
Rootkit, Gmer and DDS scan result

Q: Rootkit, Gmer and DDS scan result

Here's the result after I scanned the computer. I hope this would help to solve my problem. I also want to thank you all for helping me.

DDS (Version 1.0) - NTFSx86
Run by Aaron Tran at 22:08:32.39 on Mon 11/24/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1501 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Aaron Tran\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://google.icq.com/search/search_frame.php
uSearch Page = hxxp://google.icq.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3A697D4A-289B-472D-96E0-7FF2F22836FD} - c:\windows\system32\jkkLEWmK.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {73259091-9574-4ED8-A40F-7F65AFC28634} - c:\windows\system32\vtUmMfDT.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} -
BHO: {E83B327A-699F-640C-0E02-70547B0C05E0} - c:\windows\system32\caewqgeycilvoe.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {D0943516-5076-4020-A3B5-AEFAF26AB263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [gadcom] "c:\documents and settings\aaron tran\application data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TFncKy] TFncKy.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [{8F-FA-A9-9A-DW}] c:\windows\system32\jlwnw64p.exe DWmmm01FF
mRun: [ExploreUpdSched] c:\windows\system32\pcntmkdm.exe DWmmm01FF
mRun: [bvfrxvnozlall] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\caewqgeycilvoe.dll"
StartupFolder: c:\docume~1\aaront~1\startm~1\programs\startup\deewoo.lnk - c:\windows\system32\pcntmkdm.exe
StartupFolder: c:\docume~1\aaront~1\startm~1\programs\startup\dw_start.lnk - c:\windows\system32\jlwnw64p.exe
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: NoStrCmpLogical = 0 (0x0)
uPolicies-explorer: NoDesktop = 0 (0x0)
uPolicies-explorer: NoFavoritesMenu = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
uPolicies-explorer: NoRun = 0 (0x0)
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoStartMenuMorePrograms = 0 (0x0)
uPolicies-explorer: NoDFSTab = 0 (0x0)
uPolicies-explorer: NoResolveSearch = 0 (0x0)
uPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
uPolicies-explorer: NoTrayContextMenu = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoCommonGroups = 0 (0x0)
mPolicies-explorer: NoChangeAnimation = 0 (0x0)
mPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
mPolicies-explorer: NoTrayContextMenu = 0 (0x0)
mPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
mPolicies-explorer: StartMenuLogoff = 0 (0x0)
mPolicies-explorer: ForceStartMenuLogoff = 0 (0x0)
mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
mPolicies-explorer: DisableMyPicturesDirChange = 0 (0x0)
mPolicies-explorer: DisableMyMusicDirChange = 0 (0x0)
mPolicies-explorer: DisableFavoritesDirChange = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: GreyMSIAds = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.browsergate.com/redirect.php
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.browsergate.com/redirect.php
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxdev.dll
Notify: vtUmMfDT - vtUmMfDT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {73259091-9574-4ED8-A40F-7F65AFC28634} - c:\windows\system32\vtUmMfDT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkLEWmK

============= SERVICES / DRIVERS ===============

R1 mountmgrr;mountmgrr;c:\windows\system32\drivers\mountmgrr.sys [2008-11-23 86272]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-7 24652]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 XIRLINK;VivaPix WebCam;c:\windows\system32\drivers\ucdnt.sys [2006-9-5 1001404]

============== File Associations ===============

VBSFile=c:\windows\WScript.exe "%1" %*

=============== Created Last 30 ================

2008-11-24 21:45 250 a------- c:\windows\gmer.ini
2008-11-24 21:24 815,104 a------- c:\windows\system32\rmvtrjan.trb
2008-11-24 21:24 3,440 a------- c:\windows\undo.reg
2008-11-23 21:12 143 a------- c:\windows\system32\mcrh.tmp
2008-11-23 21:05 885,150 a--sh--- c:\windows\system32\KmWELkkj.ini2
2008-11-23 21:05 885,150 a--sh--- c:\windows\system32\KmWELkkj.ini
2008-11-23 21:04 318,464 -------- c:\windows\system32\jkkLEWmK.dll
2008-11-23 21:00 860 a------- c:\windows\system32\winpfz33.sys
2008-11-23 21:00 47,584 a------- c:\windows\system32\bidmmfsjdnee.exe
2008-11-23 21:00 21 a------- c:\windows\system32\zxdnt3d.cfg
2008-11-23 21:00 192,576 a------- c:\windows\system32\pcntmkdm.exe
2008-11-23 21:00 153,425 a------- c:\windows\system32\g4.exe
2008-11-23 21:00 200,744 a------- c:\windows\system32\jlwnw64p.exe
2008-11-23 20:43 <DIR> --d----- c:\temp\tn3
2008-11-23 20:41 <DIR> --d----- c:\temp\FT62
2008-11-23 20:41 <DIR> --d----- c:\temp\1cb
2008-11-23 20:41 <DIR> --d----- c:\docume~1\aaront~1\applic~1\gadcom
2008-11-23 20:40 35,840 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2008-11-23 20:41 200,725 a------- c:\windows\system32\dwwnw64r.exe
2008-11-23 20:41 26,112 a------- c:\windows\system32\vtUmMfDT.dll
2008-11-23 20:41 26,112 a------- c:\windows\system32\urqOHXnO.dll
2008-11-20 04:48 325,120 a------- c:\windows\system32\caewqgeycilvoe.dll
2008-10-06 21:18 <DIR> --d----- c:\program files\Symantec
2008-10-06 21:16 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-06 21:15 <DIR> --d----- c:\program files\Norton AntiVirus
2008-10-01 21:55 <DIR> --d----- c:\program files\AoA Audio Extractor
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-04 11:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-22 11:49 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Mp3 Audio Editor
2008-06-25 21:15 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Syntrillium
2008-04-28 20:36 <DIR> --d----- c:\docume~1\aaront~1\applic~1\BSplayer
2008-04-28 20:30 <DIR> --d----- c:\docume~1\aaront~1\applic~1\BSplayer Pro
2008-03-15 23:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Network Associates
2008-03-15 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-03-09 14:26 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Symantec
2008-03-06 00:49 <DIR> --d--r-- c:\docume~1\alluse~1\applic~1\winpcdoctor
2008-03-06 00:49 <DIR> --d--r-- c:\docume~1\alluse~1\applic~1\SalesMon
2008-02-21 19:26 <DIR> --d----- c:\docume~1\aaront~1\applic~1\DVD Flick
2008-01-29 20:01 <DIR> --d----- c:\docume~1\aaront~1\applic~1\vlc
2007-12-04 20:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2007-11-08 21:20 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Uniblue
2007-07-21 17:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ahead
2007-01-24 00:15 <DIR> --d----- c:\docume~1\aaront~1\applic~1\FFSJ
2007-01-11 22:30 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Viewpoint
2006-10-09 23:16 <DIR> --d----- c:\docume~1\aaront~1\applic~1\MathWorks
2006-10-03 21:59 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Mathsoft
2006-10-02 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2006-08-16 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2006-08-16 19:46 <DIR> --d----- c:\docume~1\aaront~1\applic~1\Intel
2006-02-06 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2006-01-18 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2006-01-18 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-07-29 16:24 472 a--shr-- c:\windows\qwfyb24gvhjhbg\kqIVvZb0pJL1v0.vbs

============= FINISH: 22:09:56.29 ===============


A: Rootkit, Gmer and DDS scan result

I Have A Message Saying "Error In:c\windows\system32\caewqgeycilvoe.dll
Missing Entry:dllstart:".
I Currently Run On Xp Home Edition. After I logged in, everything on the desktop disappeared. The only thing left to see is the screen saver. Results shown above after the Gmer and DDS scan. Please advise of what to do and how to fix this. Thank you!


I scanned my laptop with gmer, and I was surprised because it showed lots of malware / rootkit. Are these results reliable?

A:Shocking "Rootkit" result from results from GMER scan

Actually that log looks clean. What do you think is an indication of malware in this log? It just looks like you have Comodo or something similar installed which explains what you see in the log.


My GMER anti-rootkit scan resulted in the following message 'GMER has found system modification caused by ROOTKIT activity'. How do I address/correct this problem? It is not specific.


I have six computers that have been affected by a virus or some kind of issue. This computer I scanned as instructed and have the following results. Every computer was hit a little different but I found the vundo trojan on two that I removed, but this and 3 others I did not even find any malware when scanning with malwarebytes. I figured I would start with this computer and hopefully it will give me a way of fixing the rest or at least tell me how to look. Below is the DDS.txt log as requested.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by VIP at 13:04:30 on 2012-08-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.22 [GMT -4:00]
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
============== Running Processes ===============
C:\windows\system32\svchost -k DcomLaunch
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton 360\Engine\\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\\ccSvcHst.e...

A:GMER Scan found rootkit

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ...


Hello, I was asked to "speed up" an older laptop for a friend. After exhausting my knowledge without solving the problem, I turned to the internet for assistance and thankfully found Bleepingcomputer. My initial post was here, and after several scans I have been referred to this forum. In short, at the outset the computer was extremely slow, definitely suffering from the presence of System Tool as well as a google redirect. My independent efforts, using tools such as Spybot S&D, CCleaner, MBAM, SAS, and Hitman Pro removed several types of malware though also suggested the presence of a rootkit.

At present, the computer seemingly functions normally, though Hitman Pro continues to report the following error: "Proxy server on this computer (User)" It reports this error twice in each scan, and is able to repair it, however the finding reappears after any restart.

The requested logs are pasted and attached below. The only variance from the preparation guide protocol is that GMER was run without unchecking the IAT/EAT box, I can certainly repeat that scan if needed. Thanks so much for your help in advance.

DDS.txt:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Lisa Pastel at 22:35:01.00 on Tue 12/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1938 [GMT -5:00]
AV: avast! Internet Security *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*...

A:rootkit activity per GMER scan

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for post...


I have scanned with gmer rootkit scan and saved the logfile in my documents as a txt file. I don't know how to read it, so that I can see that I don't have a rootkit detected by gmer.
I don't know how to post the log, or even if I am allowed to.
Could someone here please help me hopefully through the process of posting, and reviewing the log. Any info will be permanently archived in a folder with the programme accompanied by a large collection of anti-malware tools I have accumulated.

Mod Edit~ This topic has been moved to the "Am I Infected forum." This forum is better suited for the question you have asked.

A:Can I Post My Gmer Rootkit Scan Here? If So, How?

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.

Important! Please do not select the "Show all" checkbox during the scan.


Hello there!

I followed the "Preparation Guide For Use Before Using Malware Removal Tools and Asking for Help" instructions up to the point where Gmer is open, and I am asked to uncheck several boxes before the scan. The problem is that most of the boxes are already unchecked and greyed out so that I cannot check them. Therefore, the Gmer scan does not include System, Sections, Devices, Modules, Processes, Threads, and Libraries.

I ran the scan anyways, and Gmer isolated no files after scanning Services, Registry, and Files in C:\ drive.

Therefore, I would like to know whether it is necessary that the Gmer scan include the missing categories, and if so, how I can make sure they are included in the next scan that Gmer runs?

Thank you very much!


Here are logs:

GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2014-10-02 04:47:58
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDS721010CLA330 rev.JP4OA3MA 931.51GB
Running: i7tjqdjp.exe; Driver: C:\Users\nots0\AppData\Local\Temp\fgloqpoc.sys
---- User code sections - GMER 2.1 ----

.text C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe[2912] USER32.dll!LoadStringW 7659DFBA 5 Bytes CALL 100011A2 C:\Program Files\DAEMON Tools Pro\BRD.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3900] ntdll.dll!NtCreateFile 770D5608 5 Bytes JMP 64A8A210 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3900] ntdll.dll!NtFlushBuffersFile 770D5998 5 Bytes JMP 64A6EB90 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3900] ntdll.dll!NtQueryFullAttributesFile 770D6028 5 Bytes JMP 64A89C70 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3900] ntdll.dll!NtReadFile 7...

A:Computer infected w/ rootkit from Gmer scan

Reg HKLM\SOFTWARE\Classes\[email protected] C:\Program Files\iTunes\iTunes.Resources\iTunesRegistry.dll (iTunes Resource Module/Apple Inc. SIGNED)(2014-02-21 08:25:18)
Reg HKLM\SOFTWARE\Classes\iTunes.aif\shell\open\[email protected] C:\Program Files\iTunes\iTunes.exe (iTunes/Apple Inc. SIGNED)(2014-02-21 07:54:38)
Reg HKLM\SOFTWARE\Classes\[email protected] C:\Program Files\iTunes\iTunes.Resources\iTunesRegistry.dll (iTunes Resource Module/Apple Inc. SIGNED)(2014-02-21 08:25:18)
Reg HKLM\SOFTWARE\Classes\iTunes.aifc\shell\open\[email protected] C:\Program Files\iTunes\iTunes.exe (iTunes/Apple Inc. SIGNED)(2014-02-21 07:54:38)
Reg HKLM\SOFTWARE\Classes\[email protected] C:\Program Files\iTunes\iTunes.Resources\iTunesRegistry.dll (iTunes Resource Module/Apple Inc. SIGNED)(2014-02-21 08:25:18)
Reg HKLM\SOFTWARE\Classes\iTunes.aiff\shell\open\[email protected] ...


I have been following the steps but am having a problem with the GMER scan it will scan for a few min. then shuts down the PC with "Fatal System Error". So I have included the initial log from the GMER scan prior to full scan and it does include the Rootkit.Agent that I cannot get rid of.
Thanks
Bryan

A:Rootkit.Agent GMER scan will not complete

Hello, I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please include the report in your next post:
C:\ComboFix.txt

"information and logs"
In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo


Help! I am following the instructions that say "read this before posting for malware removal help". Can't get the GMER Rootkit Scanner to scan. I click scan & nothing seems to happen. I wait & wait & see nothing. What am I doing wrong?

A:[SOLVED] GMER Rootkit Scanner doesn't seem to scan

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.


I need to see your logs from running dds. Please post DDS.txt in, and attach Attach.txt to, your next reply.


I need to see a gmer log in order to help you. Let's try this special version of gmer.

Download GMER Rootkit Scanner from here and Save it to your Desktop. Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your de...


I've downloaded GMER and run a scan on one of my ws. A user complained that after he used it to check his Yahoo mail, his Yahoo account started to send spam with links to malicious site to all his contacts... I had Avira running on that PC, it is updated with last definitions and complete system scan is run every day - no alerts or detections. I scanned the pc with Mbam also - nothing found. I decided to check with GMER for rootkits... And there are a lot of entries listed in GMER under Rootkit/Malware tab but scan finished without any warning of detection whatsoever. Also - no red lines... But I am still confused - are these listed under Rootkit/Malware detections or?

Please find attached GMER log file...

Thanks in advance for your help.


A:GMER scan, a lot of entries listed under Rootkit/Malware - I am infected?

Hello, And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.

The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you...


I'm not sure how my DELL XPS M1530 laptop got the NTOSKRNL-HOOK Trojan, but it might have been from repeatedly downloading different versions of the same game in order to extend the free trial. I downloaded Family Feud, MahJongg, and The Price Is Right from the iWin.com and Jenkat Games programs, as well as from other Web sites, some of which, in hindsight, may not have been legitimate.

The irony is that right before my computer first crashed, I'd just finished a scan with McAfee and no problems showed up. About 10 minutes after the scan, in the middle of playing an online game and talking on Yahoo Messenger, the dreaded blue screen of death popped up!

Since then, I have not been able to start up Windows in Normal Mode. Every time I try to do a System Restore, the blue screen appears immediately after I type in my user name and password when the computer restarts.

After starting up in Safe Mode and performing a Quick Scan with McAfee, my laptop finally found the NTOSKRNL-HOOK Trojan and supposedly removed it. A subsequent Full Scan right after the first showed that the NTOSKRNL-HOOK Trojan was still on my computer, but claimed that, once again, it was removed. However, all other scans from that point on have found and "removed" this pesky trojan, but it still persists.

I really want to backup my files or salvage whatever data I can, but I have had many problems trying to do so! Since the trojan has taken my laptop over, I can no longer see my external h...

A:NTOSKRNL-HOOK Trojan: my laptop can't complete the GMER Rootkit scan!


See if you can get GMER to run in safe mode...close down all other programs while it scans.

Also, see if this program will run and post the logs

Please download Sysprot Antirootkit from >>>HERE<<<

Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select ALL ITEMS
Look near the bottom left, and Check Hidden Objects Only
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to.
Open the text file and copy/paste the log here.


Hello,

Here is a brief story: A few weeks ago I thought I had some kind of malware on my computer, because my computer showed the symptoms I described in another post. About three weeks ago, I reinstalled Windows XP (Home Edition 2002 Version Service Pack One) onto my computer (Sony Vaio Model PCV-2222) and everything seemed fine. A few days later I started getting Google redirects. A few days after that I couldn't open certain image files on my computer. I was growing worried today when I couldn't open images on my computer, so I decided to run a Gmer scan, when all of a sudden something strange happened. Shortly after I started the scan, the Gmer program found hundreds of files in the registry, and it identified the "type" of those files as "SDSS." Then the computer restarted itself. I ran the scan again, and it only found one file. I'll post the results below. I don't know what to do, but I will be very helpful if anyone can lend a hand.

Cordially,
Abra

Here's the dds:
DDS (Ver_10-12-12.02) - NTFSx86
Run by [ABRA] at 14:00:42.92 on Fri 01/14/2011
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.760.455 [GMT -6:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS...

A:Google Redirects, Computer Restart During Gmer Scan, Possible SDSS Rootkit Infection?

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

A:It says Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forums have been busy.
*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
*You must reply within 5 days otherwise this topic will be closed.

1. We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

2. We need to check for rootkits with RootRepeal

Download RootRepeal from the following ...


Below are Bazooka scanner, dds and gmer scan results. Exe files are not working properly. Any executable I open immediately asks for a file to open the program. I can run some programs by browsing for the executable again but does not work for everything. Some programs won't work or install. Here is my latest scan results using bazooka / dds / and gmer.

BAZOOKA SCAN

Result when scanning:

SystemDir.explorer 545.505.000 %SystemDir%\explorer.exe
C:\Windows\system32\\explorer.exe
http://www.kephyr.com/spywarescanner/library/systemdir.explorer/index.phtml

SystemDir.regedit 544.500.000 %SystemDir%\regedit.exe
C:\Windows\system32\\regedit.exe
http://www.kephyr.com/spywarescanner/library/systemdir.regedit/index.phtml

DDS SCAN

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Ex...

A:Virus - Bazooka Scan / DDS scan / GMER scan - %#^#%^#


Sorry for delayed response. Forums have been really busy. If you still need help with this post fresh dds logs, please.


The Intel Driver & Support Assistant said that it had an update: Intel® Graphics Driver for Windows* [15.40]. When I did a scan with the Lenovo Companion app, it said there were no updates available. Why the difference of opinion between the two apps?


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:27:50 AM, on 19/08/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files\Motorola\Bluetooth\btplayerctrl.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSour...ctid=CT2645238
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/4
...

Good afternoon,

I have been experiencing really low internet speeds on my computer. I have run many tools such as HiJack this, ComboFix, AVG (Including rootkit) and Malwarebytes. Several of these tools found things here and there which seemed to have been removed.

I have set my computer up to dual boot WIN XP/WIN 7. I only experience the low speeds while using Win 7 which seems to make me think that something is taking the majority of my bandwidth usage.

Could anyone take a look at my logs and see if there is anything going on before I decide to reinstall the OS?

P.S I have also included my HijackThis log file.

Thanks in advance!

A:DDS scan and GMER scan log files.

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

This process looks suspicious.
C:\Users\James\Desktop\Security Tools\mb9soxkz.exe
Do you know what it is?

Did you install this driver or do you know which application needs it?
R1 enport;enport;c:\windows\system32\drivers\enport.sys
It may be valid but I cannot find sufficient information on it.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt

Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleeping...


When I run a virus scan using AVG I get the message C:\windows\system32\drivers\etc\hosts change result: changed. I have attached Kaspersky and DSS scan results. Do I have something to worry about? Besides AVG I have SpyBot which I update and run every couple of days. Thanks in advance for your help.

A:Avg Scan Result

Hello Stalagmite

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, download and install Hijackthis by Trendmicro and post a log, copy and paste it into the thread by using the Add Reply button, please do not attach it. I am looking at a possible trojan on your system.

Download Trendmicros Hijackthis to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



Can anyone tell me if this file is harmful, it was picked up while scanning with AVG software, status read at the top of the it said it had been changed, this is the file:


Is this what's called a kernel? This is not in my virus vault but keeps coming up on the scan each time.


A:AVG scan result

See post #4 in this thread: http://forums.techguy.org/security/554221-solved-avg-finds-ntoskrnl-exe.html


Hey guys,
I posted this originally on May 2nd and have never gotten a response. If I don't have anything to be concerned about, please, just let me know. I have always gotten very good assistance with my troubles and questions before. Maybe I just posted my question in the wrong place.

Question about scan
I am not really having a problem but I am curious about the results of a scan by AVG Free. When my scan is complete, I get the results shown in Attach. #1. I click on "remove all unhealed infections and I get the results shown in Attach. #2. Also enclosed is the results from my HiJackThis scan. Thanks for the help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:31 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\A...

Hiya All

Happy Easter.

I ran Malwarebytes yesterday as PC not right. Results of 15 objects found. Can someone please explain them or advise further?

Malwarebytes' Anti-Malware 1.36
Database version: 1966
Windows 5.1.2600 Service Pack 3

11/04/2009 20:23:50
mbam-log-2009-04-11 (20-23-50).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 130528
Time elapsed: 1 hour(s), 17 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

A:Malwarebytes scan result


We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.


Please follow our pre-posting process outlined here:


After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please start a new thread in our Virus/Trojan/Spyware forum along with the required logs


I have been having some problems as of late with my internet connection... various sites not being found, timeouts, cannot find server etc....

I called my EARTHLINK TECH support... and they suggested I make some changes in my dial-up networking, etc... and suggested I do a HIJACK-THIS scan.

I did the scan... and here are the results. I was wondering if anyone would look at the results and maybe make some recommendations.....

Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 2:14:06 AM, on 1/18/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = DAVIDS' INTERNET BROWSER
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Ma...

A:Can someone help me with this HIJACK THIS scan result.


I found following items with earthlink protection virus scanner.
Winmovieplugin homepage hijacker, dialer
Coolwebsearch bho, adware
Pornmagpass adware, homepage hijacker, Trojan M
Elitemediapopup adware, driveby download
Transponder.bloger adware bho
Searchsquire adware, searchpage hijacker
spywareQuake thiefware
SafetyBar adware,Bho

I deleted the items but I cannot update avg spyscanner, but can still scan with it. Should I take any other steps to ensure that my system has really gotten rid of these things. Thanks in advance.

A:I got following in one virus scan result

G'Day hes4l,


Should I take any other steps to ensure that my system has really gotten rid of these things.

Yes indeed there are!

Go to the link "The 5 Steps", in my signature; read the instructions carefully; then, post a HJT Log in the HJT Forum, where one of the trained analysts will help you 'clean' your machine.

Now once you have posted your HJT log, there are two things you need to do....

Firstly, subscribe to your posting, so that you can receive instant email notification about any replies.

The other thing is; please be patient with receiving your first reply, as the HJT analysts are usually very busy.
So, I recommend if after say, 48 hours, you have not received any response to your request, go back into your thread, and type in "bump"; this will bring your post back to the front page, and to the attention of an available analyst.

Good luck with it!

If you have any other queries/concerns, feel free to post back.


Thought I may have got an infection (sonar.heuristic.130).  So I ran numerous scans.  
Norton Internet Security A/V, Norton Power Eraser, MS Safety Scanner, ESET Online Scanner, Super-Antispyware, Malwarebytes, ADW, TDS Killer, and R Kill.
All my scans ok, less the ADW find.  Wasn't sure to delete the registry key, so I didn't.  I took a screen shot of LAN settings but couldn't figure how to attach, if I was supposed to.
The result of ADW scan:
# AdwCleaner v4.110 - Logfile created 16/02/2015 at 01:37:05
# Updated 05/02/2015 by Xplode
# Database : 2015-02-14.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Fred - ATHEIST
# Running from : C:\Users\Fred\Downloads\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:8080
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17631
AdwCleaner[R0].txt - [679 bytes] - [16/02/2015 01:37:05]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [737 bytes] ##########
Screen I tried to attach
Internet Options/Connections/LAN Settings
   Automatic configuration heading........only Automatically detect settings is checked
   Proxy server heading..........................box is un...

Anyone know what this result means?

My windows processes are running really slow and was wondering if this is causing the problem.

A:AVG Virus Scan Result Help

Hi and welcome to TSG.
It should only concern you if it says it was infected.
Quote from Avg help forum.
"It is normal that AVG shows that files, the MBR or Boot record to have changed.
These are done during normal maintenance, when you or windows updates files or have had to correct errors on the drive.
The only time that you should worry is if they also show as infected."

Check link below for suggestions on Pc Maintenance.
List includes..
Scan For Viruses.
Scan for Spyware.
Microsoft updates.
Disk Cleanup.
Check Hard Drive for Errors.
Defragment Your Hard Drive.
Registry Cleanup is in their list but
Cleaning the registry may cause you more problem than you started with..
so it would be best to skip that one.


Any Malware experts out there to take a look at these results and let me know what to do next ????

Refers to my earlier thread this morning about desktop startup errors.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:35, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~4\...

A:DLL Error HJT Scan result

This is a duplicate post.
Original thread and HJT log are here
AND has been moved to the MalWare forum,


Windows RegData Malware HKEY_Classes_Root:refi Possi This is what I get as malware. What is it. Adaware won't remove it and Spybot doesn't recognize it as a problem. Please help.

A:Adaware scan result



Hello everyone, I have no clue how to distinguish virus from essential files???

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:26:54 AM, on 22/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_5742z&r=27361110x915l04g4z155v47j2134s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_5742z&r=27361110x915l04g4z155v47j2134s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_5742z&r=27361110x915l04g4z155v47j2134s
R1 - HKLM\Software\Microsoft...

A:Need help with "hijack this" scan result PLEASE!!!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the ...


I have Windows XP and an AdAware scan hit on this as malware [Windows Reg Data Malware HKEY -Classes-Root:regfi Possi]. Can anyone tell me what this is? AdAware can't seem to do anything with it and SpyBot doesn't recognize it. Please help.

A:AdAware scan Result

This could possibly be a sign of a possible browser hijack attempt. If ad-aware has found it, remove it. Download, update and run spybot, post your log and I'm sure someone will be along to help you with any problem soon. Nothing to worry about though, I have had lots of possible hijack attempts.


Hi guys,

I just finished running a scan with spybot search & destroy and it came back with the following result (attached a pic). The problem is that I have heard the name before coolwwwsearch which is what was picked up and I thought it must be bad but just to be sure I checked the particular files in my registry. The files all belong to a program I just recently installed called Zero popup pro which as you can guess from the name is a popup blocker. I'm not sure what to do now and was hoping someone can advise whether to ignore what spybot has found or could that popup blocker program be some type of spyware?

A:Spybot scan result


GMER - http://www.gmer.net
Rootkit scan 2008-06-24 17:00:45
Windows 5.1.2600 Service Pack 3

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxExA 7E45085C 5 Bytes ...


How long should the GMER scan take?

I am going to post on my browser being hijacked etc. and have done the other two scans (hijackthis, dds) but when I went to do the GMER scan it took literally hours and hours and hours.

I am wondering if I did it right (more than a raw beginner, but not understanding most of this). After clicking "No" to the first GMER full scan request I ended up with a list of places to be scanned on the right. I made sure only "C" was checked, and that IAT/EAT was NOT checked.

And many hours later it was done with some end messages saying there were some things it could not do. But I could not copy the results because after hours and hours on my computer sometimes loses the ability to do certain things. (I had it unplugged from my DSL line to try to keep anything else from sneaking in while it was working.)

Could I have done something wrong?

I will try it again today, but my computer also checks out periodically so I have to fiddle with it to get back to the screen to see how the scan is progressing.

Your help is appreciated.

Anyway we sue the guys who do this? This browser hijacking thing gets by the security I have on two computers and this is the third time. (I had them in the shop for it previously.)


Hiya I have some problems and I was working through the new instructions page trying to get the log and stuff and have tried to scan with dmer and every time it scans for about 3 secs and then my laptop restarts. What do I do to try and stop this happening and what does it mean for my laptop :S


Oh and here is the dds scan thing..

DDS (Ver_10-03-17.01) - NTFSx86
Run by Goldfish1000 at 18:45:49.40 on 01/10/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1006 [GMT 1:00]

============== Running Processes ===============

C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Progra...

A:GMER won't scan

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.




Please note that tools are best Run from the Desktop. Save to the Desktop and then Run from the Desktop.

Easier to find and perform specialized functions which may be required. Thanks.


It appears you didn't attach the second dds log, Attach.txt, to your initial post. I need to see it in order to help you.

------------------------------------------------------
Please download Rootkit Unhooker and save it to your desktop.
Right-click RKUnhookerLE.exe and choose 'Run as administrator'.
Click the Report tab, then click Scan
Check Drivers and Stealth Code, Files, and Code Hooks
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished then go File > Save Report
Save the report somewhere you can find it. Click Close then Yes
Copy the entire contents of the report and paste it in your next...

This is the first time I have used your website - it comes highly recommended to me. I have tried to follow your Guide for Malware Removal but each time I get to the step of completing a GMER scan it stops before I can save it to file labeled ark.txt. I have run the scan 3 times - each time taking several hours to run the scan - but then it restarts the computer before I can save it. I had run a malware program prior to trying your site and it told me I had 2 Trojan Agents.

1. C:\WINDOWS\cpnprt2.cid
2. C:\WINDOWS/system32\cpnprt2.cid

I was reluctant to allow the first malware program to delete these files because they looked important to me. Someone suggested I contact you and you would be able to help me.

Thank you
Ginny

A:GMER scan

Hello,

Don't worry about the GMER log for now. Please post the DDS logs as a reply. I will then merge them into your initial post and remove my reply so your topic doesn't get lost.

Orange Blossom


this is my first putting this on here. sorry if i get it wrong


i have not access to a windows install disc or a boot CD

A:i did a GMER scan

Hello pezzer,

I appreciate the gmer log, but I also need the logs produced by dds.scr. Please run that tool again and post the dds.txt, and attach the Attach.txt it produces.

Would you also please provide a description of the problems you are having?


My computer is really messed up right now - it's running slow and freezing and I ran this scan but I don't know what any of it means -
Thank you!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:17:17 PM, on 9/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17099)
Boot mode: Normal

Running processes:
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\...

A:Can someone analyze this hijackthis scan result for me?

According to your HiJackThis log, your computer is infected.

I'm not authorized to assist you in this section without the approval of a Moderator or gold shield member, so you need to wait until one replies.

You also need to read here.



I have the following output from a ComboFix scan and need help with interpreting the results. I recently purchased this machine used and do not know much history on it. Thanks for any help.

((((((((((((((((((((((((((((( [email protected]_06.29.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-23 06:30 . 2009-05-23 06:30 16384 c:\windows\Temp\Perflib_Perfdata_3a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-17 1947928]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-7-26 552960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c: ...

A: ComboFix Scan Result Interpretation

ComboFix logs should not be posted outside the HijackThis forums, and then ONLY WHEN REQUESTED. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is thru s/he leaves the room. So combofix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and ...


Hi everybody, I performed a hardware scan and got this result code: WHD400000-UN7YZE What does it mean and what should I do? Thank you


Installed Emsi AM & did a quick scan.
It found few threats & to me it all seems FPs.
Like it mention disabletaskmanager but taskmanager opens fine. Disablecmd but cmd opens fine too. Disable registry tools but regedit opens fine too.
What I could make out of the detection have mentioned.
Attached is the screenshot

Value: HKEY_USERS\S-1-5-21-191019590-2606562261-3006609305-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)

A: Emsisoft Antimalware Scan Result

Search Emsi support forum. Fabian Wosar discusses this in some threads. If I recall correctly he stated that there are cases where legitimate\safe security or other softs will create the above keys.

Since you have been installing various security softs maybe they are just left over - and are very unlikely an indication of any kind of serious infection...


Hi there!

I just recently got my system put back together and I have been slowly running a few online scans to make sure everything was clean while I was downloading security updates over this last weekend.

I ran one recommended to me called BitDefender last night, and it came up absolutely clean. I also ran another earlier called ewido, which also came up clean, other than a few tracking cookies which were no problem getting rid of.

I just ran Panda's free online scan and it brought up something...

C:/Windows/system32/Tools/Restart.exe It says that file is "Potentially Unwanted Tool"

I did a search on these forums and found somebody else had this file come up in a Panda scan, so I followed one of the instructions listed, and uploaded it to a site to run several scans. Here are those results:
File: Restart.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 eb1b125ee5d2022cbf5e2f7226f47638
Packers detected: -
Scanner results
AntiVir Found SecurityPrivacyRisk/Destart.A riskware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found...

A: Panda Scan Result.. Restart.exe


I recently loaded my OS via recovery disc. I downloaded Avast free version. All seemed OK until I looked at the scan log for this scan, and it has 15 files that could not be scanned, explaining it with the message after each one: Error: Archive is password Protect... Nothing should be password protected on the machine yet, as I haven't set any.
The path indicated is the same except for the ending;
C: User\user2\...|>download.js

Is the usual procedure of HijackThis necessary here, or can someone explain this?


A: Solved: Avast scan result is odd


Every time I run a Malwarebytes scan I get the same result, as per the attached screenshot.

Can anyone advise me (1) if there is a problem, and (2) how to get rid of the offending result permanently?
(I have blanked the XXXXXX part of the result - it is just my PC user name)

A: MalwareBytes: Same result every time I run the scan

See this:
Remove PUP.Optional.DownloadSponsor.A (Removal Guide)


Is this Ok now?

Logfile of HijackThis v1.99.1
Scan saved at 6:56:47 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Pro...

A: Hijack log and Ewido scan result

Hi and welcome.

You need to reply back to this thread instead of creating a new one. I'd merge, but the site appears to be having problems right now.



I have just run a Malwarebytes (free version) scan, and get one potential problem as per the image below.

It refers to a tool I downloaded & used to display the Windows key for my Win 8.1 installation

Is this tool a potential security threat?

A: Malwarebytes scan & result ... what action to take?

If it is this one:
ProduKey - Recover lost product key (CD-Key) of Windows/MS-Office/SQL Server

don't worry. Nirsoft produces some of the best small Windows utilities around. The developer has an excellent reputation. I have used many of them for years without issues.
