
Infected With Adware.win32.insider.d & P2p-worm.win32.kapucen.b

Q: Infected With Adware.win32.insider.d & P2p-worm.win32.kapucen.b


A: Infected With Adware.win32.insider.d & P2p-worm.win32.kapucen.b

Hello Paularden and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer.
Go to Control Panel > Internet Options > General tab.
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history.
Click Close below.

* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will pop up asking what to clear.
Select all and click the Clear button again.
Click OK to close the Options window.

* Clean other Temporary files + Recycle bin:
Go to Start > Run, type cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
In the event you already have ComboFix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.
Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder


Hello,

My computer became infected last night, and it's pretty bad. I became infected with Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more). Long story short, I'd just watched Harry Potter on DVD, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.

The virus listed by Defender was Trojan:Win32/Alureon.BT. Avast listed Win32:Jifas-CY; I didn't get the others in time.

The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.

I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since Windows now thinks I have no anti-virus installed.

All of these trojans are listed as "server" and "high risk." I'm not sure a rootkit didn't try to make its way in too.

EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The Viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the Viruses we...

A: Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t

Hello again.

I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite it says when you log into the limited user account). The computer (and especially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?

Should I scan from a pre-install environment like BartPE? Or from the regular "Owner" admin account? I waited 2 days for the stupid program to scan 700gb (painfully slow for a quad core, though to be expected in safe mode), and it was useless.

Other than running Windows Defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIT and Combofix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.

Does no one have any ideas???


I don't know how to remove them, our computer automatically shuts down sometimes.

DDS (Ver_09-09-29.01) - NTFSx86
Run by user at 20:03:13.70 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.192 [GMT 8:00]

A: Infected with Win32/Heur, Adware Toolbar.GP, Trojan Horse, Worm

Hello, my name is Sempai and welcome to Bleeping Computer.

* We apologize for the delay. The forum has been busy.
* I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
* It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
* You must reply within 5 days otherwise this topic will be closed.

Your log will be analyzed and you will be instructed on what to do next as soon as possible.


My Avast antivirus recently started detecting a whole host of viruses. I ran a thorough scan of all files and deleted every infected file until the scanner turned up a hit in the operating memory. It then suggested I run a boot sector scan - I did so. Upon rebooting Avast started detecting more viruses. This time I rebooted into Safe Mode and ran the scanner there, deleting everything I found. Apparently one of the files I deleted was important, because after that my computer Blue-Screened during boot-up and I had to do a system restore to a save point from a few days ago (before the virus was contracted). Since then the virus has continued to crop up, and I haven't the foggiest notion of how to get rid of it.

The title is a list of the virus descriptions that my Avast scanner gave me. I ran all the programs the walkthrough on this site instructed me to, but the RootRepeal program crashed and generated an error message and crash report, both attached (error message in .png image format - I took a screenshot of it).

Thanks for your help!

__________________________________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by Bryan at 18:56:06.09 on Wed 12/02/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1546 [GMT -5:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32&...

A:Infected with js: downloader-FT Win32:Banload-GLR Win32:Malware-gen Win32:Refpron-AW Win32:Rootkit-gen Win32:VB-NWC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

* Download DDS by sUBs from one of the following links. Save it to your desktop.
  DDS.scr
  DDS.pif
* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results.
* Foll...


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 94300
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:45:29

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\FreeApp.exe Infected: Trojan.Win32.Agent.arng 1
C:\Qoobox\Quarantine\C\Program Files\tinyproxy\tinyproxy.exe.vir Infected: Trojan-Proxy.Win32.Agent.bcw 1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe Infected: IRC-Worm.Win32.Small.x 1
C:\WINDOWS\bolivar24.exe Infected: Backdoor.Win32.Agent.ubx 1

The selected area was scanned.
--------------------------------------------------------------------------------
Logfile of random's system information tool 1.04 (written by random/random...

A:Infected: Trojan.Win32.Agent.arng, Trojan-Proxy.Win32.Agent.bcw, IRC-Worm.Win32.Small.x, Backdoor.Win32.Agent.ubx

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

* Download DDS by sUBs from one of the following links. Save it to your desktop.
  DDS.com
  DDS.scr
  DDS.pif
* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any scr...


Hi guys need some urgent help.... I have AVG 8.5.427 free edition installed on my system, wherein the operating system is Windows XP Professional..... I ran a scan on my system and the scan reported Trojan Horse Generic11.ATHC and the resident shield log reported the remaining viruses (Worm/Downadup, Win32/Virut, Win32/Cryptor). I deleted the corresponding folders but still the system is very slow. It would be of immense help if anybody could provide expert advice on this matter. I am providing the hijackthis log herewith

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:32 PM, on 12/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\system3...

A:Infected with Trojan horse generic11,Worm/Downadup,Win32/Virut,Win32/Cryptor

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:

* Reply to this thread; do not start another!
* Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
* Do not run any other tool until ...


Hello there,

For almost a week, I have been encountering an issue with Google where search results open in a new tab as arbitrary sites, most commonly monstermarketplace.com. As I began researching the issue, I also discovered that malware solution sites such as bleepingcomputer.com all displayed a "Page Load Error" "Failed to Connect" regardless of whether I was using Firefox or IE. My scans with Spybot and AdAware didn't bring up any unusual results, but my Avast scan (only when the archive files option was selected) did identify the following:

ERROR OCCURRED DURING MOVING FILE TO CHEST: THE OPERATION IS NOT SUPPORTED FOR THIS TYPE OF ARCHIVE
C:\Documents and Settings\my name\Local Settings\Temporary Internet Files\Content.IE5\5HUMMQG0\Uninstaller[1].exe\0.exe Win32:Frauder-F (Trj)
C:\Documents and Settings\my name\Local Settings\Temporary Internet Files\Content.IE5\5HUMMQG0\Uninstaller[1].exe\1.exe Win32:Frauder-F (Trj)
C:\Documents and Settings\my name\Local Settings\Temporary Internet Files\Content.IE5\5HUMMQG0\Uninstaller[1].exe\2.exe Win32:Frauder-F (Trj)
C:\Documents and Settings\my name\Local Settings\Temporary Internet Files\Content.IE5\5HUMMQG0\Uninstaller[1].exe\3.exe Win32:Frauder-F (Trj)
C:\Documents and Settings\my name\Local Settings\Temporary Internet Files\Content...

A:Infected With Win32:frauder-f Trojan And Win32:adware-gen Adware

Hi juffy,

I'm sorry it's taken so long for you to get a response!

"With the "show hidden files" option turned on, I attempted to navigate to the location to see if the files could be manually deleted, but reached a dead end when, after getting to the Local Settings folder, was only able to view folders named "Application Data", "Temp", and "Apps"."

The folder in which those files are located is a special folder and not easily accessible using Windows Explorer. Don't worry, we'll clean out anything bad in there during the course of cleaning.

* Download RSIT by random/random to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
* Double click RSIT.exe to start the program, and click Continue at the disclaimer screen.
* When the scan is complete, two text files will open - log.txt <- this one will be maximized and info.txt <- this one will be minimized
* Make sure Format->Word Wrap is unchecked
* Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt and info.txt in your reply

Once complete, please post both RSIT logs, you won't need to produce a new HijackThis log as RSIT produces one for you.


Here is the history of the problem:

Two days ago using Firefox I entered a google search and a page came up explaining that I most likely had some sort of malware and they were blocking my search due to automated searches coming from my computer. The google page suggested I check with an Adware program. I did use Ad-Aware and it found and removed Win32.Worm.LovGate. However this hasn't appeared to be the end and my firefox has not been running as normal. I am vague on what else has tipped me off as to a continued problem however here are some other things I have noticed:

This website : <http://maplestreetpress.com/book.cfm?book_id=44> redirected itself all day yesterday to another website in turkish I believe.

Again my firefox seems to be running slower than usual, for instance I closed it sometime yesterday to again run Ad-Aware and it took forever to close and I was unable to use Ad-Aware to manually update a virus definition file until I used CNTR-ALT-DEL to end firefox.

I think I perhaps this program I also used after searching my worm came up with a removal software: <http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/>

While installing my McAfee deleted "Generic PWS.y (Trojan) from c:\documents and settings\...\virus removal tool\is-0CI9R\is-1DDDQ.tmp

I have now downloaded the 8.0 version of Ad-Aware and just run it and it found and got rid of the Win32.Iroffer.1227 worm but the previously mentioned website problem has now just now ...

A:Infected with Win32.Worm.LovGate then Win32.Iroffer.1227

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

* Download DDS by sUBs from one of the following links. Save it to your desktop.
  DDS.com
  DDS.scr
  DDS.pif
* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results.
* Follow the instructions that pop up for p...


Athlon AMD pc Windows XP Service pack3

My F-Secure antivirus keeps warning me about malware eg koobface but can only deal with it by renaming it. Spybot and Malwarebytes have identified Win32.agent.pz, Win32.BHO.je, and virtumonde.dll (among others). I have tried turning off System Restore and have used Safe Mode but all to no avail as they keep returning.
I have downloaded Hijack this so could post a log if required.
Any help would be much appreciated. Thank you.
 


Hey, Recently my computer has been infected with a virus. The desktop background on my computer changed by itself to a white screen that warns me that I have been infected with Win 32 Adware Virtumonde and Win 32 Privacy Remover. N 64 and that I should download spyware removers to get rid of it. I have no idea how I got this virus. Now, my computer won't load certain web sites, my email won't send anything out, and other various problems occur. I have tried running virus scans and using ad aware but I still can't find the problem. I do not know much about these things so any and all help would be greatly appreciated. Thanks. I will post my Hijack This log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:18, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\De...

A:Infected With Win32/adware.virtumonde + Win32/privacyremover.n64

Hello and welcome to BC,

Please download SDFix by Andy Manchesta and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All. A new folder will be extracted to your %systemdrive%, typically C:\SDFix

* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.

NEXT

Please visit below webpage for instructions for download...


Hi,

Please help me in getting rid of the pop ups which keep coming up.

trojan downloader win32 agent bq
trojan clicker win32 tiny h
trojan spy win32 key logger.aa
trojan spy win32 green screen
trojan spy html bankfraud.dq

HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:40, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Pac...

A:Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.


Hello,

Please help if you can. I ran free Avast! version 5.0.677 on my Windows XP desktop computer (Pentium 4, 1.5 Ghz CPU, 1 gb ram), and came up with the following virus warnings. Unfortunately the Avast! software internal tools to remove it are grayed out and not functioning. I tried a couple of things to remove viruses from help online and then realized I was in way over my head. I found this forum and am now requesting help.

Avast! says I am affected with: JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and Win32:Virut

Attached a screen shot of Avast! with viruses and partial path to them.

Computer's Symptoms (not sure if these are all due to old slow processor or malware):

* Computer is freezing often;
* When it is in sleep mode it is turning itself on;
* Seems to be downloading stuff often and slowing down;
* Monitor is going black forcing reboots often;
* Couple weeks back I began getting floating ads that pop up when browsing online;
* I get an error message daily that says AdAware has shut down unexpectedly, do I want to send a report? I have been ignoring this, not knowing if it was important, been several weeks.

Ok, I think that is all I can think of to share. Please help if you can. I appreciate it.

Thanks,
Dancer

~~~~~~~~~~
DDS (Ver_10-03-17.01) - NTFSx86
Run by ljk at 15:52:28.93 on Mon 09/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.102...

A:Please Help ~ Infected with JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and...

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

* I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
* Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
* Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
* I ask that you please refrain from running tools other than those I su...


I have an F-Secure internet security software suite on this computer, and it is up-to-date and functioning. I also have MalwareBytes (free) installed and have been running it regularly, and I use the ESET Online Scanner as well. The OS is Windows XP, and it is up-to-date.

About three weeks ago I cleaned around three trojans from this computer using MBAM and the online scanner. A few days ago, Adware.Win32.WebHancer.x was found by F-Secure, and is currently quarantined. Today, several instances of the two Trojan-Spy programs were found and quarantined by F-Secure; they infect system files and system restore files. I already looked up information on cleaning the system restore files by stopping and restarting system restore (and scanning in between). I deleted the quarantined files.

All of the Spy-Trojan's found are infecting in C:\hp\recovery\wizard\fscommand\. The file names are:

AppRecoveryLink_ret.exe
CDLogic_ret.exe
CreatorLink_ret.exe
RestoreLink_ret.exe
RTCDLink_ret.exe
RunLink_ret.exe
SysRecoveryLink_ret.exe
WizardLink_ret.exe

The Adware infected a .dll file, and I was advised not to delete it.

CDLogic_ret.exe is Agent.bdzz; the rest are Agent.beaf

I have run my antivirus, MBAM, and the online scanner again and they picked up nothing. Also, the Adware and Trojan-Spy's were all found during MBAM scans, but F-Secure picked them up.

I have attached a HiJackThis log and a DDS log; GMER froze my computer partway through the scan when I used it. I have ran a...

A:Infected with Trojan-Spy.Win32.Agent.bdzz, Trojan-Spy.Win32.Agent.beaf, and Adware.Win32.WebHancer.x

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

* Download DDS by sUBs from one of the following links. Save it to your desktop.
  DDS.scr
  DDS.pif
* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results.
* Foll...


PLEASE HELP!!! I've tried absolutely EVERYTHING and don't have the $$ to take my computer in to get fixed. I'm infected with a bunch of worms and I've followed all the directions for removal from this site and NOTHING is working! I've even printed off the directions for the new user orientation to scan and remove everything possible from my computer and the virus/worms have infected everything! I'm unable to download Housecall and Panda Anti-virus and when I downloaded Bit Defender I now have the WIN32:VB-ELN worm that pops up every other second from my Avast anti-virus alert. I've tried uninstalling the Bit Defender and I can't find it anywhere! My computer tells me I need to uninstall it under my control panel and it's not there! HELP! I was going to download McAfee AVERT Stinger and it said to disable/turn off my system restore first and my computer won't allow me to! I don't know what to do!!! Following is a list of worms/virus that my computer keeps saying I have...

WIN32:small-GWM [trj]
WIN32:VB-ELN [wrm]...pops up every other second!
WIN32:Adware-gen [Adw]
WIN32:CTX
Worm.IM.Sohanad

and there's a list of more, but those are the ones that keep popping up the most! PLEASE HELP!!!!!

A:Help! I'm Infected W/win32:vb-eln [wrm], Win32:adware-gen [adw]

Have you done a boot time scan with avast yet?


Hi,

I seem to have a virus, worm and/or Trojan horse. I think I got it off of Limewire. I accidentally downloaded a .exe program (which I never do - except this time - idiot!) and I believe that's when I got it/them.

Per the prep guide, I have cleaned out my temporary internet files, temp files and recycling bin.

I have updated versions of Ad-Aware SE and Spybot and have run them both, restarted my computer and then run them again.

I have run Housecall Anti Virus and Bit Defender (twice each), but couldn't get Panda Anti Virus to work. I have also run McAfee VirusScan (build 9.1.08 engine 4.4.00 DAT version 4.0.4585) and Bazooka Scanner v1.13.03 ("nothing detected").

I have loaded and run McAfee AVERT Stinger.

I have McAfee Personal Firewall Plus (6.1.6144) running and is up-to-date. It is blocking specifically winlog.exe and svchost.exe. My firewall detected winlog.exe trying to connect to the internet immediately when I accidentally (and stupidly) downloaded that .exe file. I blocked all access to the internet for it. I believe the svchost.exe was blocked previously, but I don't remember. Setup.exe (outlook.exe) is also blocked for some reason (I tend to block any connection that I'm not sure about). Run a DLL as an app (rundll32.exe) is also blocked. Most other stuff I recognize. Except for ping.exe (ping.exe). That's, for some reason, at "allow full access". Is this okay?

I am running Windows XP SP2 that is up-to-date. My browsers are IE (v 6.0.2900.2180.xpsp_...

A:New Malware!bot, Win32.worm.vb.ymeak.a, Win32.worm.vb.dw And Backdoor.rbot.cmn

Hi KevinF2020 and Welcome to the Bleeping Computer!

1. Please download Ewido Anti-Malware

* Install ewido anti-malware
* Launch ewido, there should be an icon on your desktop, double-click it.
* The program will now open to the main screen.
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
* You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
* The update will start and a progress bar will show the updates being installed. (the status bar at the bottom will display "Update successful")
* Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.

* Right click the BFU folder on your desktop, and choose Extract All
* Click "Next"
* In the box to choose where to extract the files to, Click "Browse"
* Click on the + sign next to "My Computer"
* Click on "Local Disk (C:) or whatever your primary drive is
* Click "Make New Folder"
* Type in BFU
* Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

* Save it in the same folder you made earlier (...


hi, kaspersky scan (included at the end) came up with a few infections, please help me with removal

logs:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Yanai Michael at 2008-12-14 13:16:05
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 4 GB (9%) free of 53 GB
Total RAM: 1526 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:16, on 14/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\...

A:got Trojan.Win32.Agent.asvc Trojan-GameThief.Win32.Magania.amrr Worm.Win32.AutoRun.trh

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. After it has finished, two logs will open. Please post the contents of both. log.txt will be maximized and info.txt will be minimized. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

While we are working on your HijackThis log, please:

* Reply to this thread; do not start another!
* Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
* Do not run any other tool until instructed to do so!
* Let me know if any of the links do not work or if any of the tools do not work.
* Tell me about problems or symptoms that occur during the fix.
* Do...


Hi, I'm having a problem with popups. When I run Avast it finds files and gets rid of them but it seems that every time I do a scan it picks up something new. Here is a list of the files it's deleted so far.

A0007433.dll win32:trojan-gen
A0007484.dll win32:rootkit-gen
A0007485.dll win32:adware-gen
geBqQJYp.dll win32:trojan-gen
pmnOHXoL.dll win32:rootkit-gen
trz1.tmp win32:rootkit-gen
tuvvpjgd.dll win32:adware-gen

here is the DDS log

DDS (Ver_09-01-19.01) - NTFSx86
Run by Administrator at 7:09:47.25 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.250 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090125-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C: ... Read more

A:Pop ups, win32:trojan-gen, win32:adware-gen, win32:rootkit-gen

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..


this is like the nth time i've tried posting this. ie keeps crashing just before i hit the post button.

anyway, i'll keep this short lest i die of frustration once my ie crashes again.

pleasepleaseplease help me get rid of the trojans/worms infecting my pc. right after i noticed my exe files going wonky (double clicking only yielded a black windows script/run box instead of opening the program), i scanned my pc using trendmicro, which zapped a couple of problems. when i commenced scanning using panda, my pc crashed and kept restarting. so i ran it in safe mode, scanned using bitdefender which deleted most of my exe files (since i didn't realize my preferences were set at disinfect/delete.)

according to the scan results, my pc was infected with a couple of strains of the PWS Trojan : PWS.OnlineGames., Generic.PWStealer., Generic.Onlinegames., Trojan.Dropper.OnLineGames.A, DeepScan:Generic.Malware., Trojan.PWS.Nilage and Win32.Worm.Delf.NDQ and Win32.Worm.Viking among others.

after the online scans, here are the things i've done so far:
1. installed ad-aware and scanned in safe mode
2. installed spybot and scanned in safe mode
3. spybot ran diagnostic scan after restart. was able to run windows in normal mode
4. scanned using avg, disinfected
5. scanned using ad-aware.
6. scanned using spybot. went on with my life for a couple of days.
7. scanned using spybot. found a couple of threats... disinfected and clicked immunize. no more threats found after
8. scanned using ad-aware. no results oth... Read more

A:Win32.worm.delf, Win32.worm.viking, Pws.onlinegames, Among Others

Welcome to the BleepingComputer HijackThis Logs and Analysis forum pill

My name is Richie and i'll be helping you to fix your problems.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if ... Read more


Hello all,

Because of my careless actions while using my computer and IM i got infected and now i can't get rid of it. I'm getting now ad pop-ups only, and i think i got rid of some infections that came but still there are left a few. I got this infection about a week ago. Computer hasn't been used much after that 'cos i had to go away for a week and didn't have time to try to fix it then. Now i tried to fight with this for a couple of days, but no glorious victory for me here.

Kaspersky's online scan report is last in my post

If you have time and knowledge to help me, i would appreciate it.

Thanks in advance

main.txt:

Deckard's System Scanner v20071014.68
Run by Jaybird on 2008-06-07 14:21:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Jaybird.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:28, on 7.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\W... Read more

A:Infected With Win32.virtumonde/win32.monde/win32.ircbot

Hello Jay-EM and welcome to BleepingComputer,

1.
* Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu..
Click the Clear now button below.. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed,... Read more


Firefox and Mostly IE is experiencing redirects when I search through any search engine. Avast is continuously stopping malware in the Windows\Temp folder.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ricardo at 15:09:36.31 on Sun 12/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2184 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\... Read more

A:Infected with Win32:Malware-gen, Win32:Rootkit-gen, and Win32:Spyware-gen

Please close this post. I'm reformatting and reinstalling an Acronis Image prior to the infection. Thanks anyway.


please help me....idk what to do....i've removed a lot of other things that were on here but my nod32 didn't detect the following infections.....what can i do next to get rid of all this stuff? and i also have a file called fdccffbffbd.dll that keeps showing up...and i can't delete it....thank you..........and happy thanksgiving

*KASPERSKY ONLINE SCANNER 7 REPORT*
Wednesday, November 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3(build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 26, 2008 09:59:47
Records in database: 1418243

*Scan settings*
Scan using the following database extended
Scan archives yes
Scan mail databases yes

*Scan area* My Computer
A:\
C:\
D:\

*Scan statistics*
Files scanned 101537
Threat name 5
Infected objects 14
Suspicious objects 0
Duration of the scan 03:13:31

*File name* *Threat name* *Threats count*
C:\RECYCLER\S-1-5-21-1951078608-3892172462-226310285-2436\service.exe Infected: Trojan.Win32.Inject.klc 1
C:\WINDOWS\E9799D51180EBCF428C0E71E5EC4E.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\system32\217a4f513bda8c39391806b701df2f85.TMP Infected: Worm.Win32.AutoRun.sqi 1
C:\WINDOWS\system32\2efb3b0a17c581a7bec8fd94826f0358.TMP Infected: Worm.Win32.AutoRun.sqi 1
C:\WINDOWS\system32\76690fc87fd1453bc483de47389e1230.TMP Infected: Worm.Win32.AutoRun.sqi 1
C:\WINDOWS\system32\979e69aafdc832e6... Read more

A:Worm.Win32.AutoRun.sqi, Trojan.Win32.Inject.klc, Trojan.Win32.Monder.zfd

bump


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22:11, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sly... Read more

A:Infected With Adware Agent Bn (a.k.a Adware/videocach [panda], Adware.win32.agent.ci [kaspersky], Adwar)

Welcome to the BleepingComputer HijackThis Logs and Analysis forum beaverbottoms

My name is Richie and i'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly t... Read more


Hello to all and thanks in advance for you support and HELP

I do appreciated very much If you are able to help me

I have signed up long ago I cannot remember password etc. cannot access email I have created a new account for this post, my first post.

I am infected with NMC.WORM.WIN32.NUQEL.FEQ
[HKLM_KEY]=\SYSTEM\CurrentControlSet\Services\ekrn
[FILE_DEL]=%appdata%\MusaLLaT.exe

For weeks I have been trying to remove it with EMCO Malware Destroyer

It says it is removed but it is there on every re-scan it is the only Antivirus/malware remover tool that can detect it, I have scanned with tdsskiller, Microsoft, spybotSD, Malwarebytes Anti-Malware, and more, no detection.

My desktop has windows 7 SP 1 and 4 MB ram, internet explorer and firebox

My Yahoo Email account has been hijacked for months and Yahoo had not helped at all I can log in email, cannot delete spam messages, cannot read messages, cannot open messages, I have replaced password some time ago with no changes, my acc. Infected ([email protected])

this line below appears on the pages of Yahoo mail, sometime in browser as well

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright © 2003-2006 Right Media*/var rm_ban_flash=0;var

Before this was single line now is a full page.

when opening a message a small box opens with this message:

Network Error
Yahoo!7 Mail was unable to connect. Please reload the page or verify that you network... Read more

A:I am infected with NMC.WORM.WIN32

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete tab follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

===

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator to start"
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller+

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, pleas... Read more


Hi there,

Yesterday I downloaded and installed Google's Chrome browser and twice now, yesterday and again today I have got a BSoD and crashed suddenly. After re-booting today I also got a warning from Avast saying this file is infected:

C:\WINDOWS\SYSTEM32\process.exe
Rootkit: hidden process

It prompts me to re-boot and run a boot scan, which came up with one file infected with the Win32:VB-ALP worm, but I couldn't complete the scan as it just hangs after running for about 2hrs.

Spybot S&D scan comes up clean, and 2 attempts at a system restore have both failed.

I'm hoping you can help me, here's my HJD log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:49, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WI... Read more

A:Infected with Win32:VB-ALP worm


I am about to literally go insane and that is no joke. Something is affecting my system. And before you tell me to read the sticky and do the scans you recommend and load the logfiles here, just let me say I tried running them both and they both get shut down by whatever is affecting my system. I suspect it is a badboy worm. Let me give you the details of what has happened thus far and maybe you can advise me how to proceed:

About a Week or so ago I had just logged off my Facebook account and went to Myspace and was logging in there, (I am running Windows XP Professional Edition) I had Avast Free Edition AV Software installed, it came up and told me that it had caught something, (I can't remember the exact thing) I clicked to open it up and quarantine it and immediately it locked up and then I started getting all this Rogue Type Spyware coming onto my system, mainly Advanced Antivirus 2010. From there my system took a downward spiral, whatever was on here kept downloading Trojans, several to be exact and exploiting my system. I deleted Avast and installed AVG and it caught several Trojans and quarantined them, some of the newest ones have been:
PDF/Exploit.Gen.Trojan (I was able to remove that with EST Online Scanner, once I removed that, that scanner locked up on me.) I have ran VIPRERescue 5387 once on my system and it caught and removed several Trojans. Here are the symptoms I am experiencing:

1. Every Antivirus Program that I have installed and tried thus far locks... Read more

A:Please Help Infected with Win32 Worm!

Sorry for the second post but I also wanted to mention that I found the list of the Trojans I had and they are/were:

Win32/Cryptor
Generic14.AQUV
SHeur2.BCKX

I am hoping someone can help me, I am still not able to run the two scans, they shut down immediately, I even tried in Safe Mode with Networking. Thanks in advance again!


Hi
my comp has been infected and i really need you guys to help, it's running at 100% cpu as soon as i try to run anything and is very slow, i've run various anti virus programmes but can't shift these ones:
SYSPROTECT, Win32.Jeefo.a, Email-Worm.Win32.Sober.z

i get the friend finder pop up and it keeps telling to download a virus programme

hope you guys can help.
here is my hjt log

Logfile of HijackThis v1.99.1
Scan saved at 22:21:24, on 08/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\... Read more

A:Solved: SYSPROTECT,Win32.Jeefo.a,Email-Worm.Win32.Sober.z PLEASE HELP REMOVE!!


It appears that I may have the Internet Security 2010/trojan.win32/worm.win32.netsky/TrojanSPM/LZ (or whatever it's called) virus on my laptop and would greatly appreciate your assistance. When I turned it on, it started giving me the below "Spyware Alert!" message followed by the below "WARNING" message after I logged in. My desktop background had NOT changed, as I've seen other people report. I (stupidly) tried to start removal of the virus without your assistance by deleting some of the suspected files. Now, when I login, it immediately logs off. (This happens regardless if I "Start Windows Normally" or go into "Safe Mode") Obviously, before I can post/attach a DDS or HJT log and begin the process of removing the malware, I will need assistance getting logged in. Thanks in advance for your assistance.

============================================

Spyware Alert!

Security Warning!

Worm.Win32.NetSky detected on your machine.
This virus is distributed via the Internet through e-mail and Active-x
objects.
The worm has its own SMTP engine which means it gathers e-mails
from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.
Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vi... Read more

A:Possible Internet Security 2010/trojan.win32/worm.win32.netsky/TrojanSPM/LZ

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum so we can get you started. ~ OB


My avast antivirus software keeps detecting recurring instances of a Win32: Sality virus, along with Malas.B [wrm]. I scanned the infected files with an online Kaspersky tool, and it said they were infected with P2P-Worm.Win32.Malas.r.

I've been getting these messages every once in a while for a month or two now. I've scheduled boot-time virus scans with avast, and other anti-virus programs without successfully detecting anything.

I've noticed some of my processes refuse to exit, even though I start task manager to end the process/process tree. Such includes Firefox and Chrome processes, even though the programs have already disappeared from the screen. Additionally, whenever I start Avast, I am blocked from accessing the internet with chrome, internet explorer, or firefox.

Could anyone lend a hand? Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:11 AM, on 7/7/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Camera Assistant Software f... Read more

A:Antivirus Detects recurring instances of P2P-Worm.Win32.Malas.r, Win32: Sality


It appears that I may have the Internet Security 2010/trojan.win32/worm.win32.netsky/TrojanSPM/LZ (or whatever it's called) virus on my laptop and would greatly appreciate your assistance. When I turned it on the other day, it started giving me the below "Spyware Alert!" message followed by the below "WARNING" message after I logged in. My desktop background had NOT changed, as I've seen other people report. I (stupidly) tried to start removal of the virus without your assistance by deleting some of the suspected files and got caught in the Login/LogOff loop. I am now able to get logged in after following the advice here: http://windowsxp.mvps.org/peboot.htm (Thanks to BartPE, What a great tool!). Now, when I try to launch most any (I hesitate to say ALL) applications, even the Task Manager, I get the "WARNING - Application cannot be executed. The file is infected. Please activate your antivirus software." message.

When I ran DDS it did not automatically open the logs in Notepad, even though I still have the "WARNING - Application cannot be executed. The file is infected. Please activate your antivirus software." message open so that I could get DDS to launch. (I saw this suggestion somewhere as a work around.) Instead I found them in "C:\WINDOWS\Temp" and have provided them here. Also worth mentioning, I noticed that there were two additional files with the same date/time stamp in the "... Read more

A:Possible Internet Security 2010/trojan.win32/worm.win32.netsky/TrojanSPM/LZ

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hi bleeping computer helpers,

I was infected by the worm.win32.autorun.avz which quickly overwhelmed my AVG scanner which was up to date and operating at the time.

I installed Kaspersky Internet Security 7.0.1.321 and it found over 230 examples of the autorun worm as well as lots of the trojan PSW.Win 32.OnLineGames.lej (and numerous other OnLineGames.---) as listed above. At first the virus was restarted every time I restarted the computer but now I have "clean" results from Kaspersky after multiple full system scans.

I have also done the following as per the instructions in the prep guide:
- Cleaned out temp files
- scanned with Ad-Aware and Spybot
- scanned with Housecall, Panda and Bit Defender
- Run McAfee AVERT stinger
- my Kaspersky firewall is active
- I have the latest Windows Updates downloaded and installed

All of these came back with a "clean" report with the following exceptions which I believe to be false positives based on googling the name of the "problem".

One or more of the scanners objected to the following issues:
LvPrcSrve.exe which I believe is a valid part of the Logitech Quickcam
wltrysvc.exe which I believe is part of the Belkin Wireless strength monitor
Keylogger \Driver\mhk which I believe is part of my BestCrypt program
SbRecovery.ini which I believe is part of Spybot
svchost.exe which I believe is a part of Windows despite Kaspersky telling me 5-6 times in a row that an "executable file has been modified since last s... Read more

A:Worm.win32.autorun.avz And Trojan-psw.win32.onlinegames.lej And Also Ending W/ .lek .isb .loi .leh .hfr

Hello GDW and welcome to the BC HijackThis forum. Let's see what else shows up with a different scanner.

Before running the scan let's clean out the temporary folders. Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Check the box for Include MD5 on the toolbar.
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select ... Read more


Hello - this is my first time posting (or even having a virus for that matter). My computer and flash drive have been infected with a virus (thanks to one of my colleagues) and I have spent hours trying to get rid of it. I am at the end of my rope! The virus originally showed up as "windowsmsnlive.exe" and I worked like hell to get rid of it, running NAV, Malwarebytes, and eventually SDfix. But somehow the virus kept coming back. I realized it was the autorun feature on my CPU and flash drives, so I disabled that and have not seen windowsmsnlive.exe for a couple of days. However, my paranoid nature will not allow me to believe that I have gotten rid of it and i am afraid to plug my flash drive into my home computer for fear of spreading something. I ran Kaspersky today and got the following report:

File name Threat Threats count
C:\Documents and Settings\Admin\Desktop\Docs and pics\autorun.inf Infected: Worm.Win32.AutoRun.efg 1
C:\Documents and Settings\Admin\Desktop\Docs and pics\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe Infected: Trojan.Win32.Buzus.bkbe 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Buzus.bkbe 1
C:\SDFix\backups_old\backups.zip Infected: Trojan.Win32.Buzus.bkbe 1
C:\SDFix\backups_old1\backups.zip Infected: Trojan.Win32.Buzus.bkbe 1
E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-...

A:Trojan.Win32.Buzus.bkbe AND Worm.Win32.AutoRun.efg

Hello - this is my first time posting (or even having a virus for that matter). My computer and flash drive have been infected with a virus (thanks to one of my colleagues) and I have spent hours trying to get rid of it. I am at the end of my rope! The virus originally showed up as "windowsmsnlive.exe" and I worked like hell to get rid of it, running NAV, Malwarebytes, and eventually SDfix. But somehow the virus kept coming back. I realized it was the autorun feature on my CPU and flash drives, so I disabled that and have not seen windowsmsnlive.exe for a couple of days. However, my paranoid nature will not allow me to believe that I have gotten rid of it and I am afraid to plug my flash drive into my home computer for fear of spreading something.

Here is the DDS report:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Admin at 8:38:16.14 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.509 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============



Hello and thank you in advance,

I have attached the DSS reports and the Kaspersky report below. Besides having a slow computer, I have noticed that in my "suspect e-mail folder" in my Earthlink account I have lots of messages reading "delivery error" and there are a lot of messages I never sent. I'm pretty sure this would be the e-mail worm that's in the Kaspersky report. I'm not sure about all the rest. We use the Windows Firewall and AVG Free 8.0. I also have used SpyBot Search and Destroy. I think Kaspersky found more than everything else combined. Can you please help me clean up my computer? Thanks!!!

THE DSS Main.txt report:

Deckard's System Scanner v20071014.68
Run by Meredith on 2008-07-28 07:25:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
84: 2008-07-28 14:26:14 UTC - RP763 - Deckard's System Scanner Restore Point
83: 2008-07-27 16:48:35 UTC - RP762 - System Checkpoint
82: 2008-07-26 16:47:22 UTC - RP761 - System Checkpoint
81: 2008-07-25 16:17:28 UTC - RP760 - System Checkpoint
80: 2008-07-24 15:54:47 UTC - RP759 - System Checkpoint
-- First Restore Point --
1: 2008-04-29 22:03:55 UTC - RP680 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 255 MiB (512 MiB recommended...

A:Trojan-downloader.win32.vb.ah And Email-worm.win32.sircam.c

Just wondering... how long does it take for someone to respond?


As you can see from the title, I got a bad infection. I am getting the same screen warning others are getting in other threads concerning this same infection. I am not on this computer as I am afraid to plug it into my home network. I used a memory stick to get this log. Can you please help me? Thanks in advance.
Here is HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:34 PM, on 12/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:


Hello,

I have a Dell Latitude CPIa with Win XP Pro that seems to be infected with both a worm and a trojan. The trojan turned up first. Name Win32:Small-EPJ. While trying to remove it, I suddenly got warnings from my Avast that it was also infected with a Win32:Zhelatin-BJL worm. My questions are these. How do I remove them and is it possible to find out where I picked them up?

My deepest thanks to anyone who can help me!
After an Avast bootscan I have two other trojans trying to make a connection with my laptop. They are Win32:Agent-Kir and win32:Agent-MEB.

A:Probs With Win32:zhelain-bjl Worm & Win32:small-epj Trojans

Hello, run these 2 items:
1) Panda Activescan. This Online scan should find and remove most Virus/Trojans.
2) Next: download, install and update SuperAntispyware.
Then reboot back to Safe Mode.
Scan your root drive (C:\) and quarantine all items found.

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
Do not run a scan just yet.
Reboot in "SAFE MODE" using the F8 method and launch SUPERAntispyware.
In the main screen, under "Scan for Harmful Software" click Scan your computer.
There are three scanning options. Choose "Perform Complete Scan" and click "Next".
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure they all have a checkmark next to them and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked to reboot, click "Yes".
If not, select Close to exit the program and reboot normally.
Let us know how ut...


Hi, here is my problem. Every time I download some movies or other things by opening my computer overnight, it must pop out an error window said:
C:\Documents and setting\KkianN\Desktop is not accessible.
Not enough quota is available to process this command.

The icons only left on my screen were My computer, my network places and Internet explorer. When I refresh my computer, it came out the same message again. (This problem occurred when I opened my computer overnight by using Thunder5 this software to download things.)

When I tried to shut down, a message said You do not have permission to shut down this computer. When I tried to use windows task manager to shut down, once I click Ctrl+Alt+Del, an application error message came out said:
This application failed to initialize properly (0xc000012d). Click on OK to terminate the application.
Then I just can reset my computer.

Actually I have posted in BleepingComputer.com > Security > Am I infected? What do I do? there. Then I followed the instruction in "Preparation Guide For Use Before Posting A Hijackthis Log". Unfortunately, I can't finish all the steps there. For step 4, I can't remove win32.generic.pws, win32.trojan.psw.delf and Win32.trojan.pws.onlinegames by using Ad-aware 2007. While scanning by using spybot, it stuck while scanning. After that suddenly pop out a window said:
Spybot-Search and destroy has detected an important registry entry that has been changed. Category: System Startup global entr...

A:Infected With Dropper.agent,logger.pcap.a,win32.generic.pws,win32.trojan.psw.delf And Win32.trojan.pws.onlinegames

Hello, I had reformatted my computer since it could not open and stuck in the welcome window few days ago. So, now my computer is alright..thanks for viewing and trying to help me to fix the problem.


My computer is infected, first with something called Live AntiSpy 2.1, now my popups claim infection by Worm.Win32.Netbooster. I cannot connect to the internet of my own volition. Instead, I get "IE cannot display the web page". I can occasionally connect if a hijacker sends my browser to his site. Then I can manually redirect to an anti-spyware site, but all downloads attempted get put into an infinite loop or just stop on their own. I tried downloading Spybot to a thumbdrive and running the executable on the infected machine, but it makes a call over the internet, then goes into an infinite loop. I have no control over the desktop wallpaper, and the Task Manager has been "disabled by the administrator".

My system runs WinXPn Pro SP2; browser = IE 7.

Any help greatly appreciated.

mccullma

A:Infected With Worm.win32.netbooster, Among Others

Hi welcome to BC. Please run this scan..

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner sc...


I think this all started when I accidentally downloaded a program mistaking it for something else. I uninstalled it asap but now there's other problems. I can't run Disk Cleanup on C drive nor use system restore.
This frequently pops up. There's a lot of them in quarantine now.
Help is much appreciated, thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:40 PM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:

A:Infected with Worm.Win32.AutoRun

Hello ShadowDorumon,

I will be assisting you with your malware issues.
Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
Please bookmark or favourite this page. In case you need it as reference or etc.

IMPORTANT NOTE: If you are using Windows Vista you must right click on the desktop icon and choose Run as Administrator all tools.
----------------------------------------------
I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

Thank you for your patience.


I opened IE7 this morning and it immediately opened to a page saying "Warning! Restricted Site!" I then started getting a message from my system tray that I was infected with Malware-"Click here to protect your computer from Spyware" (which I ignored) and pop-ups saying I have Worm.Win32.Netsy. I am running Windows XP with Service Pack 3.

I have followed the instructions in your new user forum. However, I cannot get DDS to run. I get an error that says-Application cannot be executed. The file is infected. Please activate your anitvirus software. Then a "Data Execution Prevention - Microsoft Windows" pop-up opens. I have done nothing with this either.

I did run RootRepeal and Hijack This. Logs are attached.

A:Infected with Worm.Win32.Netsky

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


After downloading and installing the Google Chrome browser I got a BSoD twice followed by a sudden crash. I uninstalled Chrome after which Avast alerts me to a suspect file and prompts me to re-start and run a boot scan. The boot scan gets so far, finds one infected file C:\WINDOWS\SYSTEM32\process.exe Rootkit: hidden process. The scan then hangs after running for about 1 hour, this has happened 3 times.

I tried to do a system restore, but 5 restore points I tried all failed. Spybot S&D scan came up clean. Also the windows update doesn't seem to be working either, it keeps failing to install the Validation Tool.

I tried the Kaspersky online scan, this failed 3 times after running for several hours as well. I am including the report of what it found before it failed though. What's weird though is that I don't have Norton Antivirus on my computer, or so I thought.....

Please help if you can!
Thanks

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 16, 2008 07:42:54
Records in database: 1464925

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\

Scan statistics
Files scanned: 81010
Threat name: 3
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 03:42:52

File name Threat ...

A:Infected with Win32:VB-ALP worm and other trojans

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part...


DDS (Ver_09-06-26.01) - NTFSx86
Run by William at 18:34:19.70 on 16/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3326.2618 [GMT 1:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

A:Infected with Worm:Win32/Bagle.gen!C

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


I have a really irritating worm on my PC.
I have removed it several times with zonealarm antivirus / antispyware but it just keeps coming back.
Also the computer hangs for about 15 - 30 seconds once every 1-2 hours.
Whenever I plug in an external drive I get a popup from zonealarm reporting the same worm is on the external drive. I have renamed, deleted and quarantined, but none of those seem to fix the problem. After a day or so it just comes back.

I read on another forum that a program called "Flash_Disinfector" would fix the problem, but that did not help.

I have attached a zipped file with kaspersky scan report and zone alarm report.

Here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:03:05, on 21/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:


I'm infected with worm.win32.netsky and I don't know how to get it off. I'm on my mom's laptop and my desktop got infected, how do I get it off?

A:Im Infected With Worm.win32.netsky Plz Help

Welcome to Bleeping Computer madphizx

Please run these tools and let us know.

Download Super Antispyware, free Home version.
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from HERE.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Reboot to Safe Mode and reopen the program.
How to Start windows in Safe Mode
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "...


Hello,
I recently was having problems with firefox redirecting and internet explorer opening up in the task manager processes even though I NEVER use it. My computer has also recently been giving me the blue screen of death and now it just rebooted on its own and gave me a message about my computer being infected by worm.win32.netsky. It disabled my task manager which I was able to get back by changing the value for "DisableTaskMgr" under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to zero instead of one. I'm not sure what else to do at this point to eliminate the virus.

I am running Vista on a Gateway laptop

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:37 AM, on 1/24/2010
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Running processes:

A:I have been infected by worm.win32.netsky


I have been infected with worm.win32.netsky and Norton can't delete it. I am getting pop up antivirus programs like xp antivirus, privacy protector and a couple of others. How do I go about deleting these programs? Also I am using windows xp. I have tried system restore and using norton antivirus.

A:Infected Says Worm.win32.netsky

If you're using Win XP or 2000, do this:

Please print out and follow the generic instructions for using "SmitfraudFix". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free.
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
Under the "Configuration and Preferences", click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchec...


Computer was thought to be infected with Worm.Win32.NetSky. Warnings popped up to click for a site to get rid of virus and Desktop background changed color. While checking online I was prompted to install Combofix. I now have run it before reading the warning signs. Not sure I should turn off computer now, after reading the warnings. Thanks

A:infected with Worm.Win32.NetSky

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.


Dear all,

I am using Kaspersky Internet Security 7.0 and it told me that:
C:\System Volume Information\_restore{7BF45701-A36D-4015-A066-3F6D33D97370}\RP1\A0000005.dll
is infected by "Worm.Win32.AutoRun.bmn"

I tried to remove it but Kaspersky said that it fails to move or delete the file.

Actually I tried BitDefender before and it also told me that it cannot move the file.

On the other hand, do I need to post a HijackThis Log for the experts to analyse my problem?

Hope some experts can help me to solve this problem. Thanks!

Ken

A:Got Infected By Worm.win32.autorun.bmn

The infected RP***\A0000**** file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
