your system administrator".

I already have AVAST Antivirus/spyware removal v4.7 installed in my system. It had showed some trojan infections.. but nothing has worked out. Also installed SmitfraudFix.exe and executed in safe mode.. and then consecutively executing the "SUPERAntiSpyware" spyware removal tool. But still no use. Please find the log created by the Trend Micro HijackThis v2.0.2. Please HELP!!

My Initial Investigation: I ran MSCONFIG and got the programs/applications which are in the STARTUP. I found that th...

A:Windows Security Alert - Warning! Potential Spyware Activity..

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.


Upon using Adw Cleaner, I found out on Tuesday that they have an additional option to install "Hosts Anti-Pup/Adware" as extra protection.  Adw Cleaner (French download) appeared to not be infected, as no virus warning appeared when I scanned and cleaned before and after restarting my computer, but when I tried to install Hosts Anti-Pup/Adware, the following appeared:
 
! AVG Detection
 
Worm/Autoit AZCI Infected
Worm/Autoit AZCH Infected
 
Remove All
 
Additional Information:
 
HOSTS-Anti-Adware-main.exe
HOSTS Anti-Adware.exe
 
At the same time, I spotted in my add-on bar that an extra icon had suddenly appeared.  When I clicked on it, six listings of the following details were listed with all downloads stating webm, mp4, flv and 3gp video files, which relate to the Firefox add-on Flash and Video Download:
 
Flash Files to Download
Watch-as3.swf
Videos to Download
DomaIQ: Fake Flash / Java - You Tube
 
I assume that as "Fake Flash" was listed among the details, I was wise to not click on any of those files, which would probably have infected my computer further.
 
I then clicked on "Remove All" and the AVG report changed to "Secured" next to both files, which I had assumed meant my computer was now clean and I deleted the Desktop shortcut to the worm program.
 
In between, this appeared and the http://www.malekal.com/2012/01/10/hosts-anti-pupsadware link appeared (the Firefox add-on Trust My Web gives this site a Gr...

A:Potential Worm

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

--RogueKiller--

Download & SAVE to your Desktop For 32bit system or For 64bit system
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator to start"
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller

+=======

Please run the AdwCleaner and if prompted to update please do.
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.

IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

Close all open programs and internet browsers.
Double click on AdwCleaner.e...


On May 12, 2017, the WannaCrypt ransomware served as an all too real example of the danger of cyber attacks to individuals and businesses globally.

In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations. To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows. Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt. For more technical information and links to related articles, visit our Microsoft Security Response Center blog.

It is important to note that if you're running a supported version of Windows, such as Windows 10 or Windows 8.1, and you have Windows Update enabled, you don't need to take any action. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.

If you're unsure what version of Windows you're running, or whether you have Wind...


My computer is constantly freezing/slowing down to a snail's pace. I have done everything from running Malwarebytes anti-malware and AVG (separately), to defragging my hard drive, to stopping the indexing of my files for microsoft searches. I'm hoping that it's something simple, as it is starting to affect my ability to do school work. And just to clarify, when any of these events occur, there is no message that pops up with a message about any error.
Here is the log:
DDS (Ver_09-10-26.01) - NTFSx86
Run by Rees at 1:30:06.92 on Mon 10/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.89 [GMT -5:00]

AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGI...

A:Potential worm and/or malware

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic, if you still need help please let me know what issues you are still having, in your next reply.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Then please post back here with the following:
log.txt
info.txt

Thanks


Okay, my computer has been going a bit funky here lately. This morning while it booted I didn't look at the screen right away but when I came back there was a command prompt window open, saying something about worm patterns loaded and on top of the command prompt window at the end was something about STC.exe, I immediately closed it and rebooted the system. As you can see it's loaded up and I can access the internet but I would like it if someone could look at my HijackThis log. Also when I run Spybot, a Ras Profile Dialler keeps coming up, spybot can't remove, any help around that would be appreciated greatly.

Logfile of HijackThis v1.98.2
Scan saved at 11:59:28 PM, on 10/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:...

A:Potential Worm Problem, Please Look at my HJ Log

Sounds like STE.exe is "2nd Thought" adware.

Download Ad-aware SE.

Ad-aware SE download

Configure Ad-aware:

First in the main window look in the bottom right corner and click on "Check for updates now." then click Connect and download the latest reference files.

From the main window, click "Start" then under "Select a scan Mode" select " Perform full system scan ."

Next deselect "Search for negligible risk entries."

Click the "Next " button.

When the scan is finished mark everything for removal and delete the selections. (Right-click within the window and choose "Select All" from the drop down menu and click "Next")

Restart your computer.
 


Hello,

I followed the steps to run a HJT Report however once I click the DDS link it acts like it wants to run but then nothing happens. I seem to have this problem with other programs as well. I have two computers I am trying to clean up so I will post two HJT logs as soon as I can get this resolved. Any help would be appreciated.

Thanks.

A:Need help with potential virus/worm

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.


Hi there,

I've used this forum before and reused some of the tools from a previous bad experience to try and remove a dodgy file that Winpatrol keeps saying is trying to gain startup access: winlogon_63.exe. This is apparently listed under "Microsoft Security Essentials" and a search has led me to believe it's Worm:Win32/Ainslot.A. I was editing my hosts file to try and gain access to a website that has had trouble recently with access, and searched for hosts file editing help. Seems a random pdf file popped up out of nowhere, which never actually loaded, I just got an error about it not displaying properly, and now I've wound up with a sluggish computer and dodgy looking startup requests.

I scanned using Malware Bytes, restarted to remove the file, and I'm still getting the startup access request, and it still exists in the WinPatrol window, so I thought I'd come here.

DDS.txt file:

DDS (Ver_10-12-12.02) - NTFSx86
Run by !Vicky at 18:39:18.46 on 07/02/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2815.1610 [GMT 0:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\...

A:Potential Worm:Win32/Ainslot.A

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


Hello, I'm a newcomer and I think my computer could be infected. In addition, I don't have a lot of experience on how to diagnose or clean my computer. I have run many scans with many different software's. For example, I've done scans with Norton Anti-virus Suite, Ad-Aware, Spy Bot, Mal-aware bites and many more. Most of my scans except Norton's I have found infections (at least that is what I think they were), and unfortunately I did not save the logs of any of these scans and I can't find them in my pc. Also, I've tried running this software's again but no further infections found, but infections had something to do with "something, something... DNS." Sorry for not providing you with the specific name but I just can't find it and I don't remember. Thank you for your help and I hope my information can help. Attached find all my scan logs.
DDS (Ver_10-10-21.02) - NTFSx86
Run by kokoroko at 17:49:55.23 on Sun 10/24/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.85 [GMT -7:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe...

A:Potential virus, trojan or worm.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/m...


Hello,

I received help with a Virtumonde infection on a separate computer a few years ago on the BleepingComputer forums, but I forgot my username/pass. Anyway, I was hoping I'd be able to get similar help with a recent infection. I have had a Conficker A infection on my USB drive, which was removed by an Anti-spyware program on a work computer, however I used that USB drive on my home computer (the one I'm posting with) before I was aware it was infected. I didn't transfer any files from the USB to my home computer, and I've run Malwarebyte's anti-malware and Spybot S&D with no detected infections, however I'm still a bit concerned that my home computer may have become infected during the process or in the past to transmit the infection to my USB. My laptop may also have been the source of the infection - I am almost certain that it has some form of malware/spyware on it as it runs extremely slowly at times and has had problems with programs crashing recently.

I am posting here with my home computer because I would like to be able to work on a computer in the meantime that I can be sure is clean. Later on, could I also post my problems with my laptop? I'd be willing to wait to allow new posters to get help before I do if that were the case. I'd be really grateful for any help I can get.

Anyway, here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Chew Ng at 20:3...

A:Potential Conficker A worm infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about y...


I have Mcafee Internet Security 2006.

I repeatedly get the potential worm activity detected message from McAfee VirusScan. It says 5 emails have been sent within the last 25 seconds. This condition might indicate a worm/virus is attempting to send email. I use outlook and it is not open. I have run McAfee virus scan, XSoftspy SE & Registry Mechanic and cannot get rid of it...once I close outlook, I can't even open it again till I reboot.

I ran Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 4:33:19 PM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)


A:Hijack logfile PLEASE HELP for potential worm

Please do not start more than one thread for the same problem.

Closing duplicate.

Please continue here:

http://forums.techguy.org/security/527014-potential-worm-activity.html#post4261521
 


Websense Security Labs has had reports of a new worm that uses Skype to propagate. We are still investigating the issue but here are the details so far:

* users receive messages via Skype Chat to download and run a file
* the filename is called sp.exe
* assuming the file is run it appears to drop and run a password stealing Trojan Horse
* the file also appears to run another set of code that uses Skype to propagate the original file
* the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
* the file connects to a remote server for additional code
* the original site has been black holed and is not serving the code anymore
* the number of victims is still TBD
* the original infections appear to be in APAC region (Korea in particular)

More details will be published later today when we get more details.

Special thanks to the Shadow Server for research assistance.

Source http://www.websense.com/securitylabs/blog/....php?BlogID=101


Continual pop up box (about 300 times today) McAfee VirusScan 'potential worm activity detected' saying I've sent emails (hundreds apparently!). I can't get rid of it and my computer also keeps powering down and restarting by itself.
Email addresses are not known to me - if I 'stop this email' I just get another, and another............... I can't delete these emails from message queue as suggested because I don't know where they are being sent from - I have just transferred from AOL to Sky so I haven't even used my new email addresses!!
At a suggestion I have downloaded 'hijack this' program and have copied the results below
Logfile of HijackThis v1.99.1
Scan saved at 21:06:18, on 05/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


A:PLEASE!! help mcafee potential worm/virus

Hi, Welcome to TSG!!

Click on the link below to get lsp-fix.
Run that to fix your internet connection.

http://www.cexx.org/lspfix.htm

Check the box that says "I know what I'm doing".
Remove msnetax.dll only that one!

Click Here and download Killbox and save it to your desktop.
Double-click on Killbox.exe to run it.
Put a tick by Delete on Reboot.
Copy the following list of files to clipboard, CTRL+C to copy

C:\WINDOWS\SYSTEM32\sysfldr.dll
c:\windows\system32\msnetax.dll
Now in Killbox go to File, Paste from clipboard.
Click the All Files button.
Click on the button that has the red circle with the X in the middle.
It will ask for confirmation to delete the file.
Click Yes.
It will ask if you want to reboot now,
Click Yes.
Note: It is possible that Killbox will tell you that the file does not exist.

If your computer does not restart automatically then please restart it manually.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" error message then just restart manually.

Please move hijackthis.exe into a permanent folder.

To create a permanent folder click My Computer, then C:\
In the menu bar click on File, New, Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder.
Put your HijackThis.exe into that folder and post another log.
 


Hey guys, I just joined BleepingComputer because I see you've helped out a lot of people with similar problems. Recently 85% of the time when I click on a link from Google it brings me to a different site which gives me tracker cookies which show up in Spybot. I thought it wasn't a big deal until I ran Malware Bytes and for 28 infected objects. It got rid of 26 and two will not delete. Here are the logs...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:44 PM, on 7/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

A:Google redirection potential of a worm??

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Potential Koobface gang Worm Infection caught from Facebook. Hijacks browser from search engines and takes me to various malware sites that say that my computer is infected with a virus and that I need to download software to fix it. Have run SUPERAntiSpyware and Malwarebytes Malware programs. It finds two Trojans and fixes them, but the problem still persists. Logs attached. Thanks for any help.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Emily at 20:08:47.06 on Sun 08/23/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.982 [GMT -4:00]

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}


A:Potential Koobgang Worm Infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Hi.

I am carrying this topic here from the Am I infected? What do I do? and the topic Ie: Xpc Infosystems, IE Homepage hijacked !!!. All troubleshooting included in the earlier post. The problem in short is that the IE7 Homepage is hijacked to "http://nvr.xpc.co.in" and the IE Window Title has changed to XPC Infosystems.

1. Performed a scan using Kaspersky Online Scan, which showed Worm.VBS.Small.n as the infection. Result attached.
2. Performed a scan using Deckard's System Scanner. However, I ended up closing the notepad files "main" and "extra". How can I locate them on the system drive?
3. Have followed the steps as mentioned in the topic Ie: Xpc Infosystems, IE Homepage hijacked !!! but enabled the Windows Scripting so that it could be caught by the scans.

Please help to solve this.

Thanks

The HJT Log is attached below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:57 PM, on 22/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

A:Ie7 Homepage Hacked: Potential Malware (worm.vbs.small.n)

Saurav Raaj

Sorry for the delay

You have a suspicious file I would like to look at

Please go HERE
Put Your Name, and Bleeping Computer HJT forum
and In the file to submit box, click Browse. Locate the file
C:\WINDOWS\system32\NewVirusRemoval.vbs
In the comments tell them that I asked you to upload the file
Then Select Send File.

Thanks

2. Rerun Hijackthis (scan only) and place checks beside the following entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs

Close all other open windows except Hijackthis and Select "Fix checked"
Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log


I was informed early this morning that our PC was potentially infected with reported activity of opening undesired web pages, programs opening/closing automatically, and Windows Vista Home Security popping up with a list of infections.

I am still in the very early stages of back tracking this problem but it appears that a member of our household was visiting a website, when they must have clicked on a sponsor link for that took them to another site. There is no history for the second site, but the time stamp was about 15 minutes before the problems started to occur. Everything else in the history log is pretty average for our household.

AVG scans came up clean, but there is a line item in the virus vault around that time with this entry:

Infection Type: Warning
Virus Name: Found registry key with reference to file C:\ Users\Computer\AppData\Local\oxp.exe
Path to File: HKCR\exefile\shell\open\command\\
Date of storage: 5/8/2011, 7:14:01am

Perhaps I'm incorrect in thinking that one click to a mystery website caused all this - but I'm not sure how to look and find out where all these came from? Any help diagnosing and correcting this would be greatly appreciated. The infected PC has been completely disconnected from the internet and I will be using our backup for the duration of the recovery.

Here is a complete list of Malware identified by Windows Vista Home Security:
Email-Worm.JS.Gigger
IM-Worm.Win32.Kelvir.k
MWME.Tw... Read more

A:Several Malware Detected & Potential Rootkit

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap...


I have what I presume is a fake Windows security message that tells me to download a probable fake anti-spyware program on my son's computer.

UPDATED INFO He was watching tv on computer and trying to log on to facebook the sound stopped he got a warning which closed before he could read it. The browser worked, fb worked he minimized the browser and the desktop was blue there was a warning that said he had spyware and had to run a scan and he clicked on the red circle x's thinking that was McAfee and it didn't do anything so he disabled his internet so nothing further would happen.
last thing he downloaded was the movie a night or two before and it ran that night fine. When I checked frostwire was running and I turned it off

It's running Windows Xp and there are two red circular icons with a white X on the taskbar and task manager is greyed out when I right click the taskbar and if I ctrl alt del it's greyed out as well.

This is what pops up:

Attention! System detected a potential hazard (TrojanSPM/LX) on your computer|that may infect executable files. Your private information and PC safety is at risk.|To get rid of unwanted spyware and keep your computer safe you need to update your current security software.

The internet seems to have been disabled on this computer as well so I can't download hijack this to run it.
Windows XP
McAfee Security Center
Windows Xp
 


I restarted my computer after uninstalling and reinstalling my antivirus (pc tools antivirus) and when I booted up I got the error message

"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/system.
Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly."

I went to this website to fix it and have followed the directions on the site http://kb.wisc.edu/helpdesk/page.php?id=2048. Apparently Windows was already patched when I tried to patch it so I skipped that step and I am scanning with the Symantec w32.blaster.worm fix tool right now.

What I want to know is how this happened and how to prevent it next time.

Thanks for any and all help.

A:might have w32.blaster.worm COMPLETE DESCRIPTION OF PROBLEM AND POTENTIAL SOLUTION

If your computer was already patched, it should not have gotten the worm... Worms have a tendency to crawl around the web installing themselves on people's unprotected computers. We don't offer security advice in the Microsoft forums, we actually have a security section specifically for this type of situation.

Look over the First Steps at Removing Malware. Make a note of any steps you cannot complete, and post that information, along with any required logs in the HijackThis Log Help section.

Please be patient as our security team receives a lot of logs every day. If you do not receive a response after 24 hours, you can post again to bump it back to the front page.


I have crazy worm activity that makes my computer impossible to use. Have tried multiple times to fix it with no results. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:02 AM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

A:Worm Activity

Hi,

You have probably been helped elsewhere, but if you still need help can you post a new log from HijackThis. The notification system will tell me that you posted.

In case you are not using the latest version of HijackThis (1.99.1), please download the latest version from one of these addresses:

http://www.bleepingcomputer.com/files/hijackthis.php
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.downloads.subratam.org/hijackthis.zip


I'm getting alerts that this computer as well as others are trying to access 50.63.202.43 over port 135. It's very suspicious, but normal scans with AV/Malwarebytes don't come up with anything and 50.63.202.43 is a very common GoDaddy IP address.
Below are FRSTS.txt and attached is Addition.txt
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:21-10-2015 01
Ran by JasonF (administrator) on ANZL2CE35119Z0 (24-10-2015 02:27:00)
Running from C:\Users\christianh\Downloads
Loaded Profiles: ChristianH & JasonF (Available Profiles: exchadmin & johnra & KevinM & ChristianH & abhis & anuser & Administrator & JasonF & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpCardEngine.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Validity Sensors, Inc.... Read more

A:Possible worm activity? Help please.

Greetings JHBPJF and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems ...


Hello,

I am trying to help a friend, and I am not sure if this is the result of an actual virus or not.

Although my computer on their network is having no problems resolving google etc, their computer will not connect to search websites.
I have tried changing their dns settings to 8.8.8.8 to no avail.
Their computer is running Windows XP with automatic updates turned on and service pack 3 installed.

They are running AVG 2012 Free, with all updates applied till today 03/April/2012
A full computer scan popped up one instance of a generic trojan, but this was supposedly solved by the anti-virus.
A rootkit scan shows:
"";"<unknown>";"Corrupted section atapi.sys[.text] +0x6852, size 1 bytes";"Object is hidden"

Is this actually a virus?

Thanks for any help,

Donat

A:search engines are not available, and AVG has detected a potential rootkit

Please download aswMBR ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


The problem started yesterday (9/19). I was prompted by McAfee to fix a lack in security on my computer. Not long after I did that Internet Explorer crashed and would not open again. I received the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions or access."

Upon further attempts, I also received this message: "Application cannot be executed. The file is infected. Please activate your antivirus software."

I tried to run a scan with McAfee, but got this error: "Scanning has encountered a problem from which it cannot recover. Here are the problem details - Error starting on demand scanner."

I opened a Firefox browser and was able to use it temporarily - but then it crashed also and will not open again.

Other applications have also failed - Outlook Express, etc.

I tried running Ad-Aware - it also crashes.

I tried running HijackThis, and the preferred methods suggested on this site (DDS.scr and RootRepeal). These executables all seem to start but do not run to completion. They just seem to disappear.

I'm sorry but I have no logs to post at this time. First off, I guess I need help figuring out how to get these logging tools to run in the current state of this machine.

Finally, I have also received this lengthy message: "Attention! System detected a potential hazard (Trojan SPM/LX) on your computer that may infect executable files. You private... Read more

A:attention! system has detected a potential hazard (Trojan SPM/LX)...

Moved from HJT to a more appropriate forum. Tw


Hi,
Since a few days, I noticed my internet connection hiccups. Monitoring packets, I saw even if no programs were open, there was internet activity.
Using TCPview from sysinternals, I discovered a lot of connections on the SMTP port, and a few on HTTP and HTTPS port.
I started PeerBlock, and it blocked many servers from spreading.

The situation looked similar to other times.

I downloaded latest version of combofix and placed it on my desktop. Then:
- I turned off my pc
- I turned it on and chose to run in Safe Mode
- started combofix in safe mode (no network support)

combofix found and deleted some files. Then combofix restarted my pc in normal mode and finished its job.

I checked the connections, and they looked ok. There was no activity.
After 10 minutes, unfortunately, the strange activity started again. Many connections on the SMTP port.

I also tried looking into processes (with processExplorer from SysInternals): there are many svchosts instances, but they look normal.

What tools can I use to intercept and possibly destroy this virus?

I have Windows 7, 32-bit.

Thanks in advance.

+++ Update: I have stemmed the problem, by adding a rule in the windows firewall. The virus tries to make a connection on the port 443 (https) at the remote address 77.67.10.x , then (on success) it downloads something, and starts to spam a lot of emails (that is, it creates a lot of connections on many servers through the port 25).
So, for now, I have added a rule to deny access fro... Read more

A:Mass Mail (worm?) and other DL/UL activity

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/340920/infected-with-a-mass-mail-virus-dont-know-name/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several ...


Help please

There's weird worm (malware or whatever) which has infected my comp. It's sending emails to unknown addresses. It's using the svchost program to send the mails so I have blocked the outgoing activities of the application. The file svchost.exe.ent.exe was found which has been considered as a threat and quarantined by the Anti virus.

My HJT log is as follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:42 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

A:Help Help Help Need Help Regardin A Worm Activity(as Fast As Possible Pls

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them or include them in codeboxes going forward.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious. It is also possible that you may need to disable your Antivirus or Antimalware programs before this program can run properly. A guide on how to temporarily disable many of the common protections programs can be found here.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.

Read other 1 answers

Hello Forum,

My Dell Precision T3600 originally came with Win7 x64 which I upgraded to Win10 successfully. However I wanted to do a fresh install of Win10 to get rid of accumulated OS mess that cluttered most of my 256GB SSD drive. So I created a bootable USB thanks to MS create media tool. From the bootable Windows 10 setup, I deleted the old partitions (OEM recovery and such which was taking almost 1GB) selected the new clean primary partition and installed Win10. All was looking good until after install it rebooted and got a 'No bootable device detected' error. I will spare you the hell I went through to find the following simple solution:

In the BIOS, you need to change the boot sequence type from 'Legacy' (you know, the old one since forever which you put diskette above HD) to the new fancy UEFI which apparently is a new industry standard where everything is taken care of by the devices. Here's a screenshot of my BIOS:
After this BIOS change, restart the computer with the bootable Windows 10 installation. When the setup showed the available partitions, I had a little warning beside mine saying it couldn't install Windows on that partition. I deleted it and then I could install it. Rebooted and everything was perfectly fine.

Hopefully this will help someone save some time.

TB,

A: Potential Solution 'No bootable device detected' after fresh install

Also the screenshot was taken after everything was working. When I originally set it, there was no 'Windows boot manager' and SCSI HD there. It seems UEFI lets OSes write to the BIOS or something.

Read other 1 answers

Hi all, there is something that ESET detected as a potential threat and I'm not sure which option to take: disinfect it or ignore it (as this is within the WinZip folder).
This is within the WinZip folder, which I installed from a CD (not downloaded from the internet). So is it false or positive?

I was using the PC as usual, then turned off the monitor (for approximately 30 minutes). I turned it on again and I saw that message.

A: ESET Antivirus detected a potential threat in Winzip Utilities

Quote: Originally Posted by 3Colors

Hi all, there is something that ESET detected as a potential threat and I'm not sure which option to take: disinfect it or ignore it (as this is within the WinZip folder).
This is within the WinZip folder, which I installed from a CD (not downloaded from the internet). So is it false or positive?

I was using the PC as usual, then turned off the monitor (for approximately 30 minutes). I turned it on again and I saw that message.


I believe that is a false positive but you can check.

You can use an online service such as Online MD5|SHA1 Hash Generator For File And Text

At the top right you can browse to the file in question.

Go here: Malware scan of WINZIPSSRegClean.exe (WinZip System Utilities Suite) 2e498be0979ea3d16fc25812c29ba7c37a2ac69b - herdProtect, and compare the MD5/SHA-1 hash. Towards the bottom there is a list of more SHA-1 hashes for different versions of WinZipSSregclean.exe.

If your SHA-1/MD5 don't match with any of them, it's possible the file is corrupted in some way.

Read other 9 answers

Hi there,

I am back after a few busy months and need assistance please. My regular XP prof computer, which had previously been fixed by your wonderful 'doctor' Grinler, has now been hit again because it won't start up in Windows. It starts up but never quite comes to the desktop screen. The screen appears to be hiding behind another layer or something and it had a strange wallpaper showing before it got unstable. It was working great and suddenly it was acting weird. I was able to only run Malwarebytes in safe mode.

So I am now using my newer other XP prof computer. This one got hit too so I ran Malwarebytes and posted the log below to show you it found the worm Prolaco. Then I ran GMER on it and it showed rootkit activity with a lot of instances of IEXPLORE. It also started failing at Windows updates which made me be on alert that it too might have been hit. After running Malwarebytes it did better with Windows updates and only failed on one update which was the .NET Framework. I did not do any removal with GMER. I only ran the program in hopes I would get your help so I don't lose the only working computer in this attack.

But I am needing to cure both of them. They both got hit at about the same time I believe. I'm not sure if that could happen at the router that they both plug into. The one that is not booting up, I did not quite finish getting it all backed up onto DVD before it stopped working in Windows so because of that I am needing assistance ...

A: Rootkit activity from Gmer and Worm found

Hi gabstercol,

Welcome to Bleeping Computer! My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to give a few guidelines so that we can fix your problem as quickly and efficiently as possible:

Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
Please do not do anything or perform other steps unless I have asked you to do so.
Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
If you are unsure of how to reply, or need help with anything regarding the website, please look here.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the step...

Read other 86 answers