Q: Solved: help with downloader trojans?

I am working on the brother-in-law's computer.... and he has several downloader trojans which have been caught and quarantined in AVG. They are listed as: Downloader.Small.FU, Golid.B, Downloader.Galdcas.A, Downloader.Agent.D, Dolwnloader.Small.4.l, Downloader.Benuti.C, Clicker.4.AD, Proxy.5.AT, Downloader.Generic.JL.

I have run CWShredder, Ad-Aware, Panda ActiveScan, Trend Micro's HouseCall and McAfee's Stinger. None have removed it; AVG was the first to detect them and quarantine them. They cannot be repaired... so how do I get rid of them? They are keeping me from accessing some pages on the net (page loads, but no content is shown, and then it says done) and I cannot get into his Hotmail account (same problem).

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:34 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\PROGRA~1\EzButton\CPLBTS88.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\monitorbk.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgvv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Konz\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\system32\monitorbk.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
I am having a terrible time finding removal for downloaders, so any help would be appreciated!

Forgot to add... it is a Toshiba Satellite laptop, P4, with XP SP2 (updated today) and IE browser (it won't show what version??)


A: Solved: help with downloader trojans?

Read other 7 answers

First of all would like to say hi to everyone at TSG!

Have been referred to this while using McAfeeHelp, my system is infected with New Malware.j / Generic Downloader.f & Downloader-AYL.

Every time I start my browser, McAfee pops up with messages of files infected by the above. It is able to delete files infected by Generic Downloader.f & Downloader-AYL but not the ones by New Malware.j. My system's 'TASK MANAGER' is not working. I get a message that 'Task Manager has been disabled by your administrator'.

Have tried scanning with Spyware Doctor 2.0.1.143 & Ad-Aware SE Personal but of no help. Reading the previous threads, have downloaded HijackThis. Kindly assist, find below the log file of HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 2:35:07 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\s... Read more

A: Solved: Help Removing Trojans : New Malware.j / Generic Downloader.f / Downloader-AYL

Read other 13 answers

Can someone please help me? I ran some antispyware and virus software and found that I had downloader xa, lg, vg and generic downloader h. Also have multidropper ml. McAfee is unable to clean. I don't know how to get rid of it all and I tried to get rid of some other stuff and now when I boot up it says that there are some dlls missing. I deleted ceres.dll, farmmext.exe, buddy.exe and the program files E2G and Viewpoint. I also tried to empty out temp folders. Does anything below look messed up? What should I do? Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 11:32:34 PM, on 3/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\UWBRIJYD.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\SSOQMNCINJ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\... Read more

A: Solved: downloader trojans and more

Read other 8 answers

Hi

Seems I have picked up the following trojans which seem to reinstall after each reboot. Spyware Doctor has been of little help and as a result I am being continually bombarded with other trojans etc. attempting to download.

Trojan.Downloader.Small.CML (Troj/BckDr-DKG [Sophos]
Trojan.Win32.Agent.qt [Kaspersky]
Backdoor.Sualimpo.E [BitDefender]
Trojan.Click.1210 [Dr Web])

I am pretty much a newbie at this but through browsing other threads I have at least managed to download and run HJT. The log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:43 AM, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedu... Read more

A: Solved: Help with Downloader Trojans

Read other 15 answers

Hi, this is my first post. My laptop (running Vista) is suffering slowdown, constant hard drive activity, new webpages opening. Norton won't update; AVG found a couple of trojans (backdoorsd3bot, generic9 awcl, lop virus), Norton found 1 (downloader). I followed the 5 steps and here is my log. Thanks in advance.
Deckard's System Scanner v20071014.68
Run by alison on 2008-01-30 18:35:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as alison.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:46 PM, on 1/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\taskeng.exe
C:\Users\alison\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDSe... Read more

A: [SOLVED] trojans (downloader), slowdown, popups, etc.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.


Quote:

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Please post a fresh HJT log in your reply

Read other 1 answers

My scan result from pandasoftware online :
Virus:Trj/Downloader.DGM
Renamed
C:\Documents and Settings\kecoa\Local Settings\Temporary Internet Files\Content.IE5\A8UDVP4W\sia[1]_txt.vir

Virus:VBS/Psyme.C
No disinfected
C:\Documents and Settings\kecoa\Local Settings\Temporary Internet Files\Content.IE5\A8UDVP4W\sia[1]_txt.vir[index.htm]
Virus:Trj/Downloader.DGM
No disinfected
C:\Documents and Settings\kecoa\Local Settings\Temporary Internet Files\Content.IE5\A8UDVP4W\sia[1]_txt.vir[index.exe]
Spyware:Spyware/BargainBuddy
No disinfected
D:\opera\profile\cache4\opr00XH5.htm

How do I get rid of these viruses? I tried Spybot S&D, Spyware Doctor, Ad-Aware SE, Ewido and AVG Free antivirus but the viruses are still there every time I re-scan with Panda; please help me. Thanks in advance.
 

A: Solved: How to get rid of Trojans/Downloader.DGM and VBS/psyme.C

Welcome to TSG

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, do another scan with Panda and see if anything is still detected.
 

Read other 3 answers

First of all would like to say hi to everyone at Tech Support!

Have been referred to this while using McAfeeHelp, my system is infected with New Malware.j / Generic Downloader.f & Downloader-AYL.

Every time I start my browser, McAfee pops up with messages of files infected by the above. It is able to delete files infected by Generic Downloader.f & Downloader-AYL but not the ones by New Malware.j. My system's 'TASK MANAGER' is not working. I get a message that 'Task Manager has been disabled by your administrator'.

Have tried scanning with Spyware Doctor 2.0.1.143 & Ad-Aware SE Personal but of no help. Reading the previous threads, have downloaded HijackThis. Kindly assist, find below the log file of HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 2:35:07 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusche... Read more

A: Help Removing Trojans: New Malware.j / Generic Downloader.f / Downloader-AYL

Hello parry, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 - TEMP... Read more

Read other 14 answers

Hi, it has been some time since anything got me foxed, but I could really use some assistance with this one please.

Basically I have a persistent problem. I use Windows OneCare and each time I start the PC it picks up several attempts to drop trojans. OneCare can clean them but does not seem to locate the source file which is instructing the drop. I have taken several steps to fix the problem, none of which have succeeded. My steps were:

- Inspection of HijackThis logs - couldn't see anything obviously wrong.
- Cleaning registry and start-up entries - I was uncertain about a couple of them but nothing stood out.
- Checking running processes - again I can't see anything obvious.
- Manual search of win32 files for anomalies - this yielded several rogue .exe files and a couple of bitmaps, but I have to assume these were dropped and not the source file.
- Running OneCare virus scan - finds nothing.
- Running Malwarebytes scan - initially found a raft of infections and removed them, but further scans yield nothing and the problem persists.

Clearly it seems I have a hidden file somewhere which is causing this to happen. I really do think there must be something in the start-up .exe's as the problem always occurs on restart.

Help please. I am somewhat reluctant to simply wipe and start again from scratch as I have a whole heap of music editing software which will take several days to reinstall. Here is my HijackThis log; all help and assistance gratefully received, many thanks in advance. now that i look... Read more

A: Hidden Downloader And Backdoor Trojans

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button t... Read more

Read other 1 answers

Have Norton Internet Security, Spybot and Ad-Aware, and ZoneAlarm firewall. Spybot deletes Virtumonde every time and it comes back up. While it does that, Auto-Protect for Norton catches downloader. But then Norton always crashes. Can't browse at all. I would appreciate any advice you have to give me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:53:46, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TOD... Read more

A: Possible Downloader And Trojans

Also have this...if this helps OtscanIt.Txt

Read other 5 answers

cybertech said:

Hi pam_hodson, Welcome to TSG!!

Create a permanent folder on your hard drive like c:\program files\hjt.
Download Hijackthis and save it to that folder.

Double click on Hijackthis.exe then click on the "Scan" button, then click on "Save Log".

Copy and paste it back here and someone will be happy to review it.

Don't make any changes until instructed to do so.

I've got a similar problem - copy below, what do I do ??
Logfile of HijackThis v1.98.2
Scan saved at 20:45:32, on 14/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\MCAF... Read more

A: Downloader Trojans

Hi AJK Kelly, Welcome to TSG!!

I've split your thread off so please continue to reply here.

I see two anti virus products running. You should only be using one. Try removing one and post back with the results.
 

Read other 1 answers

This one is admittedly my fault, and though I'm to blame for instigating it, I don't feel I deserve all this:

this evening (20/11/2008), my PC (P4, XP, SP3, McAfee Enterprise v8.0.0) suddenly started acting very strange: slow, random popups in both FF and IE7. Worse: for some reason I get a warning telling me Windows Automatic updates is turned off (I did no such thing), and when I try to update my McAfee he keeps on giving me errors (I updated anyway using the SDATxxxx.exe from my university website.) Another strange detail: if I click on my mousewheel to scroll with that white ball with two arrows, it gets stuck, and the white ball freezes for the rest of the FF session.

- First, Spybot removed a whole bunch of spyware.
- Scanning with McAfee gave me a whole bunch of Trojans, some .dll's I couldn't move or delete (including c:\System Volume Information\_restore{856843B7-3CF7-46F8-8164-BB25B8465668}\RP765\A0056872.dll(\00012118.EXE) New Malware.jg(Trojan)
- I ran CCleaner as well, and it told me there was an entry in my startup for a file called C:\Windows\System32\rtcciwdq.dll. I googled it: nothing. Tried to rename/move/delete: impossible. Created on: 30/11/2008, 20:54 GMT+1 (around the time the troubles started.)

Where I think it comes from? Well...
I used Vuze (I know, I know) to download Sim City 4. The Pirate Bay supplied me with a 2CD iso rip. I mounted CD1 (using Daemon Tools), clicked Setup.exe. And that's when I think the problem began. SC4 never got... Read more

A: One Downloader.exe, and a whole bunch of Trojans

Quote:

Rest assured, this is the last time I used Vuze to download anything. Please help?

Why are these still installed?

Azureus
eMule
Vuze

Read other 3 answers

Hi,
I need help please!!!
Tonight I got about 7 "Threat Detected" alerts on my AVG. The threats were trojan downloader, purifyscan and Trojan Downloader generic.
Each time I clicked on heal and it said they had been healed but I still cannot access some areas of my pc as I get a windows error saying access not authorized.

Here is my hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 00:46, on 2008-03-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Fil... Read more

Read other answers

Oh man, my system is so sick!
I have this Trojan downloader program that I can not seem to get rid of!
It's called Stubby.D, and three others.
I have run AVG, NOD32 and SpyDoctor. It just hides there and they can't touch it.
I have no idea what to do. Can anyone offer me advice?? My system is so slow, and an "Enhance My Search" page keeps coming up. Plus, my system is loaded with all kinds of clickable links on certain words.
Please help?? I can pay for your service, I sure would appreciate it!
Sincerely, Pamela
 

A: [resolved] Downloader Trojans

Read other 7 answers

Hi there,
I have problems. I have recently been infected with Virtumundo and downloader trojans. I think I have got rid of them using advice given here; however, I think there is still something resident because I keep getting advert pop-ups and the laptop running slow. Could you have a look at the HJT log and advise?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:37, on 09/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.... Read more

A: Virtumundo and downloader trojans

Hello bigshay and welcome to GeeksToGo. Let's see what we can find.

Before running a new scan let's clean out the temporary folders. Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Do not change any settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and mak... Read more

Read other 3 answers

A few weeks ago my McAfee informed me that it had spotted and removed two files for the downloader-a trojan and one file for Vundo trojan. This message kept coming back over and over. As time went on websites I would visit that I had been to many times before (e.g. CBS Sportsline) started having strange ads appear for Spyware and warning boxes kept saying I may be infected with a virus or that someone would be able to view websites I had visited. We stopped using the computer as much as we could. Then from work computer I found your site and decided I would follow these procedures. I have run Ad-Aware, Spybot, the Avert stinger, enabled a Sygate personal firewall, and have always had the McAfee and Microsoft auto updates on. In the past couple of days, even after the first few steps of your process, some pretty racy websites have come up mysteriously when we would accidentally leave Explorer open. Please help!!! Following is my Hijack This log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:50 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svc... Read more

A:Downloader & Vundo Trojans

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Large M.D.
My name is Richie and I'll be helping you to fix your problems.

Please disable Spybot S&D's protection, or it will interfere. You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006, read this article: http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will ... Read more


I am working on the Brother in law's computer.... and he has several downloader trojans which have been caught and quarantined in AVG. They are as listed: Downloader.Small.FU, Golid.B, Downloader.Galdcas.A, Downloader.Agent.D, Dolwnloader.Small.4.l, Downloader.Benuti.C, Clicker.4.AD, Proxy.5.AT, Downloader.Generic.JL.

I have run CWShredder, Ad-Aware, Panda ActiveScan, Trend Micro's HouseCall and McAfee's Stinger. None have removed it; AVG was the first to detect them and quarantine them. They cannot be repaired... so how do I get rid of them? They are keeping me from accessing some pages on the net (page loads, but no content is shown, and then it says done) and I cannot get into his Hotmail account (same problem).

here is the hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 10:04:34 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Progr... Read more

A:help removing downloader trojans??

It's quite possible that they are lodged in your restore files and, if they are, no anti-virus can remove them from there, so I suggest that you do a System Restore as per this site http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306084

Also go to add/remove in the control panel and remove any references to ViewMgr.exe that you find ......

I have been infested after visiting a federal student loan site. I had these trojans pop up identified by McAfee scan, but unable to remove... so then went to Norton, was able to detect, but again, unable to remove.

My system is very sluggish, pop ups everywhere. I did the HijackThis, and here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:24 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDO... Read more


Hi, please help. Ad-Aware finds 2 trojans on my PC, win32.trojan.Agent and win32.trojan.downloader. It deletes them but as soon as I go back on line they come back.
I also have Webroot but on a full scan it fails to find them.
Results from hijack this as follows -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:34:31, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:... Read more

A:Help with Trojans agent and downloader


I have a virus called [email protected] and a few trojans such as Downloader.AUX and my McAfee Virus Protector isn't really working... It pops up and is unable to delete, clean or quarantine.

Also, when I start Internet Explorer, it does not direct me to my normal homepage, it redirects me to 'topsecuritysite.com'.

I do not know if this is a real site or a way for me to download new virus protection, so I am not sure what to do.

Help would be grrrreatly appreciated.

Thank you mucho!

A:Virus: "[email protected]" & Trojans: "downloader.aux" Help Please?

This doesn't look good at all. Seems like a spyware infection; let me research it and I'll get back to you ASAP.

The fake virus alert is a result of a pest called "Smitfraud". Here are the removal steps until the Antimalware products release new updates for this newest variant out:

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)
2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
3. Download, install, and update Ewido AntiMalware (get the free trial version)
http://www.ewido.net/en/download/
a. Install Ewido AntiMalware
b. Launch Ewido, there should be a big yellow E icon on your desktop, double-click it.
c. The program will prompt you to update, click the OK button
d. The program will now go to the main screen
e. On the left hand side of the main screen click on Update
f. Click on Start. The update will start and a progress bar will show the updates being installed.
g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.
4. Reboot into Safe Mode
If you're having trouble getting into safe mode or don't know how, here's a handy tool: Bootsafe.exe
http://www.superadblocker.com/bootsafe.html
5. Once in safe mode, start Ewido... Read more


A few weeks ago I was alerted by McAfee that a JS/Downloader-AUD and an Exploit-ByteVerify trojan were on my computer and unable to be deleted or cleaned. Ever since then my computer has been slower and the svchost.exe process has been taking up 100% of my CPU. I have tried several scans in safe mode and nothing has been found. Also it seems that Windows Update on the Microsoft site is not working as well. I am running Windows XP with SP2. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:24 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\Pk... Read more

A:JS/Downloader-AUD and Exploit-ByteVerify Trojans


Hi,
A few days ago I noticed some strange behaviour of my computers (e.g. connecting to "dt.tongji.cn.yahoo.com" during any web page load).
I ran a number of available programs / scanners, removed suspicious files, updated Windows, java, etc.
Seems to be a bit better, but I still get positives from antimalware programs.
Please help me to remove anything that's left!
Attached are the DSS logs and Kaspersky online:

Deckard's System Scanner v20071014.68
Run by Marek on 2008-08-11 13:18:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
22: 2008-08-11 11:18:27 UTC - RP141 - Deckard's System Scanner Restore Point
21: 2008-08-11 10:06:14 UTC - RP140 - Removed Symantec AntiVirus
20: 2008-08-09 18:36:18 UTC - RP139 - Installed Java™ 6 Update 7
19: 2008-08-09 18:27:02 UTC - RP138 - Removed Java™ 6 Update 5
18: 2008-08-09 18:26:25 UTC - RP137 - Removed Java™ 6 Update 3

-- First Restore Point --
1: 2008-07-18 01:13:43 UTC - RP120 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.04 GiB (less than 15%) free.

-- HijackThis (run as Marek.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:23, on 11/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE:... Read more

A:Recurring Problems With Trojans (downloader, Others?)

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

First
Seeing its been a number of days since your original scanning with HJT could you please run HJT now and post a fresh HJT log back to this topic please.

Next

Start HijackThis Click on the Config button Click on the Misc Tools button Click on the Open Uninstall Manager button. You can click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into this topic please,
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking o... Read more


OS: Microsoft Windows XP, Media Center Edition, SP2
Computer: Dell Inspiron 9400, 2.00 GHz, 1.00 GB RAM
Ran Symantec AntiVirus, Spybot Search & Destroy, Ad Aware SE Personal, Avg Anti Spyware 7.5
Ran Symantec in Safe Mode.
Ran VirtumondoBeGone and VundoFix. No luck.
Computer is running slow and when it boots up and connects to the internet, Symantec immediately detects either Vundo or Downloader.
Any help would be appreciated!! Thanks!!!
Ran HijackThis as fluffyrabbit.exe and the log returned is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:39 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.ex... Read more

A:Vundo, Downloader Trojans Removal Help

Welcome to the BleepingComputer HijackThis Logs and Analysis forum reekaee
My name is Richie and I'll be helping you to fix your problems.

Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed in 2006, read this article: http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repea... Read more


Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 21:22:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2008-06-15 01:22:30 UTC - RP590 - Deckard's System Scanner Restore Point
51: 2008-06-15 01:10:19 UTC - RP589 - Removed Quivic
50: 2008-06-15 01:09:31 UTC - RP588 - Removed Power Tab Editor 1.7
49: 2008-06-15 00:59:22 UTC - RP587 - Removed Call of Duty(R) 2
48: 2008-06-14 18:07:04 UTC - RP586 - System Checkpoint


-- First Restore Point --
1: 2008-05-14 04:29:14 UTC - RP539 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 8.01 GiB (less than 15%) free.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:38 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\... Read more

A:NaviPromo.N and Downloader.Adload.JB Trojans

Bump, please


er I'm using AVG free and it keeps warning me of downloader.obfuskated and trojan horse spamtool.EVL and trojan horse agent2.ADIY and I've used Malwarebytes, AVG free full scan, Spybot Search and Destroy, but it didn't work.

A:infected with downloader.obfuskated and 2 trojans

Hi
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will ... Read more


Hi there, AVG has picked up that we have the 2 trojans mentioned above, however does not seem to be able to remove them. I also did an online scan with Trend Micro which did not remove them either. There also seems to be a search engine which randomly hijacks our browser windows, there is a picture of it here: http://www.adwareaway.com/images/al1.gif

I'm not really sure if it's related to the trojans or is something additional! The Hijack This log is below. I would appreciate any advice.
Logfile of HijackThis v1.99.1
Scan saved at 12:31:51 PM, on 18/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\... Read more

A:I seem to have 2 Trojans: Downloader.Lstbar.9.AU & Cliker.CAH

P.S. This is actually my mother's computer which I am trying to fix for her. Her eBay account was hijacked a couple of days ago. Should she reset all her other online passwords?

I've done just about everything with my system I can think of, but as soon as I get rid of a virus, another takes its place. Arrgghh! I even tried deleting Internet Explorer, yet all the pop-ups are still somehow originating from there. Also, after my computer's been on a while and I try to open a file folder, the desktop 'refreshes' but doesn't open the folder. Please help me before I throw my computer on the freeway.

Logfile of HijackThis v1.99.1
Scan saved at 12:44:56 AM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\s... Read more

A:Nebuler, Downloader And Onther Trojans

Hello,
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.


1. I was attacked by a bunch of viruses while on-line. I have completed your 9-step preparation guide before posting.
2. My already installed McAfee Virus Scan intercepted: Downloader-AEX Downloader-OV Downloader-AFH Generic Downloader.g DC1.EXE AdClicker-BW Spy-Agent.i
After disinfecting, the programs PPPCGM.EXE and SPHLP32.EXE persisted. I believe fragments of these programs remain in the registry.
3. I disabled the System Restore function of XP.
4. I installed trial Webroot Spy Sweeper (v 4.5.7); it indicates I am infected with: rootkit-masked files trojan-backdoor-us15info trojan-downloader-ruin trojan-secdrop cws_secure32.html hijack idesk unspypc.
5. I loaded and ran Ad-Aware SE. It searched very slowly on my computer. It found some bad files, deleted them, and successfully scanned my hard drive.
6a. I loaded and ran Spybot. It took over 64 hours to search the 12GBs of data on my computer.
Spybot Results 3, 13 Jan 06
Found 6 problems
--- Search result list ---
CoolWWWSearch.WCADW: IE Search page (Registry change, nothing done)
HKEY_USERSS-1-5-21-1614895754-492894223-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank
CoolWWWSearch.WCADW: IE start page (Registry change, nothing done)
HKEY_USERSS-1-5-21-1614895754-492894223-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank
CoolWWWSearch.WCADW: IE Search page (Registry change, nothing done)
HKEY_LOCAL_MA... Read more

A:Trojans (backdoor, Downloader, Secdrop)

Hello,
I see you are running Teatimer. I suggest you to disable it because it can interfere with the changes you'll make on your system. When everything is done and your log is clean again, you can enable it again. If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, you'll see your desktop and taskbar won't load yet. This is normal, because it is still scanning. Please be patient.
Afterwards, HijackThis will launch automatically. Please click Scan, and check the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Micro... Read more


Hi. I was infected and since have run multiple virus scans/spyware removers, but the files keep coming back. About at the end of my wits.

Logfile of HijackThis v1.99.1
Scan saved at 8:14:01 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Medi... Read more

A:Trojans Infected Me - Downloader.generic.4.xje Others

Hello,
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt. Post the contents of this log in your next reply together with a new hijackthis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


I have got a good one for you.
SO, I noticed this problem first in my browsers. Chrome and Fire Fox are displaying much of the html text on web pages as strings of subscript and superscript numbers. (screen shot) If I copy these numbers into notepad, they translate in to words... Google doesn't want to hear anything about this.
So I scan with Norton and continue to find Trojans every time I restart. The only thing that will scan in safe mode is Microsoft security essentials, that's what found the Alureon and some Java Downloaders.
-----------------------------------------------------------------------------------------------------------
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-16 07:44:02
Windows 6.1.7600 Running: gmer.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058... Read more

A:Trojans abound, Alureon, Java downloader etc

Hi,Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.Once I receive a reply then I will return with your first instructions.Thanks


Hey Team,
AVG 7.5 found these three trojans as of 5 minutes ago:
Not-a-virus.exploit.java.bytverify
Trojan.classloader.c
Downloader.openconnection
Here's my latest HJT and AVG log:
Any other info you need, just ask!
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 2:00:21 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hp... Read more

A:Not-a-virus.exploit And Downloader.openconnection Trojans ---_!

Hello EnricotheIV and welcome to the BC HijackThis forum. I don't see any signs of viruses or malware in the log. It is clean but there are a couple of things that should be taken care of.

I do not see an anti-virus application running on this computer. An anti-virus program is your first line of defense in protecting your computer from all of the internet and email infections circulating today. I strongly recommend installing an anti-virus application as quickly as possible. Here are 2 free anti-virus programs that are available for personal use (I use these on various machines and they are both good):
Avast Home Edition
AVG Anti-Virus

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
Note: If there is an Update XX in the name then the "XX" in the version will be whatever the latest version is.
Download the latest version of Java Runtime Environment (JRE) 6.0 Update XX (if present).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to St... Read more


Hi,

I downloaded a keygen and suddenly my computer has been infected by a virus. Symptoms include:
* "VIRUS ALERT!" message being printed on the right hand side of the current time in the System Tray
* Start Menu has no administration icons or "Program Files" menu - only quick launch
* Some desktop icons have gone missing
* Trying to open Windows Explorer with the keyboard shortcut (Win+E) returns an error saying "This operation has been cancelled due to restrictions in effect on this computer". I can still open it by doing Run (Win+R) and typing "explorer".
* C drive is missing from Windows Explorer

I have scanned my computer with AVG 8 and it has found viruses several times, but each time I try to heal/remove them and restart my computer, viruses still appear in a full system scan, though the names of the infected files and the names of the viruses change.

Previously, in addition to infected files in System32 folder, the winlogon.exe and lsass.exe processes turned up as infected in the AVG full system scan. Since then, I noted the names of the infected DLLs and verified that they were being launched with the Sysinternals' Autoruns utility. Then, using a Windows XP CD, I booted into the Recovery Console, sought out the infected DLLs and removed them from disk. After doing this and running a full system scan, winlogon.exe and lsass.exe do not appear to be infected, but new DLLs have shown up as being infected with similar virus ... Read more

A:Help removing Downloader.Zlob, BHO and Generic trojans

Left with no other options, I decided to reinstall Windows to remove the virus - it was just too hard to remove because it kept infecting different files.

I hope next time I need this forum, you guys can be of more assistance
 


Made the mistake of doing a Google search with IE, not FF. Started getting all kinds of IE redirects. Ran CCleaner to clean out temps and registry. Ran MWB in regular mode, removed Hiloti, Agent, and Downloader trojans, restarted, malware returned. Ran CC & MWB in safe mode, malware returned again. Followed drill on MWB. When running GMER, it BSOD on pglipow.sys: Page fault in non-paged area pgliapow.sys - Address 95C74DSD base at 95C69000. Nothing showed up in red on GMER before BSOD.

Your help is most appreciated. HS

Edit: Was able to run Sysinternals RootkitRevealer. Could not save results file so I created the attached screenshot rkr01.jpg

DDS (Ver_10-03-17.01) - NTFSx86
Run by ZZZ at 18:50:57.23 on Wed 06/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2297 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\... Read more

A:Recurrent Hiloti, Agent, and Downloader Trojans

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Do not attach logs unless I ask you to.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Gmer is the best but can be hard to get a log. Let's try this and see what we get.

Scan With RKUnHooker
Please download Rootkit Unhooker and save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Sa... Read more


Hi guys, I have a Win XP Media edition pc that is 3.2 ghz with 512mb memory. Lately this pc has been very slow at starting up and when I try to go to malwarebytes I constantly get a page cannot be displayed. When I use my laptop it is fine, both on the same network. I had Windows anti trigger virus but removed that but it is still giving me problems. Here is a copy of the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:00 PM, on 2/9/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\mabidwe.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\perfs.exe
C:\WINDOWS\System32\routing.exe
C:\WINDOWS\System32\soxpeca.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\sv... Read more

A:various trojans trojan downloader, ispy, adwaredotnet,

Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan"
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT
Please download RSIT by random/random and save it to your Desktop.
Double click on RSIT.exe to run RSIT
Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
Click Continue at the disclaimer screen.
Once it has finished, two lo... Read more


#1 posted log

Logfile of HijackThis v1.99.1
Scan saved at 6:35:27 PM, on 9/22/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Terminator\Quick TV\Scheduled.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Prentice\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs... Read more

A:help:I have two Trojans;spam.multi-site/gen & downloader-multiU/gen


I just recently reinstalled AVG 8.0 free version and ran my first scan. UGH!!!!

I have: Hijacker: Morwill Search and Generic
Logger Perfect Keylogger and stars
Downloader: small.nl, Brospy, .vb, Delf
Trojans- to name a few of them: Kolwebb, Killproc, Conhook, Wayphisher, Banker, Killav, Lespy, Ciadoor, Zlob.

AVG only removed one adware as a threat and I did not remove all unhealed folders since I was afraid it might crash the computer.

I have run a hijack immediately after and here are the results. Is there any hope for this poor old computer?? running Windows xp, 40 gb, 512 RAM

Thank you for any assistance!!
Hijack
Logfile of HijackThis v1.99.1
Scan saved at 4:15:43 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program File... Read more

A:Trojans - Downloader- keylogger- hijacker - Is there any hope for my computer?


I have several different types of Downloader.General trojan horses and I also have PurityScan malware. I have tried SO MANY different things to remove them. Although several programs (AVG, Ad-Aware, Spybot, etc...) say they are deleting them, they are still there! I am not good with computers or computer terminology, so please be patient with me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:41 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\a... Read more

A:Lots Of Downloader.generic Trojans And Purityscan Malware

Hello Chell and welcome to the BC HijackThis forum. Let's run a different scanner and see what else it shows us.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - Desktop Components
Reg - Disabled MS Config Items
File - Additional Folder Scans
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.
OT


I got several trojans several weeks ago and have spent a lot of time cleaning them up with various disinfection tools and anti-virus software since some would get some infections and others got others. Even though I cleaned up a lot of it, my computer still makes these weird noises that sound like programs are accessing the hard drive when I am using it and online. When I do a netstat I usually see many unknown IPs connected to my computer. The person's description of virus activity on this page: http://www.computing.net/answers/security/iexploreexe-trojan-solution/20354.html

best describes the activity and noises that I hear that let me know that I am still infected. The names of some of the things the anti-virus scans found were: a .bat.js script. I also had trojan.downloader, dloader.trojan, stpage.trojan, script.virus and muldrop.trojan files found. Recently I had js:IIIredir-Q[Trj] and iexplore.exe found. Trojan Hunter found the js:IIIredir-Q[Trj] file and Prevx the iexplore.exe. But after cleaning the dloader.trojan, stpage.trojan, script.virus and muldrop.trojan files with Dr.Web nothing else has been able to detect anything, but I know it is still there. Malwarebytes never found anything, even when other scanners would. Researching the trojan.downloader information, I found registry files named Win-Trojan/Agent and deleted them. Whatever I have has survived several destructive recovery processes so is very good at hiding. Because of this I ran MBRcheck a... Read more

A:Infected with Trojans including js/trojan downloader believe there are still traces

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


Over the past couple of months I have picked up a number of the above Trojans/viruses. AVG has moved them to the Virus Vault. I have attached details of the infections quarantined in the vault.

I have run a full system scan with AVG Anti-virus Professional and AVG Anti-Spyware 7.5. I then ran SmitFraudFix but it appears no files were deleted.

I have run HijackThis and the log is below .... is my PC clean and should I empty the virus vault?

I hope this is enough information, this is a very steep learning curve for me. Any help or advice is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:50, on 09/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\... Read more

A:Trojans: Spysheriff.d / Downloader.agent.acrn / V.cec / & Hacktool.bvu/bvr

Hello kymystry,

Welcome to the BleepingComputer Forums.
Since it has been a few days, please post a new HijackThis log.
Thank you for your patience.


Good Evening,

I have been having issues with 4 types of Trojans and I think I might have cleared most of the programs and files they added to my computer. However, I know that there must be some programs/files lagging around since my AVG once in a while finds one of these Trojans (Downloader, Clicker, PSW.Agent and Generic3). Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:53 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\rundll32.exe
C:\... Read more

A:Problem Getting Rid Of Downloader, Clicker, Psw. Agent And Generic3 Trojans

Hello Kofucius, sorry for the delay. I am SifuMike and I will be helping you.
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


Greetings,

I have several Trojans showing up in my Norton scans, of course Norton tells me they are gone but I have found otherwise. A friend of mine got a Myspace message and downloaded something on my computer by opening it; since then I have had problems. Any assistance with these problems would be greatly appreciated. Thank you.

The following is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:11 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C: ... Read more

A:Infected With Several Trojans, Vundo, W32traits!inf, Downloader, Adclicker

Welcome to the BleepingComputer HijackThis Logs and Analysis forum whiskeyjohnson
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervis... Read more


Dear IT Friend,
Two evenings ago I was reading a blog page and clicked on a topic that looked interesting. It happened quite quickly, but my Avast software (free edition) alerted me that it had blocked a site from downloading something. Within about 10 seconds, however, various horrible things began to happen to my computer.
I received another error message, icons began to disappear from my desktop, taskbar and about 20 stacked messages referring to kernel problems, Ram memory running low, filled the computer screen. Even my programs and Task Manager became hidden. I disconnected the computer from the internet connection and shut down.

Via my CD drive in Safe Mode, I've been able to restore the Task Manager and unhide my programs (unhide.exe). Windows Security Essentials found and was able to remove various Trojans and Exploit:Java items. (Trojans=FakeSysdef, Tikuffed.AK, Downloader:Win32/Karagany.A, Downloader:Java/OpenStream.AM) (Exploit:Java/CVE-2010-4452, Exploit:Java/CVE-2010-0840.BU)

My main concern now is that the computer is sluggish and locks up for several mins at a time when I attempt updates and/or during scans, which are causing them to abort completion. I can't find other malware myself, but I'm sure something is still working. I've also never had system startups take 5 mins as they are now. It normally takes about 2 mins. SpybotSearch & Destroy tells me that the "External update application has been corrupted."... Read more

A:Trojans: Downloader, FakeSysdef, Karagany & Java Exploit

My apologies ... I found the Attach.txt file. For some odd reason it was being minimized to a section of the screen that I never use -- not sure why, but here it is.

Best, Jsum.



I went to a bogus video site and installed an infected activeX control onto my computer. Initially my adaware programs detected Smitfraud, BHO.DE, and various other spyware/trojan related wares.

I also was getting PCSecure popups bars in my internet browser. I ran a combination of programs I found suggested in other threads similar to my case:
Combofix
ATF-Cleaner
SUPERAntispyware
AVG Anti-Spyware 7.5
Smitfraud Fix
X Micro Cleaner (Something like that)

...and I normally run Spybot S&D, Lavasoft Adaware, and BitDefender.

Right now the only traces I'm picking up of whatever is left are these trojans that keep appearing in my Local Settings/Temp folder. I keep clearing all the files out, but the trojan files keep coming back.

As for initial symptoms (in addition to the PCSecure popup bar), I had random cmd.exe prompts popping up every now and then.

Here's a little more about the Temp Folder Trojan files:
They appear under the filenames BITxxx.tmp and BitDefender often also shows them ending with rmv.exe and main_uninstaller.exe.
The trojans names are Trojan.Agent.ABSG, Trojan.Agent.BHO.N, Trojan.Agent.BHO.O, Trojan.Downloader.Agent.YNQ, Trojan.Downloader.Agent.YNU

Nothing else really comes to mind. Please help!
 

A:Temp Folder trojans reappearing. (BHO, Downloader YNQ, ABSG) What is the source?

Here are my Smitfraud and HijackThis Logs.

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:56:30 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:... Read more


Back in late March, I noticed that my anti virus software (McAfee) had been silently detecting and quarantining various trojans on a weekly basis since November 2015. I posted a topic on this forum, followed the instructions given to me, and the problem appeared to be resolved. Unfortunately, this resolution was only temporary. As of April 30th, I am once again seeing the same trojans being detected and quarantined 
 
Recent quarantined trojans are as follows:
JS/Nemucod.il
JS/Nemucod.ik
JS/Nemucod.eq
Generic Packed.js
w97M/Downloader.bct
 
The locations where these threats were detected are:
C:\\Windows\Temp\MCE00000\MCE00001
C:\Users\[computer name]\AppData\Local\Google\Chrome\User Data\Default\Cache
 
Oddly - or maybe not - I "don't currently have permission to access" the Temp folder, and the AppData folder was initially hidden when I checked to see if I could access that folder. Presumably I can regain access to the Temp folder easily enough, but figured I'd go through the steps advised here before clicking any further.  
 
Anyhow, FRST.txt report is as follows, and Addition.txt is attached:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by orion (administrator) on -O- (07-05-2016 14:21:22)
Running from C:\Users\orion\Desktop
Loaded Profiles: orion (Available Profiles: orion)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: ... Read more

A:My AntiVirus program keeps detecting trojans - JS/Nemucod & W97M/Downloader

Hello froman and Welcome to the BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
Ensure your external and/or USB drives are always inserted during the scan.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
Please reply to this thread. Do not start a new topic
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open the computer as administrator. How do I open the computer as administrator?
Disable... Read more


So Kaspersky found 3 threats however they are not in their database or virus list website. I am pretty sure my friend contracted them from looking at free porn on my computer! I know I should password protect my computer and I definitely have learned my lesson!

Backdoor.Win32.Rbot.Vqa

Trojan-Downloader.Win32.CodecPack.alm

Rootkit.Win32.TDSS.cjv

Thanks in advance for any advice or help!


DDS (Version 1.1.0) - NTFSx86
Run by Chupacabra at 22:31:07.51 on Thu 01/01/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.2047.1017 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C... Read more

A:Kaspersky found 3 Trojans, Backdoor, downloader, rootkit not in kas virus list!

Can someone help? Thanks.


Hello all, thanks in advance for any help. Here's the story: Yesterday, Spybot began popping up with a message requesting to allow a change to the registry for MSServer. Stupidly, the first few times I allowed it, but then wised up and hit deny and remember. However, the Spybot window telling me that it denied pops up continually: "Registry change denied. Identified as: User blacklist. Resident denied the change of MSServer (category System Startup global entry) based on your black list." This never stops coming up; there are usually 5-10 windows on the screen at once.

I ran S&D, which found the following results:
hitbox
Microsoft.WindowsSecurityCenter.TaskManager
Smitfraud-Cgp
Virtumonde.dll
Virtumonde
Win32.BHO.je
Zlob.Downloader.bs
Zlob.Downloader.vcd
Zlob.Downloader.vdt

I removed all, rebooted, and ran a 2nd scan, which found nothing. A new error window appeared when Windows started: "Error loading C:\Windows\system32\vncslojo.dll The specified module could not be found." The Spybot-blocked MSServer windows continue to appear. I ran Norton, it found nothing. I went through the entire list of installed programs from the Remove Programs screen. Nothing there, aside from pre-installed Dell junk, was suspicious. I ran Adaware, it detected two items... I was an idiot and only took a screenshot instead of writing down the full names, but what I saw was: "Adware.BHO(generic) Root: HKCR Path: interface f7d09218-46d7-4d3d... Root: HKCR Path: t... Read more

A:Remnants Of Several Trojans - Virtumonde, Win32.bho.je, Zlob.downloader, Smitfraud-cgp, Hitbox

Hello Vlad858,
Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Back on March 18th, 3 of my business email accounts (in MS Outlook) began receiving spam emails that were being sent from my own email addresses. Certainly I did not send these emails myself, so my immediate thought was to change my passwords for each email account as well as the login password for my domain hosting service (since the business emails are associated with the hosted website). 
The problem has continued, with additional spam emails received (every few days) from my own email addresses. I've filed a support ticket with the hosting service to see if the server that hosts my domain was breached, but have yet to hear back.
Anyhow, this experience prompted me to scrutinize my own computer for vulnerabilities, and checking the quarantine log of McAfee, I see that it has quietly been detecting and quarantining various trojans since November 7 2015! AntiVirus programs that I've used in the past have alerted me when detecting threats, so I was definitely alarmed to see that so many threats had been quarantined by the program. 
 
Quarantined trojans are as follows:
Artemis! 45A3E508CB68
W97M/Downloader! (multiple versions with various numbers following)
W97M/Downloader.axk (+.awq +.awf)
JS/Nemucod.du (+.cs +.ci +.fh +.dy +.eq)
JS/Downloader.gen.bb
JS/MalHeur.a
 
I'm not sure if the proliferation of these trojans has any relation to the spam emails that I'm seeing - aside from that, I haven't noticed any suspicious problems or performance issues with my... Read more

A:My AntiVirus program detects trojans (such as W97M/Downloader) on a weekly basis

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic, it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Remove the program in bold via the Control Panel > Programs > Programs and Features Applet.
Host App Service (HKU\S-1-5-21-2211250516-935607534-4216707785-1002\...\SweetLabs_AP) (Version: 0.269.7.911 - Pokki)
Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Pokki) C:\Users\orion\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Pokki) C:\Users\orion\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\orion\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\orion\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://homepage-web.com/?s=lenovo&m=start
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxps://homepage-web.com/?s=lenovo&m=start
SearchScopes: HKU\S-1-5-21-22112505... Read more
