Need Help! Malware Win32.agent.lf, Win32.zlob.cpx. Infected From Videocodec Installation

Q: Need Help! Malware Win32.agent.lf, Win32.zlob.cpx. Infected From Videocodec Installation

Hi, I got malware from a videocodec installation. Here are the symptoms:

1. I have been receiving Internet Explorer pop-ups to the sites "yourprivacyguard.com" and "pcsecuresystem.com".
2. Also, Kaspersky detected that my computer has been trying to download something from "http://www.thenetworkcom.com/get-last-update.php?sid=502&aid=610&said=0&pn=5&config=cb" (from the report, about 4-8 times every minute).
3. There are fake Windows security alert pop-ups saying something about my computer being infected with malware and that I need to download a program to clean it.
4. My desktop wallpaper changes to some form of a warning sign against a red backdrop (which can be closed when I mouse over the top right-hand corner and click on the 'x', after which my wallpaper reappears).
5. 3 web shortcuts appear on my desktop labeled Error Cleaner, Privacy Protector, and Spyware &Protection, which reappear every time after a restart.
6. There is a new Internet Explorer toolbar: The nssfrch
7. The process "explorer.exe" consumes almost 100 percent of CPU and this slows down my computer significantly.

I used Kaspersky Internet Security 7 (my anti-virus software), Ad-Aware 2007 and Search and Destroy (as suggested by this site) to detect and fix these problems. These fix almost all problems (problems number 1, 3, 4, 5, 7). However, problem number 2 is not fixed, as Kaspersky still keeps reporting that there are contacts between my computer and the site "http://www.thenetworkcom.com/get-last-update.php?sid=502&aid=610&said=0&pn=5&config=cb" almost every 10 seconds.

I would be very grateful if you can help me solve the problem.
Thanks!!

Here is my HijackThis log:

A: Need Help! Malware Win32.agent.lf, Win32.zlob.cpx. Infected From Videocodec Installation

Welcome to the BleepingComputer HijackThis Logs and Analysis forum nunueng. My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

If you have previously downloaded ComboFix, please delete that version now.

Now download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop.

Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

*NOTE* In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.


I believe I was infected last night when a website somehow redirected me to liteautogreatest{dot}cn.

I'm running XP Home SP3 and the ZoneAlarm Internet Security Suite (just updated earlier today).

ZoneAlarm continually finds a couple of problems and hibernates them but they do not go completely away after a reboot.

The ZoneAlarm active monitor scan shows the following...

Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNB.tmp on 4/20/2009 13:29:22
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNA.tmp on 4/20/2009 13:23:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN9.tmp on 4/20/2009 13:17:40
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN8.tmp on 4/20/2009 13:14:30
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN7.tmp on 4/20/2009 13:07:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN6.tmp on 4/20/2009 13:02:40
Rootkit.Win32.Agent.ikz was found in C:\WINDOWS\system32\drivers\systemntmi.sys on 4/20/2009 12:57:48
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\T...

A: Infected with Rootkit.Win32.Agent.ikz, Trojan-Dropper.Win32.Agent.amzh, Trojans? Malware?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Then download and install SUPERAntiSpyware Free

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
* In the Main Menu, click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  * Close browsers before scanning.
  * Scan for tracking cookies.
  * Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.
* Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, re...


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 94300
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:45:29

File name    Threat name    Threats count
C:\Documents and Settings\All Users\Application Data\FreeApp.exe    Infected: Trojan.Win32.Agent.arng    1
C:\Qoobox\Quarantine\C\Program Files\tinyproxy\tinyproxy.exe.vir    Infected: Trojan-Proxy.Win32.Agent.bcw    1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe    Infected: IRC-Worm.Win32.Small.x    1
C:\WINDOWS\bolivar24.exe    Infected: Backdoor.Win32.Agent.ubx    1

The selected area was scanned.

----------

Logfile of random's system information tool 1.04 (written by random/random...

A: Infected: Trojan.Win32.Agent.arng, Trojan-Proxy.Win32.Agent.bcw, IRC-Worm.Win32.Small.x, Backdoor.Win32.Agent.ubx

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

* Download DDS by sUBs from one of the following links. Save it to your desktop.
  * DDS.com
  * DDS.scr
  * DDS.pif
* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any scr...


Hi,

Please help me in getting rid of the pop ups which keep coming up.

trojan downloader win32 agent bq
trojan clicker win32 tiny h
trojan spy win32 key logger.aa
trojan spy win32 green screen
trojan spy html bankfraud.dq

HijackThis log file.

A: Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.


My Avast antivirus recently started detecting a whole host of viruses. I ran a thorough scan of all files and deleted every infected file until the scanner turned up a hit in the operating memory. It then suggested I run a boot sector scan - I did so. Upon rebooting Avast started detecting more viruses. This time I rebooted into Safe Mode and ran the scanner there, deleting everything I found. Apparently one of the files I deleted was important, because after that my computer Blue-Screened during boot-up and I had to do a system restore to a save point from a few days ago (before the virus was contracted). Since then the virus has continued to crop up, and I haven't the foggiest notion of how to get rid of it.

The title is a list of the virus descriptions that my Avast scanner gave me. I ran all the programs the walkthrough on this site instructed me to, but the RootRepeal program crashed and generated an error message and crash report, both attached (error message in .png image format - I took a screenshot of it).

Thanks for your help!

__________________________________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by Bryan at 18:56:06.09 on Wed 12/02/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1546 [GMT -5:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32&...

A:Infected with js: downloader-FT Win32:Banload-GLR Win32:Malware-gen Win32:Refpron-AW Win32:Rootkit-gen Win32:VB-NWC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Cleaning up my sister's computer (Vista), I ran Spybot Search & Destroy and along with the usual cookies, it said it found Win32.Agent.ieu, Zlob.Downloader.rid, and Win32.FraudLoad. After 'fixing' these, I checked and saw that Windows Firewall was disabled. When I tried to restore the defaults, it wouldn't work. Of course this may be unrelated. I restarted and ran another Spybot scan, and found Win32.Agent.ieu and Zlob.Downloader.rid again, and removed them again. This time when I tried to re-enable the Windows Firewall defaults, it worked. About the same time I was doing this, my sister discovered someone had hijacked their PayPal account and made a large purchase... this may also be unrelated, but I suppose it's possible the malware snagged their login info. At this point I decided it was time to call in the cavalry to make sure this malware was completely gone. I couldn't get GMER to run. After starting the scan, I got a blue screen / restart twice in a row. Your help in clearing this off is appreciated!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris & Kait at 12:57:21.69 on Fri 04/30/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1022.176 [GMT -5:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ====...

A:Triple infection: Win32.Agent.ieu, Zlob.Downloader.rid, and Win32.FraudLoad

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


I did my best to follow the pre-posting instructions and there's still the same issues as before. Please help me fix this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:00 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\fpsuqsiw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svch...

A:Win32.trojan.agent, Win32.trojandownloader.zlob, Pe_trats.a

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy. If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere then please let us know. If you still require help, please post a new Hijackthis log into this topic in your next reply. Also post a detailed description of the issues you're experiencing.

*Note* Post all reports/logs directly into this topic, not as attachments, thanks.


a friend of mine isn't that computer oriented and was on my computer and clicked on everything that popped up pretty much. ever since then my homepage has been coming up as blank and have been getting a little bubble at the bottom of my screen saying that I have spyware on my pc along with a numerous amount of pop ups (which I never got before, at all) and I did the scans described in my description and still no luck removing them. never had this kind of problem before at least of this I'm a very big noob when it comes to this so bear with me thanks in advance for any tips or ideas!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:49:22 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system3...

A:Infected With Trojan.win32.startpage.adh, Trojandownloader.win32.zlob.ci, Trojandownloader.win32.zlob.mo, Spywarequake 2.0, Sea...

Hello Gnome86,

Welcome to BC. I am sorry to be the bearer of bad news, but you have several infections, the most important of which is a worm, SDBOT.BWV, with backdoor and keylogging capabilities, evidenced by these entries:

O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [System Kernal Support] system.exe

I would recommend you to disconnect this PC from the Internet immediately. If this computer is used for any sensitive transaction like banking or other financial transactions or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would also be wise to contact those same institutions to alert them to the possibility of identity theft. Though it is identified and can be killed, because of its backdoor functionality, it is very likely that your computer is compromised and there is no way to be sure that it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Here are some informative links to help you decide:
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Securi...


Spybot Search & Destroy found win32.agent.sd, win32.tdss.rtk, and zlob.downloader.bit. I removed them successfully, yet my computer is still running incredibly sluggish. When I go to Control Panel>Security Center>Virus Protection, it says VirusRescue3.0 is up to date. I have no idea what Virus Rescue is. Also, when I go to My Computer>C: it gives me the following error message: "windows cannot find resycled\boot.com. Make sure you typed the name correctly and try again. To search for a file, click the Start button, then click Search."

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:07 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jr...

A:win32.agent.sd, win32.tdss.rtk, zlob.downloader.bit


I have an F-Secure internet security software suite on this computer, and it is up-to-date and functioning. I also have MalwareBytes (free) installed and have been running it regularly, and I use the ESET Online Scanner as well. The OS is Windows XP, and it is up-to-date.

About three weeks ago I cleaned around three trojans from this computer using MBAM and the online scanner. A few days ago, Adware.Win32.WebHancer.x was found by F-Secure, and is currently quarantined. Today, several instances of the two Trojan-Spy programs were found and quarantined by F-Secure; they infect system files and system restore files. I already looked up information on cleaning the system restore files by stopping and restarting system restore (and scanning in between). I deleted the quarantined files.

All of the Spy-Trojans found are infecting in C:\hp\recovery\wizard\fscommand\. The file names are:

AppRecoveryLink_ret.exe
CDLogic_ret.exe
CreatorLink_ret.exe
RestoreLink_ret.exe
RTCDLink_ret.exe
RunLink_ret.exe
SysRecoveryLink_ret.exe
WizardLink_ret.exe

The Adware infected a .dll file, and I was advised not to delete it.

CDLogic_ret.exe is Agent.bdzz; the rest are Agent.beaf

I have run my antivirus, MBAM, and the online scanner again and they picked up nothing. Also, the Adware and Trojan-Spys were all found during MBAM scans, but F-Secure picked them up.

I have attached a HiJackThis log and a DDS log; GMER froze my computer partway through the scan when I used it. I have ran a...

A:Infected with Trojan-Spy.Win32.Agent.bdzz, Trojan-Spy.Win32.Agent.beaf, and Adware.Win32.WebHancer.x

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Hi, here is my problem. Every time I download some movies or other things by opening my computer overnight, it must pop out an error window said:-

C:\Documents and setting\KkianN\Desktop is not accessible.
Not enough quota is available to process this command.

The icons only left on my screen were My computer, my network places and Internet explorer. When I refresh my computer, it came out the same message again. (this problem was occurred when I opened my computer overnight by using Thunder5 this software to download things)

When I tried to shut down, a message said You do not have permission to shut down this computer.

When I tried to use windows task manager to shut down, once I click Ctrl+Alt+Del, an application error message came out said:-

This application failed to initialize properly(0xc000012d). Click on OK to terminate the application.

Then I just can reset my computer.

Actually I have posted in BleepingComputer.com > Security > Am I infected? What do I do? there. Then I followed the instruction in "Preparation Guide For Use Before Posting A Hijackthis Log". Unfortunately, I can't finish all the steps there. For step 4, I can't remove win32.generic.pws, win32.trojan.psw.delf and Win32.trojan.pws.onlinegames by using Ad-aware 2007. While scanning by using spybot, it stuck while scanning. After that suddenly pop out a window said:-

Spybot-Search and destroy has detected an important registry entry that has been changed. Category: System Startup global entr...

A:Infected With Dropper.agent,logger.pcap.a,win32.generic.pws,win32.trojan.psw.delf And Win32.trojan.pws.onlinegames

Hello, I had reformatted my computer since it could not open and stuck in the welcome window few days ago. So, now my computer is alright..thanks for viewing and trying to help me to fix the problem.


PLEASE NOTE: This is a DIFFERENT computer than the one I am currently working on with Agent ST

Because I was paranoid about this one, I ran an ESET Online scan to check my computer and it reported at several different trojans:

Win32/Toolbar.Zugo
2 variants of Win32/InstallCore.D
JS/Agent.NDJ
Win32/TrojanDownloader.Tracur.F
Java/Agent.DU
and probably a few more.

I am not sure exactly how many because I inadvertently closed Internet Explorer before the scan completed.

I did not set ESET to remove anything that was found, I was just scanning.

So, here I am, needing help for yet another computer in my house.

It seems to be running fine but since this is the one I use for working at home, communicating with clients, online banking, etc. I need to be sure it's clean.

I am a web developer so I am very familiar with Windows, etc. However, virus removal is not my expertise so I need to ask for help.

Here is the contents of the DDS.log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.0
Run by Dona at 15:35:19 on 2012-02-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2232 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k nets...

A:Need help with trojans..Win32/Toolbar.Zugo, Win32/InstallCore.D, JS/Agent.NDJ, Win32/TrojanDownloader.Tracur, Java/Agent.DU and...

Hi Dona!

Peek a boo! Guess who?

Can you try and zip up the GMER log file for me to review?

---------------------

Can you see if ESET Online Scanner dropped a log file in this location?
Browse to this location: C:\Program Files\ESET\ESET Online Scanner\
It should be named: log.txt if it was saved. If it is, please post that for me.

---------------------

You seem to have 2 versions of Skype installed. One of them seems to be a bit outdated. Let's remove that one now.
You can go to the Control Panel and click on Add/Remove Programs and remove this one: Skype™ 4.1

---------------------

Your version of Firefox is also outdated by two versions. Open up Firefox and go to the Help menu click on About Firefox. It should check for updates, and download the updates that are required. Once it's completed downloading the update it'll present you with a button that says Apply Update. Please click on that. It will close Firefox and then apply the update to your computer.

---------------------

Please run these scans for me as well:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, Select the Scanner tab.
Select Perform quick scan, then click on Scan
Leave the default options as it is and click on Start Scan
When done, you will be pro...


I have already scanned and fixed my notebook for spywares using ad aware se and sbc yahoo! anti-spy. But I still got pop ups and system alerts saying that I have spywares on my computer and my internet explorer browser is still internet security. And every time I run sbc yahoo! anti-spy, I always get the same spywares and when I click on remove all, it is removed but when I run it again, the scan results is the same. Please help me. Attached is the copy of the log created using HijackThis. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 12:02:06 AM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files ...

A:Infected With Trojandownloader.win32.zlob.ci And Trojan.win32.startpage.adh And Spywarequake 2.0

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/pa...


Hi,

Below is the log of the HijackThis which I ran as per the instructions on your website. I am currently running spydoctor which finds the infected files and apparently fixes them, but then they return almost immediately. I run ZoneAlarm firewall and AVG antivirus along with aol, if that helps

Please help as this is driving me mad

Logfile of HijackThis v1.99.1
Scan saved at 20:16:06, on 04/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/2/hi/uk_news/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpEC05.tmp (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files...

A:Infected With Trojandownloader.win32.zlob.ci & Trojan.win32.startpage.adh

Hello,

Your previous log is not complete... I am missing the running processes part, so make sure you are running HijackThis from a permanent folder and not from a temp folder.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. It is also important you don't miss a step and perform everything in the right order!!

* Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop. Don't use it yet.

* Reboot into Safe Mode: (without networking support!)
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpEC05.tmp (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files...


http://news.yahoo.com/s/ap/20071028/ap_on_...nTACiuYsr_q188F

After reading the story about the Pa bigfoot, Found out it is a HOAX!!! Rick Jacobs is using his blogspot to send out trojan horse and malware! I saw this story on yahoo.com and I was curious to see the pictures to see if they were real or fake...so I did a google search on Rick Jacobs and this was what I found. When I went to this site it said to install Active X to view video of said Bigfoot, after it installed I got quite a shock!!! Pornography! Thankfully my children weren't watching! I am appalled that there wasn't anyone that did research before reporting this story! I have Avast antivirus software and I am getting warnings (pop-ups) that Adware was found. Win32:Agent-LTS[Trj] Malware type Trojan Horse and Win32.Adware-gen [Adw] Malware. Do you know how difficult this will be to remove from my computer!?? ughhhh They need to prosecute this man for this!

To see the link **Warning Proceed with Caution!!** will contain Adult content!
http://rick-jacobs-bigfoot-photo-pictures.blogspot.com/

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:10 AM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\...

A:Win32:agent-lts[trj] Malware Type Trojan Horse And Win32.adware-gen [adw] Malware

Hello,

I see the tool we use for this infection doesn't remove below variants yet, so do next please..

* Please download the OTMoveIt by OldTimer. Save it to your desktop. Please double-click OTMoveIt.exe to run it. Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

C:\WINDOWS\advreprwd.dll
C:\WINDOWS\sdrmod.dll
C:\WINDOWS\hupsrv.dll
C:\WINDOWS\msmhost.dll

Then click the red Moveit! button below.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.. Then it will reboot your computer.
Even though OTMoveIT didn't ask to reboot your computer - reboot anyway, this since moved files may still be in use.

Then, after reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: MSVPS System - {7A22D62B-562F-4D55-8B1E-3AAA6C2BA688} - C:\WINDOWS\advreprwd.dll
O3 - Toolbar: The sdrmod - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - C:\WINDOWS\sdrmod.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Button Bar] C:\Documents and Settings\Kim Robinson\Local Settings\Temporary Internet Files...


Community,

I am having SERIOUS problems removing a virus. It infected my computer through a website - //www.pcsecuresystem.com -- please look out for it!

I need help fixing this problem, please. No matter how many times I try to run AdAware or Spybot, the Vundo virus keeps returning upon startup (my McAfee keeps telling me this) and AdAware locates the Zlob downloader, but doesn't delete it when I click "Remove".

Again, I have run AdAware 2007, several times, but it seems to not be able to delete the malware. When it shows me the problem, Adware give this information:

===================================================
WIN32/Trojandownloader.Zlob
Registry Entry: HKCR Path: clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}
Registry Entry: HKCR Path: clsid\{a95b2816-1d73-4561-a202-68c0de02353a}
Registry Entry: Root: HKLM Path: software\microsoft\windows\currentversion\explorer\browser helper objects\{a95b2816-1d73-4561-a202-68c0de02353a}
File name: File: c:\System Volume Information\tracking.log.
===================================================

Also, I am posting my Hijackthis Log, as follows:

===================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:27 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon...

A:Infected With Win32.trojandownloader.zlob, Zundo, And Unknown Malware

Welcome to the BleepingComputer HijackThis Logs and Analysis forum morehouse96

My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.

1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

If you have previously downloaded ComboFix, please delete that version now.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the gu...


According to AVG I'm infected with Clicker.AAFT which appears as c:\windows\fonts\services.exe. Task Manager always has at least 2 of these additional services.exe running.

I used to have Norton antivirus running but the virus broke it and I couldn't re-install it. I bought the Kaspersky Labs virus scanner but that too would not install. It looks like this virus has changed the "rights" of some objects. The only virus scanner that would install and work was AVG.

I tried to re-install service pack 3 thinking it would possibly overwrite some of the virus infected files but I got an "access denied" when I tried to start installing... ARRRRRRRGGGGHHHH!!!!

Any help would be much appreciated!

/Blair

Here's my DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Blair at 15:18:10.15 on 2009-07-11
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2127 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\sv...

A:Infected with Clicker.AAFT Win32.Delf.rtk Win32.Agent.atta

I just noticed that I'm also infected with Virtumonde in
C:\WINDOWS\system32\sopidkc.exe

/Blair

Hello!

I have trouble with my computer. I found this forum online and now I hope that you can help me. I suspected that I had a virus so I installed an anti-virus program. It found files with the names virus.win32.sality.k and trojan-proxy.win32.agent.II on my computer. After disinfecting those files I always got an error message when I turned the computer on. It kept telling me: file vmmdiag32.exe cannot be found. Then I found this forum and saw that other people had the same problem and that this is still a consequence of the virus. I don't know how to get rid of it.

Then I found your preparation guide for use before posting a hijackthis log, and checked my computer with the programs you advised. Now that error message has disappeared, but I have the impression that my computer doesn't work properly anymore. It's getting slower and the anti-virus program always finds new infected files. Sometimes when I turn the computer on it gets stuck while it is booting up and I have to press F1 to continue.

Now there's a problem with the audio too - I don't know if it is also a result of the virus. It tells me: bad directsound driver. please install proper drivers or select another device in configuration. error code: 88780078. and the only sound the computer makes is a terrible peep sound.

I have never had a virus before (I didn't have internet on my computer), so I'm a little bit helpless and I would really appreciate it if you could help me.

I also did the Hijackthis. here is the res...

A:Infected With: Virus.win32.sality.k; Trojan-proxy.win32.agent.ii

Hi schag1,

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience.

Hi!

Please help. Along with the above virus? names I have an icon down in the bottom right corner that flashes from a yellow X to a yellow ? with a message telling me I have a Critical System error and to go to that site and download software....

I have AVAST and ran a full scan and did come up with several files with virus/trojan names; these files went into the Virus Chest. I deleted the Temp ones but decided not to delete anything else until I know what is going on. I have since ran the Clean Up through Avast and rescanned twice. Did not show any new stuff although there were 6 files that it was not able to scan. It appears that my C drive has all the problems.

One other thing I did notice was that when I went into Device Manager there is the big yellow question mark next to something identified as optional device and below that another question mark as RAID something. Also, down below the volume game controller file? there are several things that have a big yellow exclamation marks......

Someone showed me last night the process to remove the Adware(??) and the icon and clean this up and but I was not at home so I just reviewed the info, decided that I should be able to do it and just wrote down this website address. So, now I have here but do not know where to get started.................

Thanks for your help!

A:Win32:zlob; Win32:ageng-a; Win32:adan-007; Win32:enumplus And On And On

Sorry you didn't get a reply sooner.

Here's what to do.

Follow the directions in this topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then post a new topic with your HJT log here: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Provide a brief description of your problem, and provide a title similar to the one you have here.

Please be patient, as the HJT team is very busy. Do not bump your log as the team may think that someone is already helping you. If you have not had a response in five days add a reply to this topic: http://www.bleepingcomputer.com/forums/topic14717.html and paste in the link to your HJT topic there.

Orange Blossom

I use ESET NOD32. At startup it detects the win32/Kryptik in a start-up scan and later mentions the Win32 rootkit running in memory. The scan log shows that it has detected this on each startup but it cannot delete because files are locked from removal. I have not been able to tell what file NOD is trying to find. Below is last log file post: This same message is repeated in numerous 10+ restarts in the past 24 hours.

5/19/2009 8:25:51 PM Startup scanner file \\?\globalroot\systemroot\system32\gxvxctxujtymqsiltimrpcilnqyirvmqgrlhk.dll a variant of Win32/Kryptik.PF trojan cleaned by deleting (after the next restart) - quarantined
5/19/2009 8:25:46 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean

I have run ESET in safe mode. It did not do anything to eliminate the problem. Windows Defender has apparently not done anything either. Finally, I tried windows malicious software removal, but apparently it could not do anything either.

Main problem I notice is delays in internet usage. Happens both in firefox and ie. I changed DNS settings from automatically detect to a fixed DNS setting from earthlink.net. Still same slow down in internet usage.

Appreciate any help you can give. I have tried to find bad file, but to no avail.

Thanks
===============================================

DDS (Ver_09-05-14.01) - NTFSx86
Run by Pop at 21:38:42.70 on Tue 05/19/2009
Internet Explorer: 7.0....

A:Infected with Win32/Krptik.PF and win32/Rootkit.agent.odg.trojan

It now looks like I may have been able to repair my problem. I used a somewhat, haphazard, unguided approach to removal. The final solution came from AVG Rootkit removal ( http://download.cnet.com/AVG-Anti-Rootkit-...4-10662685.html ). Here is a list of all the steps I attempted. I was worried at times I could have hurt my system, but then I would have had to reinstall the OS. But, on the other hand, some internet posts I read were saying that was the only way to repair the situation. So, desperation took hold. I found my reinstall disks, just in case I needed them and proceeded.

ATF Cleaner -- Who needs temp files anyway, especially if they might have trojans, I eliminated temp files this program would find.

CC Cleaner - used this to clean out internet cache and history.

Recycler folders - I had multiple recycler folders, one that had a rundll in it. I assumed you only have one recycle bin so you only need one of these folders. I had to reset the folder view options in explorer to see all files and folders (hidden, system, etc.) I deleted the extra recycler folders I could find.

System Restore - I turned off system restore. This would erase all the previous positions I had saved. This meant I could never go back to a prior position where my computer was running good, but I didn't know how to find out if I had virus/trojan in one of these saved files. I then immediately turned back on the system restore after the old restore files were deleted.

Windows defender...

My computer is infected with Win32.Trojan.Tdss and Win32.TrojanDownloader.Agent. I've been trying to remove them with Ad-Aware but they re-install themselves. I've downloaded numerous other malware removers but the malware seems to disrupt / won't allow them to install or work. This includes the root repeal program mentioned in the preparation guide. When I attempt to run root repeal I get the following error:

04:03:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)
04:03:06: DeviceIoControl Error! Error Code = 0x1e7
04:03:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)

The most annoying thing that is happening is when I go to google something, it will redirect me to somewhere else or will throw random pop-ups at me every now and then. Also, I tried to reformat / re-install a fresh copy of Windows Vista but it seems this piece of malware makes it impossible to boot from disk.

Thank you in advance for your assistance!

Attached below is my dds.txt log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Jeff at 3:59:19.84 on Fri 08/28/2009
Internet Explorer: 7.0.6000.16890
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.1362 [GMT 9:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\...

A:Infected With Win32.Trojan.Tdss and Win32.TrojanDownloader.Agent

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

Firefox and Mostly IE is experiencing redirects when I search through any search engine. Avast is continuously stopping malware in the Windows\Temp folder.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ricardo at 15:09:36.31 on Sun 12/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2184 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\...

A:Infected with Win32:Malware-gen, Win32:Rootkit-gen, and Win32:Spyware-gen

Please close this post. I'm reformatting and reinstalling an Acronis Image prior to the infection. Thanks anyway.

m ades, windows xp sp3
to whomever can help- i tried to remove some viruses
using info from bleeping, but am not having any luck.

i downloaded a file that i thought could help me on another
matter, but it had a virus that zone alarm's active scan did not
catch.

it was a rootkit virus. i tried tdsskiller several times as well as
malwarebytes, and thought i finally got rid of it. then another
virus popped up despite my not having connected to the internet.

another was this patch virus that kept redirecting my opera
browser. malwarebytes did not see this, but zone alarm did.
i tried to get rid of it and used tdsskiller, and thought i did.
i had to keep switching between safe mode and
normal mode to do it. i had no problems for two weeks, then
both seemed to pop up again. my guess is that i never
actually got rid of them. i tried zone alarm, malwarebytes,
and tdsskiller over and over again, with no luck. then my
ability to connect to the net went away. i gave up and restored
my hdd using the file i made just after i thought i had gotten
rid of the problems, so that though i would still have the viruses,
i would get back the net. using tdsskiller and malwarebytes
still did not work, and a new virus showed up.

i'm including the logs from zone alarm, malwarebytes, and tdsskiller.

i would really appreciate help.

first to show up. used tdsskiller, seemed to be removed, kept showing back up.

(Forged): C:\WINDOWS\system32...

A:infected with Rootkit.Win32.ZAccess.e, HiddenFile.Multi.Generic, Trojan.Win32.Patched.mf,, Backdoor.Agent.Gen) -> Value: Sh...

ps i have mbam, zone alarm,tdss,
and hijack logs, but was not sure
how to post them since the number
of text characters on this page
was limited.

Hello

My son has managed to get Trojan(s) on his laptop... Windows XP Pro SP2

I deleted temporary files, cleared cookies, turned off system restore and ran Norton, A-Squared free, SpyBot 1.6 and Ad-aware SE Personal 2008

Norton claims to have dealt with trojan.zlob and A-Squared found and cleared the trojan-dropper

Is there anything else I need to worry about please? If so please can you help me to remove it? I have reached my level of understanding and am not technical enough to understand the Hijackthis log.

Many thanks

Lin

=================

The Hijackthis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:45, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1...

A:Infected With Trojan.zlob - Trojan-dropper.win32.agent.rvv

Hi elsiegee40

Please make sure you have system restore turned on again ... actually you should NOT have turned it off, you now have NO restore points to fall back upon. despite what Norton & others may say, you should not turn restore off (purge system restore) until your computer is clean ... even an infected restore point is better than none at all.

Your hijackthis log is clean, but that doesn't mean your computer is, from experience I doubt Norton has removed all the malware ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please Download Malwarebytes' Anti-Malware from Here :-
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
or here :-
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the appl...

Athlon AMD pc Windows XP Service pack3

My F-Secure antivirus keeps warning me about malware eg koobface but can only deal with it by renaming it. Spybot and Malwarebytes have identified Win32.agent.pz, Win32.BHO.je, and virtumonde.dll (among others). I have tried turning off System Restore and have used Safe Mode but all to no avail as they keep returning.
I have downloaded Hijack this so could post a log if required.
Any help would be much appreciated. Thank you.
 

Hi! My real-time Anti-virus protection filter (Eset Nod32) has registered some virus activity for the past couple of weeks that I can't seem to get rid of:

2010-03-22 11:26:47 Real-time file system protection file I:\System Volume Information\_restore{9307B358-B690-49BE-8C17-30DE253AE1DB}\RP828\A0122539.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined NT INSTANS\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe.
2010-03-22 10:34:42 Real-time file system protection file E:\System Volume Information\_restore{9307B358-B690-49BE-8C17-30DE253AE1DB}\RP828\A0123560.exe a variant of Win32/Kryptik.W trojan cleaned by deleting - quarantined NT INSTANS\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe.
2010-03-22 10:34:36 Real-time file system protection file I:\System Volume Information\_restore{9307B358-B690-49BE-8C17-30DE253AE1DB}\RP828\A0122537.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined NT INSTANS\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe.

The files (same trojan/s but different executable names after each deletion, for ex: it varies between A0005757.exe, A0005757.inf and svchost.exe and so on) keep coming back after deletion of files in quarantine. The DDS l...

A:Infected by Win32/Agent & Win32/kryptik.W Trojan

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

Hi there

My eset Nod 32 antivirus 4 detected Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS
I tried to remove them with Kaspersky removal tool, Malwarebytes anti-malware, SPYBOT
All Failed to delete this file C:\WINDOWS\assembly\GAC_MSIL\desktop.ini which is a Win32/Sirefef.CH trojan
The other Win32/Rootkit.Agent.NUS trojan is in operating memory
My pc symptoms are:
1. can't access a direct link....I have to press 3-4 times the Enter Key in browser..then page will load.
2. Pc is moving slow

A:infected by Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS

Hi

Please do the following:

Please download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Download ComboFix from one of the following locations:
Link 1 Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Wind...

OK Normally I go to google, and read past bleeping computer related topics to the three viruses I listed in the topic, or for anything. But this crap takes the cake. I've never dealt with garbage like this.

I just moved into a new neighborhood, and have been looking for an unsecured internet for a while. Someone just brought one online friday. But when I connected to it (which is what I'm connected to now) Trojans started popping up out of nowhere. I've run Hijackthis and SDfix and will put the logs at the bottom. SD Fix seems to find the viruses, but cannot delete them properly. It'll find them delete them then list hidden attributes, which are still viruses, and not delete them. These little buggers are tricky.

So if someone could please help me out here. It keeps trying to send mass loads of spam mails. I've also reformatted about 4 times now. It's giving false positives in the task manager running processes. svchost, IEXPLORER (listed under system, it's supposed to be listed under HP_Owner for me not to mention it's in caps), random charactered trojans that google has no info on, winlogin.exe is all messed up. MY LoginUI won't work properly anymore. and all of them are listed as exe in places they shouldn't be. Anyways here's the logs, I'm gonna TRY to play some runescape while I wait for an answer.

One more thing, Computer is running slow, don't know if I can run spybot or counterspy again. LOL speaking of which Counterspy's Safe mode scan won't even run. PERIOD. So yeah:
Edit. Runn...

A:Infected with PWS.LDPinchIE, Win32.Delf.uc, Win32.Agent.pz

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTListIt2 Report

Please download OTListIt2 from here
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the "Run Scan" button.
The scan should take just a few minutes.
Copy the log that opens up and paste it back here in your next reply.

=============

The next log will show us any hidden files that are present.

Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Hi,

It seems that I have trojan activity on my home pc.

I am running Vista and when I log in to my user profile I get a blue desktop with a box saying 'Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer'

I have tried a few malware removal programs, Malwarebytes, CCleaner, Adaware and ran virus scans in an attempt to try and remove it myself without bothering you guys but I just can't shift it, so I'm hoping you may have the time to help?

What I have noticed is that I only get these warnings when I am logged into my user profile, not as administrator or as another user on the pc. I also get no warnings when running in safe mode.

I run Avast and that brings up a warning soon after the blue desktop comes up that points to infection with C:\Users\Guy\AppsData\Local\Temp\tt991.tmp.vbs. The numbers/letters after the tt (in this case 991) change each time I log in. It also states Malware Name: VBS:Malware-gen, Malware Type: Virus/Worm, VBS version 080805-0,08/05/08 which I try and delete from the warning box.

I then am greeted with a windows script host message box that will say the above file (tt991.tmp.vbs) failed (Access Denied).

I also regularly get Windows security alert message boxes come up on the screen saying that Windows Firewall has detected activity of harmful software with mention of one of many trojans. These have been:

Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan...

A:Vbs:malware-gen - Trojan-clicker.win32.tiny.h, Trojan-downloader.win32.agent.bq, Trojan-spy.win32.keylogger.aa

Hi,

I am hoping you can help me.

My computer keeps telling me it is infected with spyware/malware. I get a blue desktop on startup with regular warnings saying the computer is infected with:

Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.HTML.Bankfraud.dq

Strange thing is that these only show up when I log in to my user account. If I log in as administrator, another user or as any user in safe mode I get no warnings and nothing shows up on scans.

The pop up warnings direct me to this site: www.antispyware-review.info/?wmid=46638&pwebmid=uWfLn0pimL&a= which is Smartsoft reviews to buy PC Antispy or PC Clean pro.

Malwarebytes scan picks up Fake.Dropped.Malware, Malware.Trace, Trojan.FakeAlert and Hijack.Wallpaper and even if I remove these and restart the PC they come back.

A spybot scan pointed to 2 entries of Virtumonde

I'll attach the latest HJT log, Malwarebytes log and Spybot logs in case you need them. Please help me with this, I can't seem to shift it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:34 AM, on 8/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Ado...

Hello,

My computer became infected last night, and It's pretty bad. I became infected with Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more). Long story short, I'd just watched Harry Potter on dvd, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.

The virus listed by Defender was Trojan:Win32/Alureon.BT. Avast listed Win32:Jifas-CY, I didn't get the others in time.

The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.

I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since windows now thinks I have no anti-virus installed.

All of these trojans are listed as "server" and "high risk." I'm not sure a root kit didn't try to make its way in too.

EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The Viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the Viruses we...

A:Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t

Hello again.

I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite it says when you log into the limited user account). The computer (and especially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?

Should I scan from a Pre-install environment like BartPE? Or from the Regular "Owner" Admin account? I waited 2 days for the stupid program to scan 700gb (painfully slow for a quad core, though to be expected in safe mode), and it was useless.

Other than running windows defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIT and Combofix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.

Does no one have any ideas???

Hi,

I'm running Windows XP - Internet Explorer v. 6.00, SP3. Yesterday Avast alerted me to a virus on my computer (I neglected to write down the exact message). At the time, only Gmail was open and an email was being written. I've had some issues with Avast occasionally reporting a false positive, and since nothing was being downloaded at that time, I took no action with Avast. Instead, I immediately did a Quick Scan with MalwareBytes to see if it would find anything. MalwareBytes found and deleted the following:

C:\Documents and Settings\HP_Owner\application data\Sun\Java\deployment\cache\\6.0\44\61b86cac-3c0c0928
Trojan.FakeAlert.VGen
C:\Documents and Settings\HP_Owner\local settings\temp\0.506697477033.exe
Trojan.FakeAlert.VGen

A second MalwareBytes scan was clean.

I looked "Trojan.FakeAlert.VGen" up on Google and then it clicked: for the past few days, Adobe Flash Player has been crashing an awful lot. When it crashes (on Youtube, for example), it tells me the program is out of date and needs to be updated. The weird thing was that sometimes it worked for a while before it crashed, but I dismissed that as being some strange computer quirk. I went to the Adobe web site and tried to install the newest version of Flash Player, but was unable to. I feel foolish, but it never even occurred to me that a virus could be to blame. It concerns me that (assuming the Adobe Flash Pla...

A:Trojan.FakeAlert.VGen, SpyInstall_HPPre.exe, Win32: Mirc-z [PUP], Win32: Kill App-W [PUP] & Win32: Agent-AMXO (Trj)

Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List last 10 Event Viewer log
List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Document...


I have followed the 5 step rule with no luck and have searched the threads. I am actually a hardware guy and not up on the malware viri, so maybe some pity here. Here is my HJTL:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:46 AM, on 2/1/2007
Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Documents and Settings\stacy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\...

A:Help please 3 trojans present Win32.Qhost.f-Win32.Dialer.mw-Clicker.Win32.Agent.ac

Hi scubbadoo32,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here's what we do first.


Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Using Windows Explorer, please navigate to and delete the following FILES (if they exist):

c:\eied_s7.cab


Please let me know if you encountered any problems finding or deleting the file.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:

Run the CCleaner install...


Hello,

Please help if you can. I ran free Avast! version 5.0.677 on my Windows XP desktop computer (Pentium 4, 1.5 Ghz CPU, 1 gb ram), and came up with the following virus warnings. Unfortunately the Avast! software internal tools to remove it are grayed out and not functioning. I tried a couple of things to remove viruses from help online and then realized I was in way over my head. I found this forum and am now requesting help.

Avast! says I am affected with: JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and Win32:Virut

Attached a screen shot of Avast! with viruses and partial path to them.

Computer's Symptoms (not sure if these are all due to old slow processor or malware):
Computer is freezing often;
When it is in sleep mode it is turning itself on;
Seems to be downloading stuff often and slowing down;
Monitor is going black forcing reboots often;
Couple weeks back I began getting floating ads that pop up when browsing online;
I get an error message daily that says AdAware has shut down unexpectedly, do I want to send a report? I have been ignoring this, not knowing if it was important, been several weeks.

Ok, I think that is all I can think of to share. Please help if you can. I appreciate it.

Thanks,
Dancer

~~~~~~~~~~

DDS (Ver_10-03-17.01) - NTFSx86
Run by ljk at 15:52:28.93 on Mon 09/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.102...

A:Please Help ~ Infected with JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and...

Hello, and to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.

Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

I ask that you please refrain from running tools other than those I su...


Hello to everyone on the forum and thank you for any assistance you can provide.

AVG's resident shield gave me a warning about Worm/Generic.QEV. Later when I thought I had dealt with it and was clean a Malwarebytes scan in safe mode reported 240 trojan.agent entries in various files, processes, keys etc and a Spybot Search and Destroy scan highlighted these nasties Win32.Agent.icb and Zlob.Downloader.vcd which is what I put in the title as the other things seemed too non-descript. I do not know if they are all related. In each case I deleted the entries flagged up as viruses/malware and my latest anti-virus scans come up as clean, however my computer now seems to be running slow. I appreciate this could be because it is catching up with lots of updates or because I have accidentally quarantined a file that was needed but please could someone check my HJT log in case they are still there waiting to respawn or some other gremlin has gotten in undetected.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:36, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOW...

A:Win32.Agent.icb + Zlob.Downloader.vcd now clear?

Hello NocturnalNewt,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea


Hi! I previously posted a topic on this in the Am I infected forum, here which has the main details of my infection. Despite malwareBytes saying it has removed the infection, it has still failed to remove the system\lowset directory and sdra64.exe. There is also another computer in my house which uses the same router. Should I debug that one and reset the router as has been advised to other users here?

Here is my DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Zoe temp at 22:38:18.75 on 29/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.210 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Prog...

A:Win32\rootkit.agent.odg trojan / Zlob / sdra64.exe

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Avast continually blocks the following threats:
 - Win32:Malware-gen
 - WIn32:Downloader-PKU [Trj]
 - Win32:DNSChanger-VJ [Trj]

Avast scans and detects Win32:Sirefef-PL [Rtk], cannot remove it though.

Malwarebytes scan detects BCminer, quarantines it, though never seems to get rid of BCminer.

Other issues of possible note:
 - Windows Firewall not running 0x80070424
 - Backup & Restore - last backup did not complete successfully - server execution failed - 0x80080005

Ran both DDS and GMER (GMER did not have all the options available as per the preparation guide, and did not log anything when the scan was complete).

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Family-pc at 12:37:05 on 2012-08-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.16383.13888 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\sy...

A:Win32:Sirefef-PL, Win32:Malware-gen, WIn32:Downloader-PKU [Trj], Win32:DNSChanger-VJ [Trj], BCMiner need help

Hello Njals, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

Do you have a USB Flash Drive you can use?


Hi there. I am a class one numpty and decided to use p2p software to get a crack & keygen for Sony Vegas 9. I am now infected. I won't be doing that again. For your reference I use Windows XP SP3.

I first became aware of it when AVG alerted me to a malicious exploit when I opened IE and upon Google searching, the links on Google's page kept getting redirected to a number of ad-laden websites such as africa-international.com (DON'T CLICK). Before it does this it seems to redirect through a site named cclicker.com. However, it seems to work if I C&P the URL from the bottom of the Google listing and paste into my url bar. I ran Spybot since AVG was useless, and it said I had a trojan, sdra64.exe, and some malware. I clicked to remove it and it said it had removed everything except a registry key which it was unable to do. Then Spybot prompted me about some registry changes but I did not know what to do as I was unclear whether the changes were coming from Spybot deleting the virus or the virus trying to do something. I allowed some and disallowed others in a confused haze. The next time I ran Spybot it said the trojan had installed a directory, C:\WINDOWS\system32\lowsec\, which it could not elect, containing a number of innocuously-named .ds files. At that point I got fed up with Spybot's and AVG's uselessness and downloaded a trial of Nod32. That seemed to find all my viruses and told me the name of the trojan, win32/rootkit.agent.odg. Spybot seemed to call it Win32.Zlob...

A:Win32/Rootkit.Agent.ODG Trojan & Zlob lowsec directory?

Hello ajadagga and to BleepingComputer.

You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

~Blade


Hi, my sister received an email from her fellow student mate and thought it was crucial and as soon as she opened the email she started to experience Anti Malware Doctor software pop up saying you have received threats click yes to remove and so on. I've tried to uninstall that program from safe but it comes back again every time I log on to desktop. Also my AVG 9 is picking up loads of the trojan horse cryptic.apo file in the temp folder but cannot delete it, it says " interupted by user" and keeps multiplying. I can't seem to surf the net on Windows Explorer, it says page unavailable, but I can go online with Skype and other messengers. The Anti Malware Doctor pops up every now and then. Just can't seem to remove the trojans and Anti Malware Doctor software. I've tried anti malwarebyte in safe mode, it found few objects but after restarting to desktop the Anti Malware Doctor automatically installed again on the laptop.

----------------------------------

DDS (Ver_10-03-17.01) - NTFSX64
Run by vedika at 1:45:44.03 on 20/07/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2006.619 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\...

A:infected with anti malware doctor with trojan horse cryptic.apo and win32/psw.wow.now and win32. fraudpack. bagn

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...


Hi everyone. I find this forum very informative and quite interesting. I'm glad I found it. I do need help in getting rid of these that my scans have found. I use Spybot, Ad-Aware, and AVG on a Windows XP home edition. The Spybot and Ad-Aware found: Win32.backdoor.agent and Win32.trojandownloader.agent. Unfortunately, the AVG did not see these. Any help would be appreciated. The HJT log is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:36 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Photoshop Album Starter Ed...

A:Solved: Scans detected Win32.backdoor.agent & Win32.trojandownloader.agent Please help


Hi, as I've seen a post earlier about this problem, I wanted to post to inquire about the same problem I have, which the "trojan-Downloader.Win32.Agent Variant" warning shows up when I try to open World of Warcraft, I've used Norton Anti Virus to scan but for some reason I found nothing.

As in the previous post it mentioned downloading HijackThis and posting the findings... I was wondering if anyone could assist me with this and the steps... much appreciated.

Regards,
Nick
 

A:Trojan-Downloader.Win32.Agent Variant

Here is the HijackThis log as follows, please assist on the next steps. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 1:44:31 AM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program...


I recently got annoyed when my Firefox browser started redirecting me to random websites. So I scanned my computer using aswMBR and it found viruses called Sirefef-PL, Medfos and Agent-APDL.

Here is my aswMBR log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-17 12:32:14
-----------------------------
12:32:14.193 OS Version: Windows x64 6.1.7601 Service Pack 1
12:32:14.193 Number of processors: 4 586 0x2A07
12:32:14.194 ComputerName: STEVEN-PC UserName: Steven
12:32:15.256 Initialize success
12:32:18.850 AVAST engine defs: 12081601
12:32:23.238 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
12:32:23.241 Disk 0 Vendor: SAMSUNG_HD103SJ 1AJ100E5 Size: 953869MB BusType: 3
12:32:23.264 Disk 0 MBR read successfully
12:32:23.267 Disk 0 MBR scan
12:32:23.271 Disk 0 Windows 7 default MBR code
12:32:23.286 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
12:32:23.300 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
12:32:23.393 Disk 0 scanning C:\Windows\system32\drivers
12:32:37.944 Service scanning
12:32:52.922 Modules scanning
12:32:52.930 Disk 0 trace - called modules:
12:32:52.946 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
12:32:52.951 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007db30...

A:Help with Win32:Sirefef-PL/Win32:Agent-APDL/Win32:Medfos

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete ...


It attacked IE first. I used Ad-Aware and CCleaner. It seemed to go away. Then it came back and attacked Firefox. I used Malwarebytes' Anti-Malware in conjunction with CCleaner and it wouldn't go away. After every use, there would still be another DLL file to find and destroy, even if Malwarebytes' Anti-Malware said it was successful. Often the files that returned were different DLLs than before.

I have no Windows Explorer due to this infection. Managed to run tasks anyway and found you guys on Google when I entered in a DLL file name that I had originally found while scanning. I can't recall the name of the offending DLL... Ran the Kaspersky Scanner, and the HijackThis Scanner. All results are posted below.

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 03:47:06
Records in database: 1439820

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Kienzle\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 112172
Threat name 2
Infected objects 2
Suspicious objects 0
Duration of the scan 01:05:54

File name Threat name Threats count
C:\WINDO...

A:Infected; Trojan.Win32.Agent.asjk, Trojan.Win32.Monder.aane

Hello! My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow...


(DDS log below)

I re-installed my AV after running without it for a while and found that I had quite a few bad things going on picked up by Nod32 including (see attachment for more detail):

Win32/Olmarik.ZC
Java/TrojanDownloader.Agent.NBE
a variant of Win32/Olmarik.UL trojan
Win32/Cimag.CL trojan

I also get multiple outbound connection attempts which are at least partially being blocked by Nod32 to weird .cc .cn and a few .com domain urls, this happens after performing a google search. Also getting some browser redirects going on and homepage changes.

I tried setting nod32 to pre-release updates and performing a full scan, this picked up the above and removed them, but after a reboot there are still things going on. Before reading the steps on this site, I ran the latest ComboFix twice which picked up a rootkit in intelide.sys both times, but appears to come back each time. While I disabled nod32 when I ran ComboFix, it re-enabled upon reboot automatically, not sure if that matters.

I've also been getting a startup delay of around 1 minute after logon, in this time, nothing appears to be going on (no apparent CPU or disk activity), but wireless, AV and other startup items do not run. Then a minute later, everything fires up.

I've tried running GMER several times but this keeps giving me a BSOD with IRQL_NOT_LESS_OR_EQUAL

Last scan with nod32 came up clean but still getting outbound connections and browser redirects.

Looking to sort this out once and for all!

DDS (Ver_10-03-17....

A:WinXP rootkit? problem + Win32/Olmarik.ZC Java/TrojanDownloader.Agent.NBE a variant of Win32/Olmarik.UL trojan Win32/Cimag.CL t...

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)

Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

GMER will open to the Rootkit/Malware tab and perfor...


I am sorry to post a log over here, as I have read through the forum and tried to resolve the problem on my own but I failed. Since I had run ComboFix, I feel that it may be of help to post it. Sorry for the trouble. Here's the log file...

ComboFix 09-07-28.06 - Bentley 07/30/2009 0:35.1.8 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3069.1872 [GMT 8:00]
Running from: c:\users\Bentley\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Install.txt
c:\windows\system32\tmp0_144047822718.bk
c:\windows\system32\tmp0_16962678345.bk
c:\windows\system32\tmp0_205418834021.bk
c:\windows\system32\tmp0_355351885288.bk
c:\windows\system32\tmp0_424346226483.bk
c:\windows\system32\tmp0_516880812123.bk
c:\windows\system32\tmp0_517948877969.bk
c:\windows\system32\tmp0_525286544717.bk
c:\windows\system32\tmp0_687442396617.bk
c:\windows\system32\tmp0_77071886817.bk
c:\windows\system32\tmp0_779592338841.bk
c:\windows\system32\tmp0_790261416358.bk
c:\windows\system32\tmp2_1075327197...

A: Infected with win32/rootkit.agent.ODG trojan and win32/Olmarik.JU trojan

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


The last two days my computer has frozen up while trying to surf around online. This seemed weird so I ran a full system scan with symantec endpoint both days. Both times the logs came back with no risks detected. Today I started getting internet explorer pops directing me to sites. I knew at this point I had an infection that endpoint was not picking up. I disabled my network card and used another computer to download some of the suggested programs I've seen on this site. I was hoping to at least get the problem quarantined so that I would feel safe enough to enable the network card again. After running the utilities, I am not freezing when surfing web pages and have resumed using the computer. I would like help making sure that my computer is clean since endpoint obviously isn't catching this problem. Below are the logs for Kaspersky Online Scan & DSS.

Deckard's System Scanner v20071014.68
Run by bgedeon on 2008-07-29 14:40:22
Computer is in Normal Mode.
---------------------------------------------------------------------------------- HijackThis (run as bgedeon.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40, on 2008-07-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\s...

A: Infected With Trojan.win32.monder.bcb & Trojan-downloader.win32.agent.xxa

I continued to investigate on my own. Combofix quarantined some files, but did not delete them. A scheduled full system scan with endpoint finally picked up some infections with the newest updates loaded. Symantec scan labels the infections as Trojan.Vundo and Trojan.Metajuan. Metajuan was removed automatically, but Vundo proved to be a little more pesky. Symantec offers a removal tool for Vundo on their website. I opted to try out Malwarebytes' Anti-Malware (mbam). It was able to locate the files that were in quarantine and some infected files that were in system restore. I disabled system restore to avoid any problems and mbam was able to delete all the files. After a system restart, I scanned with Symantec Vundo tool and found no further signs of infection. Mbam did a good job. Re-enabled system restore and recreated a fresh restore point. I'm hoping that this will be the end of this problem, but would still be interested in someone combing through some of my logs to see if anything was missed. I'm still a little miffed that endpoint had not picked these infections up when they are not exactly new threats and I had the most current definitions when I ran my previous scans.


My computer has been infected with Win32/Rootkit.Agent.ODG trojan and Win32/Olmarik.JU trojan. AVG, ESET NOD32, and Avira couldn't delete it, and I want to delete it. It redirected all Google searches and slows down my computer. Can you please help me. Thanks ahead to anyone who can help.

Here is the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:51 PM, on 18/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C...

A: Infected with Win32/Rootkit.Agent.ODG trojan and Win32/Olmarik.JU trojan

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, ...
