
Solved: Solved: NoAdware detected a worm NAV2005 missed

I did a scan using NoAdware v4.0 (Unregistered version) and detected the following:

“ Backdoor.GWGhoHKEY_LOCAL_MACHINE\Software\MicRegValue “ and:
“ Worm that trys to spread itself and allows unauthorized access to your PC.“

I tried to locate this with RegEdit and didn't find it (no surprise there as I'm rather a novice at this) and with RegCleaner.

Here's the current log:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:21 AM, on 10/4/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\DJSNETCN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\SPYWARE BLOCKER\SPYWAREBLOCKER.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SPYWAREBLOCKER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SPYWAREBLOCKER.EXE" /0
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
I would think this should be easy to nail once I understand how to get at it.

A: Solved: Solved: NoAdware detected a worm NAV2005 missed

RELEVANCY SCORE 68.4

I know I have downloaded a file from my email that I shouldn't have.
I scanned with ewido and it found several worms and trojans and I got rid of them.
Here is a HijackThis log. I don't know if I got rid of everything, please let me know.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 1:32:44 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ALLTEL DSL Check-... Read more

A:Solved: worm detected

RELEVANCY SCORE 68.4

Please help. AVG anti-virus has detected several viruses in my computer. It has been placed in the virus vault. But after this, I have been receiving a pop-up error every time I open any application from my computer that says "The application or DLL C:\WINDOWS\system32\kernel32.sys is not a valid Windows image. Please check this against your installation diskette." What shall I do? Please help...
 

A:Solved: worm detected

RELEVANCY SCORE 67.2

I have McAfee Internet Security 2006.

I repeatedly get the potential worm activity detected message from McAfee VirusScan. It says 2 emails have been sent within the last 25 seconds. This condition might indicate a worm/virus is attempting to send email. The email subject varies from "about your health", "Your health, your care", to viagra messages. I use Outlook and it is not open. I have run McAfee virus scan, CA-etrust online virus, and downloaded AVG virus software to identify this virus, but have not been able to identify it or fix it.

Windows XP Professional SP2. I would appreciate any help you can offer.
I've pasted my HijackThis log below.

Logfile of HijackThis v1.99.1
Scan saved at 7:10:35 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\Gri... Read more

A:Solved: Potential Worm Activity Detected

RELEVANCY SCORE 61.6

Feels like I haven't been on here for ages.

Just looking for some help with MS Word.

Was wondering how I can make the little squared sign (small 2) appear next to a number,

e.g. x = (4+5) 2 - this 2 should be small, like when writing 6th the t and h become small. How can I do this manually?

Any help very much appreciated.
 

A:Solved: missed u!

In my version of Word (2000) here's the way you do it:

type your formula,
highlight the 2,
go to "Format" on the top menu,
select "font"
look for "superscript" with a box beside it. Click in the box to put a checkmark in it.
Click the "OK" below

If that doesn't work in your version, then go to your Help menu and search for "subscript". The instructions there should also work for superscripts.
 

RELEVANCY SCORE 60.8

Sorry folks but I missed the voting as to wanting Windows 7 Beta to have its own forum. Got this from pyritechips as his answer to my post asking why we didn't have such a forum:

Hi buf. I guess you missed the thread we had on that subject. You can see it here (http://forums.techguy.org/site-comments-suggestions/789220-windows-7-section.html), and since this thread is a repeat, I am going to respectfully close it.

I surely would not have inquired had I known of the forum poll. I can abide by the decisions made. (Have to )
 

RELEVANCY SCORE 60

Hello,

Today I noticed that the autoexec.bat file is missing on my computer. How is that possible? Is it necessary to have it?

Regards,
 

A:Solved: autoexec.bat file missed

RELEVANCY SCORE 52.8

Hello friends,

Please help and advise with suggestions.

Firstly, the pesty number 1:
- I-WORM/FB.FZ refuses to leave my HD.

It is multiplying in all folders and files with .exe. My AVG detects it and heals it but it comes back again and again. The problem has somewhat slowed down since I used Vundo but it is still there.

I have also used SUPERAntiSpyware but to no effect. I use Firefox 2.0.0.11 mostly.

Secondly, pesty number 2, which automatically starts my IE 7 with the nasties from
www.hopelessromantic.com

This happens ever so often and it chokes my CPU. Seems my browser is hijacked?? I have blocked this site umpteen times under OPTIONS>TOOLS>PRIVACY
but God knows how it bypasses the filtering.

Please see attachment for AVG results.

Kindly suggest some remedies. Thanks a lot folks. Cheers
 

A:Solved: Internet worm I-WORM/VB.FZ and other pesties

RELEVANCY SCORE 52.4

Hi, I am completely new to this, so please be patient. All I know is that my new computer has detected the Trojan files listed in the subject and I don't know how to get rid of them. I am running Vista premium and this is my first post, so I need to know what I can do to remove this stuff before it starts wreaking havoc. Thanks!
 

A:Solved: OfficeScan detected WinAntiSpyware2007 file and SpyHunter 2.9 detected Trojan.vundo!

Closing duplicate.

Please continue here:

http://forums.techguy.org/showthread.php?t=610916
 

RELEVANCY SCORE 51.6

I have a friend who has SystemWorks2004 AND Norton Anti-Virus2005 installed on her laptop. When you click on the Symantec systray icon, the NAV2005 desktop icon, or NAV2005 under the start menu, the SystemWorks2004 window comes up (just like when you click on the SystemWorks2004 desktop icon or select SystemWorks2004 under the start menu). Is it skipping over the NAV2005 program or does that integrate into the SystemWorks program as the anti-virus part now?

I guess my real question was, as long as she keeps her subscription to SystemWorks2004 and def files up to date, is there a reason to purchase a separate NAV2005 program?

Thanks - cybergrrl
 

A:SystemWorks2004 and NAV2005

The System Works has an Anti-virus incorporated into it already so, if it was renewed, there would be no need to install another Anti-virus program. She should uninstall one or the other. Personally, I would keep the System Works as it has more features.
 

RELEVANCY SCORE 51.6

I installed NAV2005 on my wxp-he. When I run LiveUpdate, it doesn't complete the installation of the NortonAntivirus update, instead saying:

*****
Windows 98 4.10.2222

NAVNT 11.0.1

Your Operating System is Windows 98/Me. This update is not desiged for Windows 98/Me.
*****

Yesterday I was on the computer about 12 hours, off and on with tech support.

I had already uninstalled NAV, installed sp2, reinstalled NAV2005, same problem. Norton said remove and reinstall NAV. I told them I already had. Do it again. Did. Same result. Second call, they said call hp and have them fix bad sectors and try again. Did (they had me run scandisk, then run sfc /purgenow, then run sfc /scannow), same result. Third call to Norton, uninstalled NAV LU LiveReg through add/remove, then took out of the registry and removed all symantec folders on the drive (except for three that wouldn't leave), then reinstalled. She guaranteed me this time no problem. Wouldn't stay on the line for the reinstall. Hung up, reinstalled, got same problem.

Yes, I have a W98SE 4.10.2222, but the NAV2005 CD doesn't know it. And NAV2005 hasn't been installed on it (though NAV2004 was). Yes, it has been networked through a router to the wxp, but the network card hasn't worked in ages (the w98 can't get to the Internet and the w98 and wxp can't see each other, and for the final 2 installations of NAV2005 above, the w98 was unplugged from the router).

My wxp has always been xp, not u... Read more

A:NAV2005 LU thinks my wxp is a w98??!

Norton is and always has been a law unto itself; not even its own people know how it works. There is no question it is seeing that Windows 98 somehow, and in my opinion until you get rid of that you're not going to get what you want. You may get other replies telling you different, hopefully... good luck.
 

RELEVANCY SCORE 50.4

After I applied Intelligent Updater and later ran LiveUpdate,
it shows me that I need to download virus defs that I already applied (with Intelligent Updater)!?

Can anyone help?

Thanks.
 

A:NAV2005 Live update problem

RELEVANCY SCORE 48.4

Anyone have any information on this program? I don't use it but one of my users says she uses it at home, and I don't want her getting into something she shouldn't be. I've read that it's just a scam but can't find any info on it.
 

RELEVANCY SCORE 48.4

please help me to know what to do next. THANKS

anh mai

A:the hj log after used noadware

sorry!!! here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:48:38 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINNT\goidr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\hijack\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {913FA72E-EEE0-47DE-A216-D38D1721F170} - C:\WINNT\system32\jcfhi.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe... Read more

RELEVANCY SCORE 48.4

I have recently cleaned my computer using Adaware, Spybot and HijackThis. However I have just downloaded a programme called noadware and after it scanned my computer I was shocked that it apparently found 9 severe and dangerous files etc. To delete all these files you have to register and pay $19.95. Whilst this is not a lot of money I am concerned that the results of the scan are genuine. Does anybody else use this programme, or heard of it? Thanks
 

A:www.noadware.com

RELEVANCY SCORE 48

McAfee detected a worm on my computer, and just to be sure that it's really clean, I scanned it with HijackThis, but I'm not sure if there's any problem. Would appreciate it if someone could point out to me if there's something not right. And I've been getting a lot of these worm attacks lately. What can I use to guard my computer against these attacks?

Logfile of HijackThis v1.99.1
Scan saved at 10:47:21 AM, on 1/25/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\iVasion\WinPoET\WrOS.EXE
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\S3apphk.exe
C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\eMule\emule.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Documents and Settings\Administrator\My Documents\my folder\cleaners\HijackThis.exe
C:\Documents and Settings\Administrator\My Documents\my folder... Read more

A:worm detected

I ran ewido too. These are the results: 14 infected and cleaned.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:53:02 AM, 1/25/2006
+ Report-Checksum: 8B7293B6

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Adm... Read more

RELEVANCY SCORE 48

This is my first post so bear with me. My laptop would boot up, icons load and then shut down.

Took it to have repaired, they did a system restore and loaded an anti virus program.

I had to re-load AOL software. Now, when I got on computer this is the message I received.

threat detected filename/user/patrick/patrick.exe
threat name virus identified worm/vb.7.a
detected on open

Details:
process name c:/program files/common files/aol/1256342570/ee/aolsoftware.exe
process id 3644

Then I have to answer this question before I can shut down or anything.
move to vault
go to file
ignore

I am totally lost as to what this means and what I need to do next.

Please help!!!
 

A:Worm detected

RELEVANCY SCORE 48

I just ran adware scan and it detected C:/win32.p2p-wormalcan.a reg key. I have ZoneAlarm running.
Thx

A:HJT worm detected

Please read and follow the five step process outlined in this post.

Then download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here. Do not fix anything in HijackThis since they may be harmless. Make sure to include the System information at the top of the log as well.

RELEVANCY SCORE 47.6

Recently my SpySweeper detected CoolWebSearch and some other CWS variants. I deleted them and they reappeared after start-up. So I bit on the NoAdware.net ad and they "found" WebPi, if memory serves. Anyway, bought the software to remove it. It pointed to password protected files (or I found at least). My question is, can WebPi be remotely installed from a remote computer or does someone need physical access to the PC? I'm afraid to re-install NoAdware to see if they indeed did have tagalong trojans or whatever. I'm not computer literate enough to know if this is possible. I did research a bit and found that this software is questionable at best. Please help. Thanks

A:Noadware.net With Tagalongs?

Hello and Welcome to Bleeping Computer! You can Start Here. Please be sure to follow all instructions otherwise it will only impair our ability to help you.

RELEVANCY SCORE 47.6

Hi,

I ran a program called Hitman Pro and it detected the following:

C:\Documents and Settings\Our Computer\My Documents\Downloads\FlashPlayer_V.82511273c.exe
Size . . . . . . . : 573,160 bytes
Age . . . . . . . : 85.7 days (2013-04-22 16:57:35)
Entropy . . . . . : 6.4
SHA-256 . . . . . : 64E8843A0B26E4DF8C014F39431733ABE90F1DD20E6EF104F1C88A426983135F
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> Emsisoft . . . . . : Trojan.Win32.DomaIQ.AMN!A2
Fuzzy . . . . . . : 99.0

C:\Documents and Settings\Our Computer\My Documents\Downloads\winzip setup.exe
Size . . . . . . . : 990,872 bytes
Age . . . . . . . : 48.7 days (2013-05-29 18:42:25)
Entropy . . . . . : 7.9
SHA-256 . . . . . : 7D459DF662DB375267E74BB420E6661A53490216C3E202B160EB505B81ED63D4
Version . . . . . : 1.0.0.0
RSA Key Size . . . : 2048

Here is my HiJack This log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:57:32 PM, on 7/23/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobil... Read more

A:Trojan and Worm Detected

I'm not sure if my post was seen. Posted on July 23rd. I read the "PLEASE BE PATIENT" disclaimer, but not sure if more time is needed. If so, just let me know.

Thank you,

Tim
 

RELEVANCY SCORE 47.6

Hello, I have recently acquired a worm through a security hole that was downloaded by shareware (my fault). This worm disabled Task Manager, "Run", Control Panel, "All Programs" on the Start menu, and most links on the right side of the Start menu. From my research, I concluded that this virus (or worm) is a very high danger. It acts like a key-logger, and displays the following message and other pop-ups:

(Yellow triangle with "!" mark (picture))
Title - "Security Warning!"
Message - Worm.Win32.Netbooster detected on your machine. This virus is distributed through the internet via the e-mail and Active-X objects. This worm has its own SMTP engine which means it gathers e-mail and re-distributes them. In worst cases... (Continued)
Skipped a line - "Type" - "Virus"
Skipped a line - "Security Risk" 5/5
Etc.

These and several other messages pop up, which lead to a rogue anti-virus known as WebAnti-virus 2008. I have tried scanning with Trend, Spybot S&D, Malwarebytes' Anti-Malware, Kaspersky, and Norton, but they all do NOT detect it. This virus is manually controlled, up to an extent. When I try to download an anti-virus, or any other protection file, it starts bombarding me with pop-ups, slowing the speed dramatically. The same goes with scans. This might be programmed to do that, but it looks like someone is manually controlling it. Also, 3 new icons appeared on my computer labeled - "System Error Fixer... Read more

A:(Not Detected By HJ) Unremovable Worm

Hi, welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Note 1. Please refrain from making any changes to your system from now on as it might prolong handling your log and make the job for both of us more difficult.

To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Note 1: The logs will be created in this folder: C:\rsit

Note 2: The tool takes not more than one minute to scan the system.

Tell me if you have run any other tool other than those you have mentioned.

Tell me about the current condition of your computer.

RELEVANCY SCORE 47.6

My oldest son just graced me with the computer of his fiancé. With lots of applications and the Windows 2000 Professional operating system, it would be great if it did not shut down soon after turning it on.

They bought a bundled computer at Costco and claim they never had any operating system discs.

Is there anything I can do to help mend this thing so that it will stay on and remain stable?
 

A:LSASS and no Worm Detected! Now What?

If you can stay on-line long enough, please do this. Click here:

http://www.sherrylynn.us/HijackThis.exe to download Hijack This. It’s very important that you save it to its own folder on your hard drive, such as program files (not temporary files or the desktop), so that it can create proper back-ups and be able to restore them if necessary.

Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the log and advise.

If you're having trouble staying on-line long enough, probably due to a virus like Sasser, you can abort the shutdown by doing this:

To stop the computer from shutting down, go to Start - Run - and type in
"shutdown /a" (no quotes)
 

RELEVANCY SCORE 47.6

AVG detected a few trojans, couldn't heal them, but moved them to the vault
Trojan horse downloader.Dsfica.3.AK
Trojan horse downloader.Generic.DTH
Trojan horse backdoor.Generic3.REW (3 times)

AVG also popped up with this message,
C:\SYSTEM.SAV\MSMoney\MONEY\IE\AXA.CAB:\unaxa.exe
virus identified 1-worm/generic.APW
infected, embedded object
infected, archive

Pretty sure the files are harmless now that AVG moved them to the vault, but to double check here is the hijack log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:22 PM, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Craig .OFFICE\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/re...c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...1w4FlSX+sAMtg7
R1 - HKCU\Software\Microsoft\Internet... Read more

A:Trojan and worm detected...

Bump.


Hi Guys

I ran a Malwarebytes scan and it detected Worm.autorun.

I have run all the necessary scans and hope you can assist me in cleaning up my pc.

Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:20 PM, on 23/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program ... Read more

A:Worm Detected Malwarebytes


Purchased NOADWARE for my Toshiba laptop.
(http://www.noadware.net/?hop=advanced99)
Any comments on this company? When I did a scan on my laptop there was lots of stuff that didn't show up on the free AOL or the Norton that came with the computer.
NOADWARE seemed pretty simple to use for a novice like me.
thanks

A:Noadware - Any Comments On This Product?

Had you asked before "purchasing", I would have told you that there are better products for free.
It was once listed as a rogue product by Spyware Warrior and has since been removed from that list.


Last night, I was looking for something and came across a website that offered "free scan" to see if dangerous spyware or adware had infected your computer. Not sure why I thought this now (it was late last night) but I clicked on the download, it said "scan your computer free!" (Of course, it didn't say it was free to remove what was found!)

I downloaded it, virus scanned the dl, installed it and ran it. Actually, at first I thought it was an "online scan", which was how it sounded.

It found Cydoor, which I knew I had, (Bazooka brings it up, but it says to remove, the host must be removed, and I don't know what the host is. Possibly Shareaza, but that says it doesn't have spyware- I went to the Cydoor website and filled out a form they had, to get directions to take it out, and when I hit SEND a page came up saying it couldn't be sent..) Anyway, this program, last night, brought up Cydoor (saying in red DANGEROUS!) and said "delete". Of course, when I clicked this, it said only the registered versions ($19.95) could delete what was found!

I uninstalled Noadware, deleted cookies, and ran SpyBot. This didn't find anything that looked like Noadware, but one link said "gator". The dreaded and sneaky "gator"! (Seems like I read somewhere it's now using a new name?) I then put "gator" in FIND (files and folders) and came up with a folder of it (started to instal when I clicked it... Read more

A:noadware.net- blacklisted site? etc


I just received a popup from Windows saying that I had a MSIL/Necast.D worm and I downloaded Windows Security, however it didn't detect it. I ran screen317's check and this is what came up in the log.

 Results of screen317's Security Check version 0.99.67
 Windows Vista Service Pack 1 x64 (UAC is enabled)
 Out of date service pack!!
 Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
 Microsoft Security Essentials
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 12
 Java version out of Date!
 Adobe Flash Player 11.7.700.224
 Adobe Reader 8 Adobe Reader out of Date!
 Mozilla Firefox (21.0)
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Windows Defender MSASCui.exe
 Windows Defender MSASCui.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

 

A:MSIL/Necast.D worm detected?

This is the Farbar Service Scanner report log....
 
Farbar Service Scanner Version: 16-06-2013
Ran by CHEF (administrator) on 20-06-2013 at 15:09:41
Running from "C:\Users\CHEF\Downloads"
Windows Vista ™ Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\... Read more


Please help me. I'm running Windows XP, and McAfee VirusScan. My system won't stop sending emails

"Potential Worm Activity Detected! The last few sent emails contained similar subject or body content."

I'm given three options

1. Stop this e-mail
2. Find out more information
3. Continue what I was doing

No matter which option I choose, a similar message will subsequently appear. I can't seem to get out of this endless loop.

I ran AVG antivirus, and cleaned detected infections. but it has not solved the problem.
I then have Norton antivirus installed on the system. But similar messages of email being sent keep popping up. Please help as I am in a desperate situation.

The following is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:19 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
... Read more


I just found by looking at my autorun programs, I have one with a file name %1. I read on another forum "bleepingcomputer" that it's added by the W32/protorid-AD worm. I am wondering if anyone knows how to rid myself of this. I assume I must have the worm too!

I am running the latest versions of Avast and run SpyBot, and Malwarebytes every 3-4 days. (no "adult sites" viewed) lol

I have noticed one thing... "Show processes from all users" in Task Manager sometimes takes 2-3 tries to show. That's the only thing I've noticed out of the ordinary.

Do I need to worry? How can I fix this?


Last evening, with my machine performing nicely without any problem, whilst out prowling the Net I did a 'drive-by' scan using ewido anti-spyware 4.0 micro scan, which I have never used before. Much to my surprise (I keep all security tools & XP religiously updated and used) the ewido scan found the topic title worm and reported the path as:
C:\Program Files\Fast Defrag Freeware\close.com
I recognized this rather useless little RAM examiner and defragger program straight away. I had installed it long ago from one of the PC magazine offerings, but had rarely used it. I might add I do not just willy-nilly, cross my fingers, install, and hope for the best outcome. I ran two a/v scanners over the program before I installed and I would have done the same with the CD which delivered the worm before I would have opened the CD. And of course the PC magazine, per normal, assured they too had scanned the content of the CD and deemed it free of bugs. Yeah right! So it looks like this little bazza - close.com - was sitting there awaiting something to slip through my firewall and kick it into action.
Rather than have ewido take care of the problem straight away, being brave, I opted to examine a bit further, which has been known to get me into trouble. I determined Worm.Warezov.fh was, as you know, a mass mailing worm. I decided to uninstall Fast Defrag Freeware and did. I re-ran the aforementioned ewido scanner and it revealed a related C:\System Volume I... Read more

A:Worm.warezov.fh Detected & Removed

Welcome Globe Roamer Jeff
First I need you to do the following please:
Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\taskmgr.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.
If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\taskmgr.exe
Then click on 'Send'.
Post the results into your next reply please.


My desktop changed and it had a warning saying I have been infected. Also, I couldn't start Task Manager. One or several popups started telling me to download removal tools. I did not trust these and didn't download anything. I updated my Windows Defender and ran scans. It did detect and remove different stuff with name variations of the one above. Still my desktop had the warning and I couldn't change the desktop image. I installed Microsoft Security Essentials and ran it. Again it detected and removed the same virus mentioned above but the desktop remained the same.

I searched online what to do if I can't change desktop and start Task Manager. Online I found instructions how to go into Regedit and delete in Policy so I can now change desktop picture and start Task Manager.

But I still get popup windows with ads. I get these in Chrome and in Explorer. The problem originally started when I was browsing in Chrome.

My ISP provides a free anti-virus program so I downloaded that and ran it. My ISP is cbeyond and the anti-virus program is called F-secure. After running all scans several times the problem still persists. Popups keep coming. Just a minute ago I was prompted to fill out an online survey for BleepingComputer. It looked legit so I filled it out in an effort to give something back to this site that I hope will help me solve this. After I filled it out it offered me some products and I realized it was the virus again.

It seems the Anti-Virus program is not able to remove ... Read more

A:Worm:Win32/Emold.U detected

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. You will also be instructed to create a Root Repeal Log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post.
Please be patient and good luck.


My McAfee is driving me crazy, it keeps popping up saying "Potential Worm Activity Detected" and it says that emails are being sent out. It also keeps blocking a trojan but not getting rid of it. I've done a full system scan it could not recognize it, i also did spybot s&d, lavasoft ad-aware, the trend online scan and the multi_av scan. I don't know what's going on. I'll give you my hijackthis log. I would really appreciate if someone could help me.

Logfile of HijackThis v1.99.1
Scan saved at 11:30:24, on 04/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Autodesk Shared\Ser... Read more

A:Potential Worm Activity Detected


Now that I have the "SWEN" worm... what do I do? YES, I know... all common sense was lost for a brief second as I opened that damn e-mail! I did the HouseCall scan... do I click delete while the detected worm file is highlighted? Thanks!
 

A:[Resolved] SWEN worm detected... Now what


Hi,

I've seen other forums on this topic but none of them have really helped me.

My McAfee Virusscan keeps popping up with

Potential Worm Activity Detected!
The last few sent e-mails contained similar subject or body content
E-mail Subject: Can you imagine that you are healthy

I ran my McAfee, Ad-Aware and also Spy Sweeper but none of them has helped. On another forum I saw a program called VundoFix so I downloaded and ran that but it hasn't helped. I've posted my HijackThis logfile below. I'm fairly computer illiterate so please try to dumb it down, thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 2:30:13 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\... Read more

A:Potential Worm Activity Detected!... Please Help.

Closing duplicate thread, please continue here: http://forums.techguy.org/security/578825-my-mcafee-keeps-popping-up.html#post4766708
 


Here is what happens:
I turn on the computer (my brother's) everything is fine- shows Welcome screen. Before anything (icons or desktop) shows a pop-up appears that says the following:

Spyware Alert - Security Warning - Worm.Win32.Netsky detected on your machine. This virus is distributed via the internet through email and active-x objects. The worm has its own SMTP engine which means it gathers emails from local computer and redistributes itself. In worst cases the worm can allow attaches to access your computer, stealing passwords, and personal data. Viruses can damage your confidential data and work on your computer. Continue working in unprotected mod is very dangerous.
Type: Virus
System Affected: Windows 2000, NT, ME, XP, VISTA, 7
security risk: 5
recommendations: It is necessary to perform full system scan.

Only after I click "ok" or close the popup will the desktop, icons, and programs load.
As the programs are loading during startup - Window Security Center Opens, also some AntivirusLive performing some sort of "scan"
I was going to try to start this method:
http://www.bleepingcomputer.com/forums/ind...3&hl=netsky
I downloaded the programs on my computer (this one) saved the programs on a flash drive, then moved them to the infected computers desktop but when I tried to open the ATF Cleaner a pop-up says:
Application cannot be executed. The file atf_cleaner.exe is infected. Do you want to activate the antivirus software now?
Started it on safe mode to try t... Read more

A:Worm.Win32.Netsky detected

Well, I'm still here if anyone is interested in helping...


I've seen several other members experience the same problem, where McAfee keeps telling me that "Potential Worm Activity Detected!". It goes on to say "The last few sent e-mails contained similar subject or body content." and the subjects are random, as well as the emails they are sent to. Here is a copy of my HJT log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:21 AM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mcafee.com\vso\mc... Read more

A:potential worm activity detected

Hiya and welcome to Tech Support Guy

Are you still having this problem? If so, do the following:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click &q... Read more


http://antivirus.about.com/library/weekly/mcurrent.htm?pid=2827&cob=home angelize56
 

A:Maxima Screensaver worm-Detected 6-27-02

Cheers for that Marlene ! hope u r well ?
 


How do I get rid of this message - can't send email at all
 

A:Possible worm activity detected with McAfee

Hi huff0623

Welcome to Tech Support Guy Forums!

Does McAfee point to an email message containing the worm?

If so, have you tried deleting the message?

Run an online antivirus check from at least one and preferably 2 of the following sites
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://security.symantec.com/default.asp?
http://www.ravantivirus.com/scan/
Allow them to clean/delete any spyware/malware or viruses/trojans they may find.

If you do not already have these programs,
Download:
Ad-Aware SE 1.05
Spybot-S&D (ver. 1.3)

Install Ad-Aware SE and Spybot-S&D and check each of them in turn for updates.

For Ad-Aware SE click on Full System Scan and deselect Search for negligible risk entries.
Let Ad-Aware SE remove what it finds.
Run Spybot-S&D and have it fix what it finds marked in Red.

After running your online virus scans and running Ad-Aware SE and Spybot S&D,
close all programs and reboot to complete the removal process.

If you are still receiving this message and are unable to send emails, try turning off email scanning in your Anti-virus program and check your firewall to make sure it is allowing your messaging program access to the internet.

Let us know what happens.
 


I am getting this popup from my McAfee virus scan multiple times a day. But when I run virus scan, nothing is found.

Potential Worm Activity Detected
The last few sent emails contain similar subject or body content
Email Subject - Susan 5982 - Clipboard
sent to [email protected]

I haven't sent any emails with that subject and I don't know anyone with that email address.

What should I do?

Thanks,
Susan

A:Help - Potential Worm Activity Detected

It would appear you have a keylogger or similar which is emailing your keystrokes or a record of visited sites etc to this email address.
You need to immediately run the following scans and fix what they find and then post a hijackthis log on the hijackthis log board. Moderators please move this to hijackthis log board


Please download
Mcafee stinger multivirus removal tool
Install and run

Spybot search and destroy
Ad aware personal from Lavasoft
Install, update, run, check for problems, fix problems.
A Squared trojan remover
Download, install, update, scan and fix.


Hi, strange emails are being sent from my computer to random email addresses with subjects advertising prescription drugs and I keep receiving alerts from McAfee saying Potential Worm Activity Detected. I ran Hijack This and have posted my log below. Any help on what to do to stop these emails would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 14:32:56, on 21/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spmsg2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmew... Read more

A:Potential Worm Activity Detected

If anyone could check my hijack that log I would really appreciate it.
Thanks
 


When I am trying to e-mail individual pictures - the e-mail in Outlook Express in the "sent" folder keeps staying in there and my computer keeps trying to send it. Then a pop-up from McAfee comes on saying:

"Potential Worm Activity Detected! The last few sent e-mails contained similar subject or body content. Then it gives the E-mail Subject and then it says I want to......
Stop this e-mail
Find out more information
or Continue what I was doing."

Even though I am just sending it to one person, not multiple addresses - that box comes up.

What is causing this and how do I correct this problem? I've never had this problem in the past. When I send pictures as "attachments" this does not happen. The only time this happens is when I try to send an e-mail with the pictures being shown in the message.
 

A:Potential Worm Activity Detected ?

Download HijackThis and do a scan, then copy and post the log here for someone to analyze. As well, do a scan here.
 


for whatever reason, Spybot keeps telling me that NoAdware 4.0 is rogue. is it correct, or is this a false positive lurking around? I'm no stranger to false positives; at one time, one part of my anti-malware armada insisted that mIRC was a trojan(although it stopped after the next database update)...

I want to make sure, before I nuke it, even if I haven't used it in a while...

A:Spybot Claims Noadware Is Rogue...

Here's their website. It appears to be legit though it is shareware. Most of us would rather use freeware.
http://www.noadware.net/?hop=neil1000


Recently I ran a scan with spysweeper and it showed coolweb search and CWS variants. Deleted and still had after reboot. Freaked and ran free scan by NoAdware.net. It found numerous "Dangerous" infections. Mainly referring to WebPi applications, I believe. (key loggers, screen shots, whole nine yards) Really freaked. I was running ghost surf 2005, spysweeper, mcafee antivirus suite - although last one was expired a couple weeks. Anyway somehow I came across files that were password protected supposedly. I deleted manually. Then wiped drive. Relegated computer to games only since it was time to upgrade anyway. My question is: Has anyone heard of the WebPi false positive with NoAdware.net? I did a little research on them and they are questionable at best. Also, can WebPi be installed without physical access to computer? Can it be installed through a backdoor remotely? Thanks


My pc has been acting a bit odd for a few months. This has included icons requiring multiple depresses to open, hard drive capacity barely increasing after removing programs, and deleting files. There are also the occasional screen freezes. A scan with Malwarebytes ver. 1.44 detected "Malware.Trace, Trojan.Vundo, and Worm.Kolab" in "Category: Registry Key." Any assistance in removing these "offenders," would be appreciated.
I have provided my Attach and ark zipped files as requested.

Here is my DDS.txt Log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Lil Momma at 20:15:42.64 on Wed 01/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.307 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100113-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.ex... Read more

A:Malware, Trojan, and Worm Detected via Malwarebytes

BUMP, please.


Been having constant pop ups of various "infected" statements. I run Sophos Anti Virus which is really good but seems these have slipped through. I run adaware every now and then as well. Being a little tech savvy I tried the normal things I have done in the past. I have followed the thread about what to do in these circumstances and done the 5 steps.

Below is the log after dss.exe

Not sure what else I can do as I know these things are present. The online Pandasoftware search found several issues but was only able to fix one.


Deckard's System Scanner v20071014.68
Run by Brett on 2007-12-20 17:24:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
72: 2007-12-20 07:24:57 UTC - RP675 - Deckard's System Scanner Restore Point
71: 2007-12-20 02:16:36 UTC - RP674 - System Checkpoint
70: 2007-12-17 05:05:29 UTC - RP673 - Installed Sophos Anti-Virus
69: 2007-12-17 05:03:13 UTC - RP672 - Removed Sophos Anti-Virus
68: 2007-12-13 14:08:06 UTC - RP671 - System Checkpoint


-- First Restore Point --
1: 2007-10-02 09:34:52 UTC - RP604 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone --------------------------... Read more

A:Constant pop ups - Windows has Detected... worm.w32.netsky....

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop


Disconnect from the internet....pull the plug!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
Go to -> Run -> paste in the following single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall


Follow the prompts. Type "1" and press Enter to begin the scan.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is no... Read more


Hi, I really need help. My Sony Vaio laptop keeps coming up with messages saying it's been affected by worm.win32.net booster, and every time I log in to my computer three programs are on the desktop. I've never seen them before. Could someone please help me?

PS: computer is an XP

A:Please Help My Laptops Detected Worm.win32.net Booster

Run a full system scan with Malwarebytes' Anti-Malware in Normal Mode (Instructions).
