Possible Rootkit/Polymorphic

Q: Possible Rootkit/Polymorphic

Over the last few days I've run into my audio mixer not functioning for internet browsing but functioning for computer games; when right-clicked it wouldn't identify that there were any installed. The computer would not shut down when the proper buttons were pressed, would lock me out of Task Manager and generally lag. Malwarebytes found a few things, but whenever I restarted and did a scan it'd continue to find things. Spybot S&D started to mention things I never asked it to do, and to make matters even better, during boot-up the computer will get to the Windows XP loading screen, within 2 seconds blue-screen and then restart, but boot up properly this time, but sometimes not load at all. Plus it would lock out the System Restore option arbitrarily, as well as Safe Mode, indefinitely.
Windows XP SP2 computer with C: Drive Partition
DDS.txt enclosed
DDS (Ver_10-12-12.02) - NTFSx86
Run by cole at 22:53:59.97 on Tue 01/25/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1579 [GMT -4:00]

AV: Rising Antivirus *Enabled/Updated* {234E4A88-48FA-4220-A994-5323706FF524}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
D:\Program Files\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Documents and Settings\cole\Local Settings\Apps\2.0\J05K8Z2A.KJN\7EE0V6RE.VN6\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\CurseClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD0.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD0.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\iTunesHelper.exe"
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
StartupFolder: c:\documents and settings\cole\start menu\programs\startup\CurseClientStartup.ccip
IE: Open with WordPerfect - c:\documents and settings\aj\my documents\corel\wordperfect office x5\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cole\applic~1\mozilla\firefox\profiles\4126ns0y.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d2bb6ff&v=6.011.025.001&i=26&tp=ab&iy=&ychte=ca&lng=en-US&q=
FF - component: c:\documents and settings\cole\application data\mozilla\firefox\profiles\4126ns0y.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\cole\application data\mozilla\firefox\profiles\4126ns0y.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCore.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: d:\program files\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

R0 RsNTGDI;RsNTGDI;c:\windows\system32\drivers\RsNTGdi.sys [2010-6-29 11528]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-11 294608]
R1 hookcont;hookcont;c:\windows\system32\drivers\HookCont.sys [2010-6-29 15768]
R1 hooksys;hooksys;c:\windows\system32\drivers\HookSys.sys [2010-6-29 168472]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-11 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-11 40384]
R2 rsassist;rsassist;c:\windows\system32\drivers\rsassist.sys [2010-6-29 12184]
R2 RsRavMon;Rav Service;d:\program files\rising\rav\RavMonD.exe [2010-6-29 191128]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-7-6 14088]
S0 hvpme;hvpme;c:\windows\system32\drivers\cncff.sys --> c:\windows\system32\drivers\cncff.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-8 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-26 1684736]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe --> d:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-5-29 508160]
S4 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-2-26 219360]

=============== Created Last 30 ================

2011-01-26 02:48:00 541696 ----a-w- C:\palladium.exe
2011-01-25 13:24:04 86 ----a-w- C:\asdfasfas.bat
2011-01-24 22:28:05 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc32.tmp
2011-01-24 20:40:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-24 20:40:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-24 20:19:12 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-24 20:19:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-23 03:17:58 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-01-23 03:16:49 -------- d-----w- c:\program files\Microsoft IntelliPoint 5.0
2011-01-21 00:00:00 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc9E.tmp
2011-01-12 01:26:57 -------- d-----w- c:\windows\Internet Logs
2011-01-12 01:12:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-12 01:12:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-11 12:33:39 -------- d-----w- c:\docume~1\cole\applic~1\CheckPoint
2011-01-11 12:33:07 -------- d-----w- c:\program files\CheckPoint
2011-01-11 04:27:01 -------- d-----w- c:\docume~1\cole\locals~1\applic~1\Temp
2011-01-11 04:26:44 38848 ----a-w- c:\windows\avastSS.scr
2011-01-11 03:22:47 3584 ----a-r- c:\docume~1\cole\applic~1\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe
2011-01-11 03:22:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2011-01-11 03:22:32 -------- d-----w- c:\program files\MSECACHE
2011-01-11 03:13:49 -------- d-----w- c:\docume~1\cole\applic~1\PriceGong
2011-01-11 02:42:55 -------- d-----w- c:\docume~1\cole\locals~1\applic~1\AVG Security Toolbar
2011-01-11 01:46:55 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-01-11 01:28:40 -------- d-----w- c:\program files\Rising
2011-01-11 00:55:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Common Files
2011-01-11 00:28:13 -------- d-----w- c:\docume~1\cole\applic~1\Spyware Terminator
2011-01-11 00:28:10 -------- d-----w- c:\program files\Spyware Terminator
2011-01-11 00:19:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-01-11 00:16:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-11 00:01:22 -------- d-----w- c:\program files\common files\PC Tools
2011-01-11 00:01:21 -------- d-----w- c:\program files\PC Tools Security
2011-01-11 00:00:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-01-03 02:29:00 -------- d-----w- c:\docume~1\cole\locals~1\applic~1\Deployment
2010-12-31 04:14:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2010-12-31 03:23:59 -------- d-----w- c:\docume~1\cole\applic~1\Seagate
2010-12-31 03:23:37 -------- d-----w- c:\program files\Seagate

==================== Find3M ====================
=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD1600JS-55NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6CE555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6d47b0]; MOV EAX, [0x8a6d482c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x8A722030]
3 CLASSPNP[0xB80E8FCF] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\00000067[0x8A7733B8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> [0x8A77FD98]
\Driver\atapi[0x8A77F310] -> IRP_MJ_CREATE -> 0x8A6CE555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD1600JS-55NCB1_____________________10.02E01#5&110a72bf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A6CE39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 22:55:09.57 ===============

A: Possible Rootkit/Polymorphic

Hello and welcome to TSF. My name is Taylor and I'll be helping you with your fix.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

I may have need of some help. Can you please take a look? Thank you. I was advised it has a polymorphic infection.
I tried to run GMER, but it doesn't finish.
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/15/2010 2:46:28 AM
System Uptime: 3/20/2012 2:44:44 PM (2 hours ago)
.
Motherboard: | | PM800-8237
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Socket 478 | 2394/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 37 GiB total, 23.207 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_32061565&REV_80\3&13C0B0C5&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_32061565&REV_80\3&13C0B0C5&0&78
Service:
.
Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: VIA Rev 5 or later USB Universal Host Controller
Device ID: PCI\VEN_1106&DEV_3038&SUBSYS_32061565&REV_81\3&13C0B0C5&0&82
Manufacturer: VIA Technologies
Name: VIA Rev 5 or later USB Universal Host Controller
PNP Devic... Read more

Q: Polymorphic Infection

I attempted to create logs but I could not complete any of the steps. When I began, Adobe Reader opened a screen that stated that it could not open 'dds.scr' because it is not supported or it may be damaged due to the file being damaged.
My monitor flashed. Next I saw a file download warning; it was the dds.scr screen saver showing me a window with an arrow pointing to the Save As screen on the desktop; it would not run either. It told me to disable any script programs by clicking the DDS icon to start; it would not click. Then there was a save file window. The next screen was an example, a small black information screen, then a DDS.txt Notebook window. The next screen shot was an attach txt Notebook window and save DDS.txt to the desktop. Last was a screen where I was to create a GMER log (only for 32 bit computers); I skipped ahead until this screen came up. The one thing that did work was, when I began, it did make my CD unable.
I apologize for not being able to give more details.

Thank You Very Much

LemonDrop

A: Polymorphic Infection

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/438856 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

Q: polymorphic infections?

Hi, I was told by LogMeInRescue support that my other laptop has polymorphic infections. I gave them temporary remote control so they could find out the status of my word processor. While they were looking around they found polymorphic infections. They offered to remove them for 300.00 but I can't afford that. They did finally drop the price to a one time removal for 50.00 but I still can't afford it. I was wondering if Combofix could find and remove them? If not, is there any other tool or would someone recommend a complete system reset to factory defaults, or would that even work? The computer is a Toshiba Satellite with Windows 7 OS. I wouldn't mind resetting it to factory default if that would work. I have nothing on it that I worry about losing. I bought it as a back-up and have only used it about 10 times. It was in a pawnshop for a couple of months and that's how I figure it picked up infections b/c I only used it to go to POGO internet game site and Tune-In online radio.
Any advice?
Thanks.

A: polymorphic infections?

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Q: Polymorphic virus? HJT log included - Please help!

I have noticed that whenever I reboot my PC, there is a program that will appear in Task Manager and in c:\windows\temp. The program name changes each time I reboot. The current name is GXFA04.EXE. I have seen the name as GT3F4B.exe and as FS1BA0.EXE.

I have run Trend Micro, Adware Pro, Spyware Doctor, Spybot, SpywareBlaster,
and other tools. Nothing is being reported. I am copying my HJT log. I am hoping that someone will see what I cannot see.

Logfile of HijackThis v1.99.1
Scan saved at 1:57:39 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AutoMate 5\AutoMate5Svc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Software Research\eValid\Program\eventer.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\GS30s.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sybase\EAServer\bin\jagsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc3... Read more

A: Polymorphic virus? HJT log included - Please help!

Hopefully, this new threat will remain low risk and users are safe as long as SCR or EXE attachments are not opened.

Evaman.A worm - new polymorphic mass mailer
http://secunia.com/virus_information/10429/
http://vil.nai.com/vil/content/v_126563.htm
http://www.sophos.com/virusinfo/analyses/w32evamana.html
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39513
http://www.sarc.com/avcenter/venc/data/[email protected]

Evaman.A@mm is a mass-mailing worm that spreads to addresses found at the website email.people.yahoo.com. This worm arrives as an attachment with a .exe or .scr extension.

SUBJECT OF EMAIL MESSAGE
returned mail failure delivery failed transaction server error mail failure Delivery Status (Failure)

TEXT OF EMAIL MESSAGE
This is an automatically generated Delivery Status Notification. Delivery to last recipient failed. Email returned as attachment text file. Message from Mail Delivery Server. Unable to deliver message to last recipient. Email returned as text file. Email returned by the server as ASCII Text mail file. To read the email download the included attachment. Mail Server Notice: Last email sent could not reach intented destination. Email returned as ASCII text file. The last email sent by this account could not reach intended destination. Email has been returned as text file attachment. Mail Delivery Status Notification: Message returned by server. Message returned as text file attachment.

ATTACHMENT NAMES
body message email returned text document

ATTACHMENT EXTENSIONS
*... Read more

Allaple is a powerful polymorphic LAN and Internet worm. It uses a number of exploits to spread and performs a dictionary attack on network share passwords. The worm copies itself multiple times to a hard drive and also affects HTML files. In addition the worm performs a DoS (Denial of Service) attack on a few websites.

The worm's file is polymorphically encrypted. It means that every copy of the worm is different from each other. The constant part is only the size of the worm's executable file - 57856 bytes. After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to brute-force network share passwords by performing a dictionary attack on them. The following TCP ports are used during the DoS attack: 22, 80, 97, 443

While this new worm may not be widespread, it features some advanced designs. In particular, the polymorphic encryption feature could make this one difficult for AV vendors to detect.

Allaple.A Internet/LAN worm - Highly polymorphic with Password attack
http://secunia.com/virus_information/34550/allaple.a/
http://www.f-secure.com/v-descs/allaple_a.shtml

Q: Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

A: Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

OK- I am not extremely computer savvy... I may have destroyed the computer beyond repair, but my files are not backed up and all of the videos of my son when he was a baby are on there and only there. So, HELP!!!! I had a bad virus that started as pop ups for fake virus protection- I can't even remember what it said. I gave it to my brother in law to fix and it took him a month to tell me I needed to backup my files cause he was going to dump the whole thing. Last night after plugging in the USB and having it fill up without even getting through a 1/4 of our pictures, I decided to try to get rid of the virus myself. I ran Malwarebytes which found some items and told me to shut down to complete. I did, got the blue screen- started in safe mode w/ networking (got a pop up that said Malwarebytes could not be located). After some more searching, I downloaded Hitman that was made for the DNS virus- I know whatever it is on my computer is really bad. The local connection icon was completely removed. Ethernet driver gone and Microsoft system tools like firewall and security all gone. Here is what Hitman said before it told me to reboot to complete the deletion of the virus(es). Rootkit rootkit.mbr.pihar.d (boot image), trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.graftor.13001 (engine A), backdoor.maxplus, trojan-dropper.win32.sirefeflIK... and 57 items in temp files..... HELP PLEASE!

A: Rootkit rootkit.mbr.pihar.d (boot image), trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.g...

Copy this tool to the infected PC: FSS
Checkmark all the boxes
Click on "Scan".
Please copy and paste the log to your reply.


I'm working on a friend's laptop and they believe one of the kids went somewhere they didn't need to be going. They said they started noticing issues on 7-20. I was going to try and clean it myself and did a little research on the rootkit and decided I needed to ask for some help. I attached the logs from Malwarebytes and TDSSKiller. When using TDSSKiller I had it skip trying to "cure" the infection.
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:50 on 24/07/2012 (Elizabeth)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
-=E.O.F=-
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Elizabeth at 14:51:40 on 2012-07-24
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2286 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C... Read more

A:Infected with Rootkit.Zaccess/Rootkit.Boot.Pihar.c, Trojan.Dropper.BCMiner

please go ahead and re-run TDSSKiller and allow it to "cure" what it finds

NEXT

Refer to the ComboFix User's Guide
Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


I originally received Security Tool 2011 from golf.com.au. It came through svchost.exe.

I found and deleted the .exe and System Restored to before the infection. In safe mode with networking (i.e. without firewall), iexplore.exe was starting by itself and before I picked up on this I believe I was infected with a series of trojans and other nasties. Many of these were picked up by Malwarebytes and SUPERAntiSpyware. I then used Avast! and it picked up a Win32:Cossta and the Alureon Rootkit. The Cossta trojan was cleaned. The rootkit has remained.

MBRCheck diagnosed the MBR Code as being non-normal or infected. Boot_remover identified the code as 'FAKED!'

After cleaning as much as I could with Avast! Boot scans, I attempted to use both MBRCheck and boot_remover to 'fix' the MBR. Neither were able to.

My next step was to download aswMBR.exe but it would not run. I then attempted to download GMER but the options were greyed out. I then downloaded TDSSKiller which detected 1 Rootkit which I 'cured' and 1 locked file which was 'skipped'. A log is provided below.

This allowed me to access aswMBR.exe which I ran, and posted the log below. After this I ran ComboFix (sorry!!) which said I had Rootkit: Zero Access. ComboFix rebooted and successfully went through all its 'stages'. The ComboFix log is provided below. Interestingly, I had uninstalled all my Anti-Virus software prior to running ComboFix, except for Malware Anti... Read more

A:Infected with Rootkit: Zero Access from Security Tool 2011 [Also potentially Rootkit: Alureon]

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427038 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Got some problems. I am running Vista on a Gateway. Every time I run an AVG or other scan the computer just restarts itself without being prompted. Before it restarts it shows a Trojan, Windows Antiviruspro and Rootkit.cloaked/service-gen 3. RootkitRepeal and dds will not run but HJT will run. Any help is appreciated. Here is a HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:36 PM, on 8/18/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Glance23\Glance.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software ... Read more

A:> Rootkit, Trojans and Windows Antiviruspro, cannot run rootkit tool, restarts computer on scans

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.
*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
*You must reply within 5 days otherwise this topic will be closed.

Your log will be analyzed and you will be instructed on what to do next as soon as possible.


Hello, I have been working on cleaning this system (Desktop PC: Dell Optiplex 7500: Windows XP SP3) for a few days now after discovering an old partially removed infection of Paladin Antivirus. Ran the usual removal tools, MBAM, Combofix, Avast Boot Scan, and F-Secure Online scans, and all show up clean now; however, the Avast real-time behavior scanner is still flagging a latent Rootkit service: SVC:PRAGMApxevsticxr. Of course when Avast asks what I want to do I choose delete, and it recommends a boot scan which comes up clean, and the Avast process starts again. Knowing I was still infected, I decided to go to the ever trusty, but lengthy ESET online scanner which found:

C:\WINDOWS\PRAGMApxevsticxr\PRAGMAc.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\PRAGMAd.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz1D.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz3.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz7.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined

and then in a subsequent ESET scan:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000075.dll a variant of Win32/Krypt... Read more


On Feb 14th, I posted about a rootkit that is on my system HERE in the 'Am I infected' section. It has been a very long time since I have been here, but I believe you used to have to post there first and only ended up here once someone started helping you, but I truly can't recall. Should I leave that where it is and wait for a reply there? Or can that post be moved here? Can the topics be merged? Or should I repost my issue here and delete that post? I apologize that I am so out of touch with forum protocol here, but on the other hand, I don't want to waste anyone's time by posting in the wrong place and clogging up the wrong queue.

I do have a nasty version of the PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant. All other infections have been removed, and I believe the bulk of the rootkit has been disabled. I *think* I just need to drop a custom script into ComboFix or Avenger2 to finish the removal; however, I am not sure because I haven't seen a piece of malware this resilient in years.

The following scans have been run and their logs are saved and available for posting:
DDS
GMER
Rkill
Combofix
RootRepeal
HijackThis
MBAM
ESET Online Scan
FSecure Online Scan
SuperAntiSpyware
Avast Boot Scan
As well as a manually created record of all self deleted registry keys related to PRAGMA.

The bulk of the pertinent information (at least what I *think* is pertinent) is in the original thread linked above with the exception of the GMER info on the rootkit. Please advis... Read more

A:PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant

Post removed due to Crossposts


I would really appreciate some help from someone with experience with this matter.

Introduction:

Origin: False sense of security by AVG (updated), Windows kept updated, browser settings, firewall, and self system maintenance.

Presentation: Installed a 2nd HDD (exclusively for daily backups - ironic!). I did manage to fire off one backup with Win 7 Backup including an image, but I doubt it is clean. Then next morning the computer was no longer in the WIN7 environment but had rebooted to the System Repair panel, and despite a week of working on the problem with lots of pro and sub-pro advice online and offline, I could not get the startup repair to stop reporting that my code integrity file "C:\ci.dll" was corrupt and it could not help me. I was locked in a loop [boot start->system repair]. Safe mode, BIOS changes/resets, drive removals and rearrangements, Win7 original DVD repair, triple startup repair cycle, replacing ci.dll w/ correct sized version (which simply reverted to "corrupt size" on reboot), restore points, using the one image file I had made .... no help - all roads lead to the sys rec panel.

B.T.W. SafeMode would halt boot at driver #5 "CLFS.sys" to enter system recovery console.

Positive (hopefully) Headway I've Made: I researched the details of the component library ci.dll and looked for a vulnerability or weakness I could exploit to avoid the error, and I learned it doesn't lend its function set during kernel debug mode and unsigned d... Read more

A:Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

Mike,

You need Jacee and/or Corinne's help with this - they are our resident security MVP's. No doubt they will see this, but I'll drop them a message and ask them to have a look at this for you.

Regards,
Golden


Hi, Since Friday my computer started to run slow and kept crashing. I also noticed it would redirect Google searches to various webpages and not the actual link it was meant to... I have McAfee Security Centre (updated daily), so ran a scan. It revealed some trojans, namely "Spy-Agent.bw!mem, DNSChanger!ba and Generic FakeAlert!cd". Some of it was removed/quarantined while 1 or 2 files couldn't be fixed by McAfee. I then ran MBAM which managed to clear everything. Here is the log from then (28th Aug):

-----------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2709
Windows 5.1.2600 Service Pack 3

28/08/2009 18:07:25
mbam-log-2009-08-28 (18-07-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165024
Time elapsed: 36 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\C... Read more

A:Infected with Google redirect & Rootkit TDSS and Rootkit.Agent/Gen-Rustock[KBI]

UPDATE: Did an online scan with ESET, it reported the following:
C:\Documents and Settings\Amit Sinha\Application Data\Sun\Java\Deployment\cache\6.0\56\3c28cc78-2a20046a probably a variant of Win32/Agent trojan deleted - quarantined
So looks like there are still some remnants... Anyone?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are... Read more


Hello, I was sent here from the Am I Infected Forum by garmanma. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/260361/requesting-virus-help-malware-greenav-and-rootkit-etc/ ~ OBPrior to posting in that forum. I tried to run MBAM, Spybot, Spyunter. The programs would not run at all, I would get an error stating I didn't have appropriate permissions. I downloaded the DDS.scr file and tried to execute a scan. The scan screen popped open for about one second and closed....every program that I try to run will either not run at all, or if it does run, it will close a few seconds into the scan then shut down. If I try to run it again, I'll get an error saying I don't have permission to run that file.I have tried online scans from Bitdefender, Microsoft's OneCare, and one more (forgot the name)...but every online scan shuts down the entire browser. Also, on occasion I get a fake page saying that the webpage I requested has been blocked due to my infections, and links to me to a page regarding GreenAV. I could not run most of the tools in the preparation guide, even after renaming them. However, in the other forum I was able to run a couple of scans before the programs shut down. I was requested to start a new topic here and post the logs that I have. Thanks in advance:I was instructed to download "peek.bat" and run that program and also RootRepeal. The results from both are listed below:Peek.bat Log:Volume in drive C is SQ004214P01Volume Serial Number i... Read more

A:Rootkit and Spyware Problems: Antispyware/Antivirus/Rootkit Scanner programs all shut down when executed...

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I have tried Norton AntiVirus and also Kaspersky's TDSSKiller and neither have found any Trojans. However, I know I have one because whenever I do a Google search the results pop up but when I click on something I get redirected to another website via Click.LiveSearchNow (the addresses usually aren't website names, they're random IP addresses to sites). I have attached my logfile from HijackThis below. Any ideas?
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:51:54 PM, on 11/25/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16455)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Users\Brendan\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Users\Brendan\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Users\Brendan\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxi... Read more

A:Trojan / Rootkit - Click.LivesearchNow - Not Detected by Rootkit Removers

I'm going to try the Junkware Removal tool since I didn't have any luck with any of the other programs I've seen thus far. I will paste the log when I'm done per the instructions I saw in another thread (see below for those).

Shutdown your antivirus to avoid any conflicts.
Right-mouse click JRT.exe and select Run as administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message


A. McAfee scan has found multiple instances of a "Generic Rootkit.d!rootkit", which it calls NTOSKRNL-HOOK, and classifies as a Trojan. It has both eliminated and quarantined them.
1) As many as 2 to 5 have been found at once.
2) Once "removed," they appear again in no time.
B. McAfee - Update Error
"An error occurred in updating. Please reinstall these programs:
- McAfee Security Center"
NOT DONE - Expected to be repetitive.
C. Defrag - no access
1) Norton Speed Disk won't start. Error Message:
"An unexpected error occurred while communicating with the Speed Disk Service (NOPDB.EXE). Please exit Speed Disk, restart the Speed Disk Service, and try again. If the problem persists, reinstall Speed Disk."
Reinstalled Speed Disk. Same result.
2) Windows XP Accessories Disk Defragmenter Error message:
"Disk Defragmenter could not start."
D. Backup - presently unable to back up.
1) My backup utility, XXCLONE, will not start. (Last backup was WAY too old.) It returns the following Error Message from its initial disk scan:
"The source volume (C:) specified in the command line does not exist, or the volume label does not match. Therefore, it will be ignored."
2) Windows XP Accessories backup component refused to start as well. Error message:
"The Backup Utility cannot connect to the Removable Storage service. This service is required for use of tape drives and other backup devices. Please exit and start the Removable Storage service using the System Services function of the Management ... Read more

A:Hijacked; Generic Rootkit.d!rootkit (NTOSKRNL-HOOK); certainly other probs.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hello to any and all helpers,
I am new to this forum, so please help me follow the rules. I downloaded/ran the scans on the "new instructions" thing and will connect them to this post. 2 wks ago Friday I checked "the official" website of St. Exupery to see if one book was written before the other and up pops McAfee saying it identified 2 instances of the trojan named in the title of this thread. I was already late to class so I closed the window (IE7) and shut down the computer, hoping it would be better later (bad move!). When I got home.. I'm trying to remember, I believe the computer started up ok to run the scan, somewhere in that day I had to restart several times because it stalled (Windows was open but wouldn't do anything). I did run the McAfee scan and delete the trojans, but my computer wouldn't restart fully until the next day, when I discovered that my internet connection would no longer work (it may not have been working right away, I'm sorry I don't remember). It said it was connected but no pages would load. Since then it has not worked, even though I tried to reconfigure the connection (and my IP address). I would say that this is a problem with the modem/router, but my bf's computer is connected to the same and it works fine (this is the computer I'm writing from btw, and he has no antivirus and is resolutely against it and so I can do nothing about it). I wanted to try to reestablish my internet connection before starting a thread so that I do... Read more

A:NTOSKRNL-HOOK, Generic Rootkit.d!rootkit & NO INTERNET CONNECTION

Hello, Exams+this :)
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it'... Read more


Dear Folks,

It looks like my computer is infected with Generic Rootkit.d!rootkit (Trojan) - File: NTOSKRNL-HOOK

I use McAfee Antivirus. Whenever I scan, it shows the following log and it says detected 1 and fixed 1.

8/1/2009 10:24:13 PM Scan Started: 08/01/2009 10:24:13 PM
8/1/2009 10:24:59 PM Scan Started: 08/01/2009 10:24:59 PM
8/1/2009 10:25:44 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/1/2009 10:29:00 PM Total objects scanned: 12981
8/1/2009 10:29:00 PM Objects detected: 1
8/1/2009 10:29:00 PM Scan Done: 08/01/2009 10:29:00 PM

Also I get BLUE Screen very often and my system gets rebooted automatically (screenshot attached).

Please help me in resolving this issue.

I downloaded "ComboFix.exe" from your website but didn't run it as I saw many times that it should not be run without the proper instruction / help from Technical Folks.

I'm just waiting for your response. Please help..!!

Thanks in advance.

Cheers,
Siraj

A:Generic Rootkit.d!rootkit (Trojan) - File: NTOSKRNL-HOOK

Hi Folks,

Thanks for responding to my "Personal Message" from Orange Blossom ~ forum moderator and email from Administrator. As mentioned in the email, I followed the steps mentioned in the following "Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools" which is located @ http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

1. Data Backup - Done
2. Verified that my computer is infected by NTOSKRNL-HOOK trojan
3. Steps 3, 4 & 5 are also done
6. Downloaded DDS and scanned my computer. When I tried to run this scan, I got the warning in the same Command Prompt with the message three times like "Not enough memory to complete the sort.". After that the scan has produced two files (DDS.txt and Attach.txt).
7. Responded to my own topic which I've created on Aug 2nd, 2009. Please help me out in resolving this issue ASAP.

Please find the log from DDS.txt file which is pasted at the bottom of this message. I'll upload the Attach.txt file, if you want. Please let me know.

Problem with my computer is that
- I get blue screen often and it gets rebooted by itself (I'm losing all the data).
- System hangs when Windows Logon Screen appears (only sometimes); I'm not able to login. I've to hardboot.

Just curious: When DDS.scr was scanning, I found that the following EXE files were processing in the background in "TASK MANAGER". Please confirm are they genuine.
fi.exe
wregs.exe
findstr.exe
dds.scr
eds.exe
cs... Read more


Well, once again my co-workers have managed to get something that I cannot remove. Last time I had an issue you guys fixed it perfectly, and I am here again asking for help. Somehow this computer got a virus on it that has been spamming e-mails; because of this our IP has been blacklisted and e-mails we need to go out are not going out, etc. etc... I would just reformat this machine but it has very specific software on it and I cannot.

As far as I know the viruses are called
rootkit-agent, rootkit.protector, and agprotector. Here is my DDS.txt and again I hope I have done everything correctly and I hope you can help. Thank you again.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Big Fox at 15:18:51.93 on Thu 12/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.389 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe... Read more


This was a redirect by OBlossom,

Hi, Hope you can help. I clicked on a link to a web page that I shouldn't have and got a popup saying I needed to update my Adobe, thinking all was ok! When I did that another popup came and said I may be infected and it wanted me to click on their link. Which I didn't, instead I tried closing the windows, even with Ctrl-Alt-Del, it wouldn't let me. Then returning to desktop, McAfee said something wanted access and if I allowed. Again, no! The only way out was a reboot, which took some time to shut down. When the system came back on I got a window saying Google Installer had a problem and had to close, never had that before. It did have a "more info" link, which I clicked and a new window opened up saying something about UACD.SYS & WJQS.EXE! I found them in the registry, I knew I had a problem. After running McAfee it said something about NTOSKRNL-HOOK and Generic RootKit.d!RootKit. Needless to say I am here. I would continue to get that popup, about Google Installer needing to close. Also when I did a search and would click on a link I would get the "WindowsClick" and was redirected to another web page. Ok, try to shorten it, I tried a lot and nothing seemed to help. Until I read here and ran ComboFix, it seemed to work! Had to make note of some files "UAC******.dll and one UAC******.dat another was Service_Uac.sys, ... Read more

A:NTosKrnl-Hook UACD.SYS WJQS.EXE Generic RootKit.d!RootKit

I just wanted to mention an oddity I've noticed, my msn.com link in favorites keeps disappearing, I've saved it then, it's gone again! I'm not proceeding with anything else until told to do so. Though I do hope to understand this soon and rectify its problems! Thanks again.

Hello RikCab,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,
The weatherman (Moderator)

Thanks weatherman, I did just read about that while scanning another's post. I was going to make a note of it here, but you beat me to it, lol. I did try to edit m... Read more


Hello! I believe my computer has an infection, and I'm not sure what it is or how to get rid of it. Hopefully I have followed the log and posting instructions carefully as I would like to avoid any delays and try to resolve this as soon as possible.

What my computer is doing:
It's slower than normal, but the big thing that seems to have started on Saturday 12/12/09 is that whenever I log into my eBay and PayPal account, the next page I'm directed to is a Fraud Prevention page asking me to submit a ton of personal and financial information, everything from my SS# to my ATM + PIN number. I am on the official eBay and PayPal website, happens after I log in using my username and password, I see no way to skip it, and no way to get rid of it. This is NOT eBay or PayPal, it's absolutely fake, neither site would ask for such information, there are even spelling errors. You can view a screen shot of the page here: Screenshot of Fake eBay Fraud Prevention Page

Doesn't appear every single time, but often enough throughout the following day (today), at least 5-6 times out of 10. I have several eBay listings currently listed, eBay and PayPal are both important to me.

What I have done - my computer info
I'm running Windows XP, sp 3, Firefox browser, Dell desktop, wired DSL connection. Only things I have done "prior" to the logs and steps asked by BleepingComputer are:
1. ran a scan with Malwarebytes (4 objects found)
2. scanned with Avast antivirus (nothing found)
3. scanned... Read more

A:Rootkit infection - MBR Rootkit?? eBay & PayPal affected

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow ... Read more


Currently system shows to have ntoskrnl-hook - generic rootkit.d!rootkit 5. The only AV that seems to detect it is McAfee. It states that it has removed it and it keeps coming back. System restore is off. The different scans I have run have seemed to take most of it out but it just starts over and infects more. Below are the reports. Thanks for any and all help in advance. Below is DDS and I have attached the other DDS "Attach" and the RootRepeal report "ark".
DDS (Ver_09-07-30.01) - NTFSx86
Run by Bryan Miller at 20:30:32.37 on Tue 08/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.399 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Offi... Read more

A:Infected with ntoskrnl-hook - generic rootkit.d!rootkit 5

Hello.

One of the infections is a rootkit. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has l... Read more


Yes I've tried running almost every possible program in safe mode to remove this trojan, but every time I reboot I get either a continuous cycle of recurring blue screens that reboot the computer, or any time I try running a program a physical memory dump occurs and the computer restarts this way. I've been working on this for about 2 weeks now and it's really starting to get annoying. Please help.

A:Can't remove generic rootkit.d rootkit NTOSKRNL-HOOK

Hello and Welcome to TSF.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


Hi,

I am here to ask for help with removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit infection that appears to be redirecting most browser search attempts indicating 'www.clickover.cn' within the url.

I have run DDS and included the resulting .txt and Attach as instructed.

Thank you for your support!

Regards

DDS (Ver_09-06-26.01) - NTFSx86
Run by Norm at 1:38:45.54 on Thu 07/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1287 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\p... Read more

A:Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and welcome to TSF!

Regarding the rootkit and backdoors in general:

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


----

If you wish to continue follow the steps below, otherwise let me know



We are going to start with Combofix.

Download and Run ComboFix

Note to readers of t... Read more


Hello,
Malware has been detected on my computer and I cannot seem to get rid of it. AdAware detected the rootkit specified in the post title, and what sound like radio ads are playing even when I have no programs running. I downloaded and ran the DDS program but the dds.txt file did not generate. The attach.txt file did generate but I can't attach it since I had to write this on my iPad (see below).
I'm trying to give as much information as possible, so here are two more issues that I believe are related:
1. IE was barraged with unrequested cookies from random websites until I changed the settings to reject all cookies. IE and Firefox also now take 1-2 minutes to load a page, and in some cases never load it. This is also what happened when I tried to submit this post from my computer (I'm now typing this on my iPad).
2. McAfee has blocked about 25 executions of svchost.exe as mass mailing worms. I can upload that log file if needed.
Please help me get rid of the malware on my computer, and adjust my settings to increase security and prevent future infections.
Thank you!

A:Rootkit detected [Rootkit.MBR.Mayachok.B (Boot image)]

Hello, I am a Computer Software Technician. I will help with your rootkit. There are a few different solutions to your rootkit. (I GAVE EXTRA INFO TO HELP YOUR COMPUTER SPEED INCREASE.)

1. Install and Run TDSS Killer (download from bleepingcomputer.com)

2. Install and Open MalwareBytes DO A THREAT SCAN (malwarebytes.org) download it from there and make sure you go into settings and then detection and protection and set it to scan for rootkits. Fix anything it finds. Restart computer. There are manual ways of removing viruses but that I will not tell you. You can damage your computer. You have to be highly skilled to know what to delete.

3. Run Hitman Pro (download from surfright.nl) and delete what it finds and restart your computer. It will find what Malwarebytes did not. If anything was not found.

4. Download from bleepingcomputer.com AdwCleaner and run it and delete anything it finds. That will speed up your computer. Will delete adware and registry issues. Restart Computer

5. Download CCleaner free version from piriform.com. Run the cleaner and registry cleaner and delete everything it finds.

6. Click the Start Orb type run in the search box and click it. Type temp and clear everything out of that folder and then repeat opening run and type %temp% and delete everything in that folder. Run once more and type prefetch and delete everything in that folder. Restart computer. This will speed up your computer as well. MalwareBytes may hav... Read more


I've tried almost everything to get rid of this trojan and I always end up with one of two results. First, either when the computer reboots it automatically reboots through a continuous cycle once it hits the Windows screen. Second, I log onto Windows and start to run a program, and a physical memory dump occurs. I also think my external hard drive has the virus on it, although none of the hundreds of virus scans I've completed show a virus on the drive. Please give me some insight on what to do. Thanks



DDS (Ver_09-07-30.01) - NTFSx86
Run by paul at 19:41:12.95 on Sat 08/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.527 [GMT 4.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\WINDOWS\system32\ZuneBusEnum.exe ... Read more

A:generic rootkit.d rootkit NTOSKRNL-HOOK problems

Hi there,

Looks a lot better, but lets run a few more checks.

1. Please open Notepad: Click Start, then Run.
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


Code:
FileLook::
c:\windows\S0A0D9E6F.tmp
c:\users\paul\cc_20090725_201550.reg

DirLook::
c:\program files\My-Proxy
c:\users\paul\APPLIC~1\lsptttiq
c:\users\NetworkService\Application Data\lsptttiq

RegNull::
[HKEY_USERS\S-1-5-21-436374069-1715567821-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{52432C9E-AC35-115A-59A8-20D2B4352033}*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d620a955-eb2d-4b83-8024-1840b1f2d536}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download RegQuery by Noviciate to your desktop
Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Double click RegQuery.exe to run the program
Paste the text you have copied using CTRL and V, into the textbox
Cli... Read more


Earlier tonight, I was apparently infected with the above rootkit. I started to get Symantec AntiVirus notifications that downloaders were being deleted, and Windows Firewall kept popping up asking me if I wanted to block access to different nefarious items, the first being Rootkit.Win32.Agent.PP. I did a google search for this and found this site, in particular, this page. I started to follow the instructions on this page, so I ran MalwareBytes, which found a rootkit, among other things. I also ran the TFC program mentioned next. I rebooted after each of these. However, before doing anything else, I stopped and read the preparation guide for this forum. I next ran DDS and RootRepeal and am attaching the log files to this post.

Before running MalwareBytes, I was getting frequent Symantec AntiVirus notifications, and frequent Windows Firewall notifications as mentioned above ("frequent" being 1 every minute or so). After running it and TFC, I have not gotten any more notifications. Upon reboot, though, Symantec AntiVirus reported that there were items it could not remediate after rebooting. So, I'm not entirely sure if I've gotten everything or not. I'm pasting my MalwareBytes log below, and then the DDS log.

Thanks in advance for any help you can provide. Just to be safe, I am disconnecting my computer from the network tonight and will check any replies from another computer.

-----
MalwareBytes log:
Malwarebytes' Anti-Malware 1.43
Database version: 3485
Windows 5.1.2600 Service Pack... Read more

A:Rootkit infection (possibly Rootkit.Win32.Agent.PP)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand corner ... Read more


I need help removing Generic Rootkit.d!rootkit from my computer using Windows 2000. My McAfee virus scanner is erasing it but it keeps coming back. I've tried to run McAfee in Safe Mode but it won't run. I've also tried to install and run Malwarebytes' Anti-Malware but it won't run. I was able to run Stopzilla in Safe Mode but it didn't do anything. Can't get PC Tools to run either.

Any help would be appreciated.

My other 2 laptops were infected also but they utilize Windows XP and I was able to get rid of this trojan/virus on those computers. Right clicked on My Computer and disabled system restore. Then ran Malwarebytes' Anti-Malware program which seemed to do the job.

Looking for something free to download and get rid of this.

Was afraid to try ComboFix.exe due to posts warning about this program


64 bit, Windows 7

I was having issues with youtube. Streaming was very slow and would often times stop altogether. At first, I thought I had an issue with flash player and so I uninstalled it, installed it again, and checked on updates. I still had the same issues.

I ran Spyware Doctor and Malwarebytes to see if the issue was malware. Previously, when I ran either program, it would show a lot of infections, but now there were none. I then thought that it could be a browser issue so I downloaded Google Chrome. Though it downloaded, Google Chrome would not open any sites. I got an error code. This is what it says:

"This webpage is not available. The webpage at http://google.com/ might be temporarily down or it may have been moved permanently to a new web address. Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error."

It said a couple of times that I wasn't connected to the server, but to me that didn't make sense because I was online and surf the web with Firefox.

I downloaded other types of anti virus and malware programs to see if it would help. This is a list: spybots, ad aware, bitdefender, avg, kaspersky.
None downloaded. I received messages saying that the files were corrupted. There would be a bunch of programs opening while doing this. They were moving so fast so I couldn't catch any of them.
I tried to do online scans. Those didn't work either. Same message.
I tried to download these programs in safe mode with networks. They did not download. I trie... Read more


My computer has been afflicted with a rootkit and associated malware according to McAfee Virusscan Version 13.3, Build 13.3.115. The DAT files used in the scan are version 5560.0000 and were created on 3/21/2009.

My computer is running XP Home Edition, with SP3 installed

The following is found when a scan is performed in SAFE MODE only. This does not show up in normal mode.


"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
3/21/2009 6:50:16 AM "C:\WINDOWS\SYSTEM32\UACTOHUVLQF.DLL" "Generic FakeAlert.k" "5"
3/21/2009 6:50:21 AM "C:\WINDOWS\system32\UACtohuvlqf.dll" "Generic FakeAlert.k" "5"
3/21/2009 6:50:21 AM "C:\WINDOWS\SYSTEM32\UACUDRIREJN.DLL" "DNSChanger.r" "5"
3/21/2009 6:50:26 AM "C:\WINDOWS\system32\UACudrirejn.dll" "DNSChanger.r" "5"
3/21/2009 9:11:19 AM "C:\WINDOWS\SYSTEM32\UACTOHUVLQF.DLL" "Generic FakeAlert.k" "5"
3/21/2009 9:11:24 AM "C:\WINDOWS\SYSTEM32\UACtohuvlqf.dll" "Generic FakeAlert.k" "5"
3/21/2009 9:11:24 AM "C:\WINDOWS\SYSTEM32\UACUDRIREJN.DLL" "DNSChanger.r" "5"
3/21/2009 9:11:29 AM "C:\WINDOWS\SYSTEM32\UACudrirejn.dll" "DNSChanger.r" "5"


Viruscan indicates that the rootkit is cleaned. In the quarantine area, two files show up UACTOHUVLQF.DLL and UACUDRIREJN.DLL.... Read more

A:Please help with NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello dgwaltney,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications. McAfee, in particular, will interfere with ComboFix's removal of the rootkit.

Double click on combofix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the ... Read more


Hi All,

My laptop had some unwanted pop-ups from FireFox so I scanned the whole system using McAfee and it found bunch of virus, all of which were said to be either cleaned or deleted by McAfee. I then rescanned it few times afterward and each time I get the following:

Name is "NtQueryDirectoryFile"
Detected As "Generic Rootkit.d!rootkit"
Detection Type "Trojan".

McAfee always says it is "cleaned" but it shows up each scan.

I would appreciate it if someone could help me clean it. Thanks in advance!

A:my laptop is infected with Generic Rootkit.d!rootkit

Hi and welcome to BleepingComputer

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Result... Read more


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:21 AM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ht... Read more

A:rootkit.pakes rootkit.agent..., too many to list!!!

hi all... saw the 5 day thread and judging by the number of posts today, i would probably still be in line tomorrow, so at the risk of offending i will pass on my request for help if nobody gets to me in the next 12 hrs or so

i have to get my system back up, so if fdisk is my only option i will need to start down that path... again, not meaning to be indignant, i am just in need of moving forward with repairs so if someone does have time, thank you... if not, thank you as well


I have scanned over and over again, and McAfee says it is removed, but it reappears so it is not getting resolved. The browser (IE has difficulty opening and Firefox is redirected) is difficult to use. I am getting an excessive amount of popups, though the blocker is activated. The advertisements on webpages are for some sexual enhancements. Martha Stewart would have a fit if she knew about them on her site, I am sure. I ran through some preliminary steps from McAfee support by erasing cookies, temp files, history and pws. Restore will not run. Also seems to show up with NTOSKRNL-HOOK and Generic Artemis which the latter showing as potentially unwanted program. Please advise. I have taken the first steps and the information is as follows:




DDS (Ver_09-03-16.01) - NTFSx86
Run by Ann at 23:12:26.77 on Sat 03/28/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3317.2260 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
... Read more

A:Generic Rootkit.d!rootkit (Trojan) Infection

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

----...


Found some issues with browser redirects which may now be solved but had several instances. Extremely slow computer at first so used CCleaner and then followed up with SuperAntiSpyware. That found 4 instances of Trojan.Agent/Gen-DocFake and 1092 pieces of spyware. Removed but still acting slow and very hesitant. Used TDSSKiller and located rootkit Pihar.b which it said it removed. Restarted and ran Combofix which found a lot of things and removed them also. Then followed up by installing Avast and using their boot time scan tool which then located rootkit Alureon.b.

The system still appears to be having issues and Spybot is sending me fake browser notices from my Google Search engine about certain URLs.

Below is my DDS.txt log and I'll zip and attach the Attach file for you below that.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 12:42:53 on 2012-09-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3003.1528 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Spybot - Search and Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A...

A:Pirhap.b rootkit changed to Alureon.b rootkit

I see Combofix has been run on this computer. Can you please post the log(s) located at C:\ComboFix.txt

NEXT

Download Farbar Recovery Scan Tool and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
* Restart the computer.
* As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
* Use the arrow keys to select the Repair your computer menu item.
* Choose your language settings, and then click Next.
* Select the operating system you want to repair, and then click Next.
* Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
* Insert the installation disc.
* Restart your computer.
* If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
* Click Repair your computer.
* Choose your language settings, and then click Next.
* Select the operating system you want to repair, and then click Next.
* Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
* Startup Repair
* System Restore
* Windows Complete PC Restore
* Windows Memory Diagnostic Tool
* Command Prompt

* Select Command Prompt
* In the command window type in notepad and press Enter.
* The notepad opens. Under File menu select Open.
* Select "Computer" and find your flash drive letter and close the notepad.
* ...


I have used Rootkit Buster, Kaspersky Scan, TDSSKiller, Rootkit Unhooker, Malwarebytes, HijackThis and pretty much any program you can think of.

I cannot get rid of this rootkit. Every time I restart, Symantec Endpoint Protection detects it.

The name of it in Endpoint is: Hacktool.Rootkit

The name in Kaspersky is: Rootkit.Win32.ZAccess.C

A:Hacktool.Rootkit/Rootkit.Win32.ZAccess.C

You have a serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.


Initially got a System Security virus that was removed using Malwarebytes. Subsequently got several other viruses, all removed with Malwarebytes. Got a variety of BSODs. Right now I appear to have everything cleaned except a rootkit, since McAfee consistently reports a NTOSKRNL-HOOK Generic Rootkit.d!Rootkit that it consistently says is removed but is actually not removed. Also Malwarebytes reports a \\?\globalroot\systemroot\system32\geyekrlcbmkryv.dll (Trojan.TDSS) that it reports removed but is not actually removed. I suspect these are related. Also cannot start in Safe Mode right now.

Additionally, when running RootRepeal I got the following message: "Could Not Read Boot Sector. Try Adjusting the Disk Access Level in the Options Dialog." I tried with several different settings and got the same message. I also got the following message on RootRepeal: "Could Not Read System Registry! Please Contact the Author!" The details showed "Unrecognized Partition Type 6 (0x6)!".
See DDS.txt, ark.txt files below and Attach.txt attached.
Thanks for your help.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Elaine at 18:27:20.10 on Fri 08/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1839 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA0...

A:NTOSKRNL-HOOK Generic Rootkit.d!Rootkit

Hello PonchyRCA,

Has your McAfee SecurityCenter (Antivirus) expired? Let's try running RootRepeal a different way.

Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the box beside Drivers area (leave the others unchecked). Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop
Reconnect to the internet.
Post the contents of that log in your reply please.
Post those logs back in your next reply.


G'day,

Having some malware issues - I assume the TDSS rootkit. Symptoms are:
*Redirecting IE and Firefox results from Google
*At any given time, 2xIE processes running (they come up again when closed)
*The other day before this all happened, another bit of malware snuck up (fake notifier) - possibly leading to the download of this?
*I kept getting "Hard Drive Failure" messages with the previous issue. When I rebooted, everything from the start menu was gone, as well as the desktop. It has all restored back to normal, but half of my files scattered through my computer have transparent icons (as if they're hidden)
*I ran memtest (from unix GRUB) and used computer management to check the health of my hard drive - A-OK apparently.

I foolishly didn't have any other protection on my system as a while ago AVG failed upon install and I never got around to it again.

Steps taken so far:
*Firewall was already on (Windows) - didn't reinstall ZoneAlarm which was stupid of me.
*Ran AVG Thorough Scan + Anti-Rootkit, Kaspersky antivirus, TDSSKiller, Spybot and as expected, nothing came up besides cookies, a couple of temp files, etc.
*Used DeFogger, and got all the logs, and will paste below.

Any help is greatly appreciated all! Thank you very much

=============================================================================================================================
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Run by Aa...

A:Rootkit issue - assumedly TDSS.rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap...


I appear to have picked up this NTOSKRNL-HOOK Generic Rootkit.d!rootkit virus whilst surfing the net yesterday. My computer is/should be protected by the McAfee Security Center; however, it hasn't stopped this one, and it has clogged my computer.

Whenever I try to start Windows normally, I get the Blue Screen error, and I cannot turn off the system restore points either. I have run the virus scanner numerous times, which has allegedly removed the infection; however, it normally reappears after the restart.

I have done the reports that you have requested, which now follow.

A:NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------


On startup:

Webroot Spysweeper gives a popup error:
"The installation has been damaged. Please reinstall the product. (105)"

Followed by another popup error:
The connection to the program engine has been lost or terminated.
The program will now close and restart.
If you experience any problems please contact ....

McAfee Security Center gives a popup error:
McAfee Virus Scan On Demand Scan has encountered a problem and needs to close. We are sorry for the inconvenience ....

Followed by another popup error:
Scanning has encountered a problem from which it can not recover.
Here are the problem details:
-Error getting scan progress.
When finished you will return to the home window.

After startup:

1. I can not launch Spysweeper at all.
2. I can open McAfee and can sometimes run a scan which reports:
NTOSKRNL-HOOK Generic Rootkit.d!rootkit
3. Google searches return entries which are redirected to different sites when selected.

I was able to complete a DDS scan but not the GMER scan which would not open a user window once I downloaded it and unzipped it. It did run in the background and I could not find an ark file.

DDS (Ver_09-07-30.01) - NTFSx86
Run by warrenb at 15:42:18.87 on Tue 08/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.535 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FA...

A:NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello.

Try RootRepeal instead:

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror

Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror

Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the boxes beside All Seven options/scan area

Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop
Reconnect to the internet.
Post the contents of that log in your reply please.

~Extremeboy


Hello, Boopme directed me to this forum section, and instructed me to post the following logs. The first two are MBAM logs, and the last is a RootRepeal log. His parting statement goes as follows:

You have a rootkit. As there are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by an HJT team member. Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible. Please follow this guide. Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log. Let me know if it went OK.

The following are the logs that I was instructed to pass on to you (the HJT Team):

Here is the first:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3 (Safe Mode)
9/1/2009 3:30:18 PM
mbam-log-2009-09-01 (15-30-18).txt
Scan type: Full Scan (C:\|E:\|H:\|)
Objects scanned: 71585
Time elapsed: 23 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Compo...

A:Rootkit "Win32/Rootkit.Agent.ODG trojan"

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.
*If not please perform the following steps below so we can have a look at the current condition of your machine.
*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is ne...


My computer has been having problems for a few days now. It randomly restarts without warning, due to malware. I've scanned with a multitude of programs, which find and kill the trojan, only to have it reappear later. I've used Malwarebytes, TDSSKiller, iExplore, and Combofix (which I know I shouldn't use without supervision... I won't use it until instructed now.)

Malwarebytes finds the process svchost.exe *32 and file C:\Windows\svchost.exe to be infected.
TDSSKiller finds Rootkit.Boot.Pihar.
iExplore and Combofix delete various files which I don't remember.

Every time I manually reboot, everything seems normal at first, but then the svchost process quickly pops up again. This has been going on for a few days now and I can't tackle it. This seems to be a deeply rooted trojan and I'm desperate to remove it. Help is much appreciated.

--------------------------

No GMER log is attached as I am using Windows 7 x64

Here is my DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Jophuz at 21:20:27 on 2012-02-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2860 [GMT -6:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
FW: PC Tools Firewall Plus *Enabled* {175D0B73-9F8F-2CA9-8BF1-62277A276DC9}
.
==...

A:svchost.exe rootkit - "rootkit.boot.pihar"

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r...


Rootkit.TDSS Hacktool.rootkit

Just showed up; have not had a problem for a few months. Please help with removal. And is someone hacking me, or is this a common virus floating around? THANKS!

A:another virus Rootkit.TDSS Hacktool.rootkit

bump


One of my friends managed to install this nasty rootkit on to my Vista Ultimate machine and I have had nothing but problems since. First it redirected search engines, then it installed Win Police Pro, then it killed access to all Windows executables unless you ran them in administrator mode. The rootkit was identified as a Rootkit.TDSS by Malwarebytes and Spyware Doctor, but it was identified as Rootkit.Rustock[KBI] by SuperAntiSpyware. Spyware Doctor and SuperAntiSpyware failed to rid me of the pest, but Malwarebytes managed to remove most of it. Right now I'm stuck with 4 TDSS registry keys that won't delete. Malwarebytes detects them, but will not remove them. I've tried manual removal, and checked and added the appropriate registry permissions. They just won't go away and I'm afraid I haven't removed the infection. Although, the computer appears to work perfectly.

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6000
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmfqnmkfeu (Rootkit.TDSS) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmlhphykoy (Rootkit.TDSS) -> Delete on reboot.

I can view these 2 keys but not delete them; they are where the injector is held. Although, I did manage to delete SOME of the files contained in there.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ytasfwqespetxa (Rootkit.TDSS) -> Quara...

A:Rootkit.TDSS or Rootkit.Rustock[KBI] Trouble

We need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check only the Files box: Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button.
Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
Include this report in your next reply, please.
