Internet worm I-WORM/VB.FZ and other pesties


Hello friends,

Please help and advise suggestions.

Firstly the pesty number 1
- I-WORM/FB.FZ refuses to leave my HD.

It is multiplying in all folders and files with .exe. My AVG detects it and heals it but it comes back again and again. The problem has somewhat slowed down since I used Vundo but it is still there.

I have also used Super Ant Spy ware but no effect. I use Firefox 2.0.0.11 mostly.

Secondly pesty number 2 which automatically starts my IE 7 with the nasties from

This happens ever so often and it chokes my CPU. Seems my browser is hijacked ?? and I have blocked this site umpteen times under OPTIONS>TOOLS>PRIVACY
but god knows how it bypasses the filtering.

Please see attachment for AVG results.

Kindly suggest some remedies. Thanks a lot folks. Cheers

A: Solved: Internet worm I-WORM/VB.FZ and other pesties

This new worm attempts to spread in a number of different ways. It can spread by email, open email shares, or unpatched Microsoft security vulnerabilities (MS03-026 and MS04-011).

MS04-011: Plexus.A worm (email and Internet worm)
http://secunia.com/virus_information/9831/plexus/
http://www.symantec.com/avcenter/venc/[email protected]
http://vil.nai.com/vil/content/v_126116.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_PLEXUS.A

Article: Worm Exploits Multiple Windows Vulnerabilities
http://www.techweb.com/wire/story/TWB20040603S0007

Plexus.A worm - Characteristics
Subject of email: RE: order For you Hi, Mike Good offer. RE:
Name of attachment: SecUNCE.exe AtlantI.exe AGen1.03.exe demo.exe release.exe
Size of attachment: 16,208
Time stamp of attachment: n/a
Ports: TCP 1250, a random TCP port
Shared drives: Copies itself to network shares
Target of infection: Copies itself to KaZaA shared folder

Methods of Infection
* Retrieves email address from files with .htm, .html, .php, .tbb, and .txt extensions, on all fixed drives from C through Y.
* Uses its own SMTP engine to send itself to the email addresses it finds.
* Spreads through network shares and the Kazaa file-sharing network.
* Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011)
* DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) through TCP ports 135 and 445.
* Listens on TCP port 1250 and a random TC... Read more

I just found this result from my virus scan (Inoculate PE):
c:\unzipped\shareing\kazaa lite\my shared folder\muppetpt.zip>funny muppet.exe - Win32.Choke.45056 worm.

I have no idea what to do with it

I'd love some please

A:[Resolved] Help with worm virus (win32.choke.45056.worm)

My operating system is now Windows XP SP3 - updated recently.

Infection problem. Background: yesterday I did a Secunia scan and found 2 programs that were listed as insecure. Adobe was one - I removed the old program and updated to Adobe 9. It also said that an older version of Java was insecure - I already had the newest version, so I removed the older one. I then did another Secunia scan and everything came out as OK.

When I turned my computer on this a.m. and tried to access internet via IE 7, nothing would happen. I was able to go on line via AT&T Yahoo. I went to the "add or remove programs" to see about uninstalling IE 7 and reinstalling from Microsoft's website. IE 7 shows in the populated list, but there is no tab that allows removal. So, I went to Microsoft's site and downloaded IE 7 again. When I try to open IE 7, I'll get the "welcome" screen but when I try to proceed, I get the message from AVG saying I'm infected and when I say "OK" to quarantine, IE 7 closes and it asks me to restart my computer. When I do, the same thing happens all over again. I have saved pics of the screens. I have done a HJT scan and done an AVG scan. I am posting the pics of the report section of AVG, the HJT scan, and the pics I got when trying to open IE 7.

A:Worm.Lover.a; Worm.Brontok.cu; Tracking Cookies.Webtrends

I have just removed the blackmal worm from my Vaio laptop using Symantec's worm removal tool but can't reinstall / repair Norton AntiVirus as it came with my Vaio system software and I would have to do a complete wipe-and-reinstall of my hard drive to get it back on again. So I downloaded Anti-Vir which verifies that my system is now virus free but it is still running so SLOWLY that I can't do anything. Menus, taskbar, explorer, loading programs, everything takes 5-10 minutes just to pop up or start. Can I undo this damage ostensibly done by the worm without doing a complete system reinstall ?
Only one other dumb thing I did was try to run the Norton Rescue disks using floppies made on another PC running Win 98 - when I booted with floppy 1 it warned that the disks were made for another PC and could do damage to my files but I ignored the message and continued as I was so desperate (rescue disks didn't work anyway as they didn't have current virus definitions).
Any suggestions?

A:blackmal worm cleanup (kama sumtra worm, killAV.GR)

Hi, Most systems that use the Recovery type of CD also have a way to reinstall individual programs....are you absolutely sure yours does not have a way to reinstall one selected program?

Post the exact model of the PC please and I will check on some things.

Using two active antivirus programs can cause slowness and other performance problems, can you turn off one of the programs from starting when the computer does?

With Norton programs, a reinstall may not take place if it sees another installed antivirus program; when and if a reinstall can take place, you will need to disable Antivir or uninstall it, to allow the Norton install.

Personally, I think I would just remove Norton using their removal tool; I have seen some systems completely crash though in just about your same situation, and a full recovery was needed. (The kind where you lose all files, and are back to factory settings).
Are there any files you must keep....I'm not talking music, I mean documents or personal files that you cannot replace? If so, I would consider backing them up somehow before you proceed any further. Since you have a laptop, it would be difficult to take your hard drive to another computer and simply copy files....
If there is nothing important on the system, and you do have a way to do a full recovery, you could try the Norton removal tool that assists when the program is damaged, it removes everything from the Norton Internet Security suite or a standalone version....but we... Read more

This is a worm written in VB with the following characteristics:
1. The worm attempts to lure victims to follow a URL link, in so doing downloading a copy of it, and infecting themselves. It monitors Internet Explorer windows in order to detect when a new message is being created within MSN Hotmail.
2. The worm monitors browser window to detect when MSN hotmail is being used for sending new mail, and inserts text to such messages, which contains a URL from where the worm is downloaded if the recipient clicks on the link.
3. It deletes files on the root of C: and A:, and copies itself there in place of those files, appending a .EXE file extension

Hotmatom Worm - New MSN Hotmail based worm deletes files
http://secunia.com/virus_information/27456/hotmatom/
http://vil.nai.com/vil/content/v_138829.htm
http://www.sarc.com/avcenter/venc/data/w32.hotmatom.html

Hi. I've been getting frequent notifications from ESET NOD32 Antivirus 4, about some IP addresses being blocked by it. Because of this I scanned my PC with it. It detected some viruses but I still get the same notifications. To be more specific, I'll attach the scan logs.

ESET NOD32 Antivirus 4 scan logs

12/8/2011 2:43:15 PM HTTP filter file Win32/AutoRun.Delf.AI worm connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
12/8/2011 2:40:50 PM HTTP filter file Win32/AutoRun.Delf.AG worm connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
12/8/2011 2:30:44 PM HTTP filter file Win32/AutoRun.Delf.AI worm connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
12/8/2011 2:26:48 PM HTTP filter file Win32/Virut.NBP virus connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
12/8/2011 2:19:23 PM Real-time file system protection file C:\... Read more

A:Virut.NBP Virus, AutoRun.Delf.AI worm, AutoRun.Delf.AG worm, AutoRun.Agent.DO worm, Injector.LTG trojan


I was tricked into clicking on a supposed Greeting Card weblink in an email which downloaded, I think, Greeting Card.exe which had already activated itself. The virus was hijacking the internet connection to do something - a fast broadband connection became slow. AVG Anti-Virus identified Downloader.Tibs, adirss.exe and various game.exe files, but deleting them from the vault only provided temporary respite because they would be re-created.

I have followed your instructions to the letter: cleanmgr, CWShredder, AdAware and Spybot in safe mode, Panda Antivirus, McAfee AVERT. In between the last two I also did a full scan with my now-upgraded AVG Internet Security.

AdAware found 16 objects which I deleted. Some 10 of these were cookies, but a couple were hacker tools of some sort. Spybot got nothing. The Panda scan produced a report but wanted more money from me to disinfect which I wasn't prepared to spend. The following is the report and in brackets I have described what I did with each item:

Potentially unwanted tool:application/altnet Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Altnet
(There was no content (hidden or otherwise) in the Altnet folder. I deleted it.)
Adware:adware/aureate-radiate Not disinfected c:\program files... Read more

A:I-worm/stration, I-worm/nuwar, Downloader Infection

Hi Dick Wolff, I am SifuMike and I will be helping you. How is your computer acting now that you have done some scans?

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

****************

Download ATF (Atribune Temp File) Cleaner by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido). This is a 30 day trial of the program.
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desk... Read more

Hello, I'm currently working with my girlfriend to resolve a computer issue. She recently had her e-mail account and photobucket account compromised, and as a result - I wanted to help her clean out her computer and make sure everything is clean. In doing so, I've run across a worm that I'm unable to guide her through removing myself. I'm not computer illiterate, but no genius either, which brings me here asking for your help.

I've had her run Spybot S&D, which turned no results other than cookies and such. I had her run Ad-Aware, which turned up Win32.P2P-Worm.Alcan.a. This is where I've began having issues. I've googled it, tried a few of the fixes that people have posted to no avail. I had her run hijack this and retrieve the logfile for me. I'll post it below.

If anyone could provide some help cleaning this worm out of her system, it would be much appreciated, as I'm clueless to what to do next.

Logfile of HijackThis v1.99.1
Scan saved at 9:39:52 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\Ati2evxx.ex... Read more

A:Virus/Worm Issue - Win32.P2P-Worm.Alcan.a

My computer has that worm and doesn't allow access to anti virus programs or websites. System restore has disappeared in the properties window of my computer -- strange? I can't download the removal tool on a website.
Here's the log.
I have also seen something on the web involving these suspicious processes:
-O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\system32\serbw.exe
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\system32\serbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\system32\formatsys.exe
Thanks for reading and considering my problem. I am a little educated on this worm but I am having diff probs than what I have seen fixed when other people had the same thing fixed.

Logfile of HijackThis v1.99.1
Scan saved at 3:46:30 PM, on 4/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\... Read more

A:FATSO worm aka W32.serflog.A worm--> need to disinfect comp

Hello, and welcome to TSF!

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is... Read more

Hi Sd Picked Up The Above Worms Can Anyone Assist Thanks

A:Black Worm/vicking Worm [moved from security]

Please follow the instructions here and then post the requested logs in a new thread here for the security analysts to look at.

USB based worm attacks are growing extensively in popularity. They work in a similar way to the floppy worms years ago in automatically spreading. As a best practice, users should lock down CD, DVD, and USB devices so that they don't automatically run content where applicable. Keeping AV protection up-to-date is also needed based on the increased levels of malware attacks which are surfacing.

Harry Potter worm - New USB based Worm spreading
http://www.theregister.co.uk/2007/07/02/harry_potter_worm/

QUOTE: Hackers are attempting to exploit Potter-mania with the release of a worm that attempts to infect USB memory drives. The Hairy-A worm poses as a file containing a copy of Harry Potter and the Deathly Hallows, the eagerly-anticipated final novel in the Harry Potter series, due out on 21 July. The infected file normally comes on infected USB drives. If users plug these drives into their Windows PCs they are liable to infect their machines, especially if they have allowed USB drives to "auto-run".

Hairy.A Worm - Sophos Press Release and Virus Info
http://www.sophos.com/pressoffice/news/art...7/06/hairy.html
http://www.sophos.com/virusinfo/analyses/w32hairya.html

QUOTE: With just weeks remaining until the release of the last ever Harry Potter novel, and the imminent premiere of the fifth movie in the franchise, Sophos has warned of a new computer worm exploiting Potter-mania around the world. The W32/Hairy-A worm can automatically infect a PC when users plug-in US... Read more

Processor:  AMD A4-6210 APU with Radeon R3 Graphics 1.80 GHz
Installed RAM  4.00 GB (3.46 GB usable)
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display
Edition:  Windows 8.1
Manufacturer   Acer    Aspire E5-721
Canon MX452 all in one printer
Emsisoft is my main anti malware program.
Infected with W32/Mytob-EW worm and W32/Sdbot-BN backdoor worm
Bleeping brought this to my attention  while I was researching strange behaviour on my pc.  Several drive wipes with a factory install performed over the last four weeks.  Four wipes.  One done by my college computer technician.  Frustration over what was going on triggered the slow one by one process analysis using Task Manager.  When I selected the end task on these (so called worm in disguise) processes, they immediately started up again.  Using the right-click feature on the entries, to search online what they were, brought me directly to the Bleeping Computer description.  Upon further investigation it was unanimous that Bleepings information was correct.
My emsisoft was consistently detecting and quarantining two registry keys, over and over even after I deleted them.  I am no different than anyone else and have saved logs of other scans from JRT, adware, rogue killer, rkill, etc etc.  They usually don't help that much, but if you are curious I have ... Read more

A:Infected: W32/Mytob-EW worm & W32/Sdbot-BN backdoor worm

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-04-2015
Ran by Cindy (administrator) on PERFECTPC on 26-04-2015 18:46:01
Running from C:\Users\Cindy\Desktop
Loaded Profiles: Cindy (Available profiles: Cindy & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QASvc.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAEvent.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Micro... Read more

ok well i was JUST infected with this worm? i guess, and it gives me the same pop-up over and over "spyware alert" and some other ones
it tells me 2 download some software
but i haven't nor will i
so some one please help me !

A:HELP ASAP Worm.Win32.netsky i have that worm please help me remove it

Yesterday I noticed that one of my three computers on my home LAN was scanning ICMPs and posted here. Thanks everyone for helping get me on the right track. I found the source using www.sysinternals.com tcpview.exe, which enabled me to see every process and terminate them one at a time until the scanning stopped. Then searching for DLLHOST.EXE, the search turned up a post that referenced WinXP ......so it applies to 2000 Pro also.
It was due to the worm w32.welchia.worm.
To cure it I had to delete DLLHOST.EXE from the system32/wins folder. The dllhost.exe necessary for Windows functions normally resides in the system32 folder, NOT in the wins folder, so it is safe to delete the one in wins.
You will have to go into safe mode, DOS mode and rename it. Then reboot Windows and open the wins folder and delete the renamed file. It will not let you delete it in DOS or Windows until it is renamed and a reboot is performed.

Virus programs can't delete it either.
Problem solved

I have restored and restored can someone please help! I can't update my Avira!

Avira AntiVir Personal - Free Antivirus Updater Complete product update
Creation time: Fri Jul 02 16:39:53 2010
Operating system:Windows Vista () [6.0.6000] 32 bit
Product information:Product version: C:\Program Files\Avira\AntiVir Desktop\update.exe resource: C:\Program Files\Avira\AntiVir Desktop\updaterc.dll C:\Program Files\Avira\AntiVir Desktop\update.dll C:\Program Files\Avira\AntiVir Desktop\updext.dll C:\Program Files\Avira\AntiVir Desktop\updgui.dll Directory: C:\ProgramData\Avira\AntiVir Desktop\TEMP\UPDATE\Backup folder: C:\ProgramData\Avira\AntiVir Desktop\BACKUP\Installation Directory: C:\Program Files\Avira\AntiVir Desktop\Updater folder: C:\Program Files\Avira\AntiVir Desktop\AppData folder: C:\ProgramData\Avira\AntiVir Desktop\Proxy settings:System settings used
16:39:57 [UPD] [INFO] Checking whether newer files are available.
16:39:57 [UPD] [INFO] Select update server ''.
16:39:57 [UPD] [INFO] Downloading of '' to 'C:\ProgramData\Avira\AntiVir Desktop... Read more

A:worm/im.sohanat.b (worm)and tr/crypt.xpack.gen (trojan)

DDS (Ver_10-03-17.01) - NTFSx86
Run by Grow Up at 16:50:09.74 on Fri 07/02/2010
Internet Explorer: 7.0.6000.16982
Microsoft? Windows Vista? Home Premium 6.0.6000.0.1252.1.1033.18.1918.942 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! Internet Security *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Users\Grow Up\... Read more

I have included my HijackThis Log, Panda Activescan Log, DSS main.txt log, DSS extra.txt attached and had installed IE-SPYAds and Spyware Blaster and ran them.

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:54, on 2007-10-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\sv... Read more

A:W32/Gaobot.MWK.worm & W32/AHKHeap.A.worm and lots other spyware

Is this pc networked to the other ?
Please do not share USB sticks or removable drives between your PCs

Disable Ad-Watch2007

Start Hijackthis Scan and place a check next to these items If there.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {96CC3995-2390-4436-B697-8E1C7548167E} - (no file)
O4 - HKLM\..\RunServices: [Windows Update 32] svhcp.exe
O4 - HKLM\..\RunOnce: [megauploadtoolbar] C:\DOCUME~1\user\LOCALS~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar\"
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows Update 32] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Windows mplayercodex Services] MSPF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows mplayercodex Services] MSPF.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows Update 32] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows mplayercodex Services] MSPF.EXE (User 'Default user')
O20 - Winlogon Notify: gebyw - gebyw.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\guard.tmp (file missing)

==================... Read more

A:Black Worm/ Viking Worm/ Cws Search Asistant

Hi samual, Our apologies for the delay. If you still require help, please post a HijackThis log and a recent comboscan log if you like.
Preparation Guide For Use Before Posting A Hijackthis Log
Also, unless you have severe visual problems, please lay off the Caps Lock.

Although I "PERMIT" this program to run, etc. it returns over and over again; I OK it and still it comes back. Have logged it on to NAV permit list, etc. - and still I get the Security Alert.

Any ideas ????

A:Solved: Norton Internet Worm Protection for Skype

Solved my own problem guys; just in case you're curious: I added Skype to general rules and the codes for TCP and what not's - a lot of guess work but did the trick!
Hope I don't call on you to "fix" this!

I don't know how I was infected, but I clearly remember my laptop was making some noises, as if it was transmitting something/communicating something with an outside source.

NOD32 caught the virus from causing further damage, but my system had been compromised. After restart, I was delivered with a glassy blue desktop, and my Documents folder was on top of it.

I started Task Manager (Ctrl+Alt+Del), and manually opened Windows Explorer. Task Manager would open with only a few processes, and I noticed one of them was "crss.exe." I googled looking for a solution, and Malwarebytes' Antimalware was highly recommended. After a series of scans, with Malwarebytes', NOD32, Spybot S&D, etc., most of the Trojan virus was quarantined and contained.

What remains is an ugly blue desktop after every restart, with my Documents folder on top of it. The only thing that changed after scanning and isolating the Trojan, the glassy blue turned more opaque. I have to do the same operation every time I restart, opening Task Manager, etc.

Another thing that I noticed was that I couldn't, and still can't, go into Safe Mode using the usual F8 route when restarting. To go into Safe Mode, I have to open MsConfig, click on Safe Boot, restart, and then click on Last Known Good Configuration. To get out of Safe Mode, I have to do it via MsConfig too.

One last abnormal thing: every time I open a new tab on Internet Explorer (7, and most recently, 8 beta), it opens to "... Read more

My computer problem and solution center detects that I have a virus W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm. I tried downloading spyhunter to remove it but it keeps crashing. I have spy doctor but when I run it says I have no viruses. My computer has begun to freeze up and my firefox en windows live does not respond at all. Below is my DDS report:
DDS (Ver_09-09-29.01) - NTFSx86
Run by Chris at 14:28:45.70 on Mon 09/28/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft? Windows Vista? Home Basic 6.0.6002.2.1252.1.1033.18.1013.164 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.... Read more

A:W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Symantec has also classified this first MS04-011 variant as W32.Gaobot.AFJ. The "good news" is that it is not an active threat as the dependent IRC server has been shut down; however, the "bad news" is that it provides a model for more crafting work on MS04-011 exploitable worms.

First MS04-011 Worm emerges: W32/Gaobot.worm.ali
http://vil.nai.com/vil/content/v_125006.htm
http://www.incidents.org/diary.php?date=2004-04-28
http://www.incidents.org/diary.php?date=2004-04-27

At the time of this writing, there are more than 900 variants of the Gaobot virus in existence. The source code for Gaobot was posted to various websites resulting in many new variants being created each week. W32/Gaobot.worm.ali stands out from some others as it seems to be the first variant that incorporates code to exploit a MS04-011 vulnerability (LSASS Vulnerability (CAN-2003-0533)). This particular variant is not currently a threat as it is dependent on an IRC server, which is no longer available. However, it is presumed that other variants will likely follow soon, which are functional. Details of those variants will likely vary from this one.

For maximum protection against the Gaobot family, users are recommended to:
* use the latest engine/DATs combination
* ensure the scanning of compressed files is enabled
* keep Windows systems patched by using Windows Update
* ensure weak username/passwords are not used
* run a personal desktop firewall application

The virus contains lots of re... Read more

A:First MS04-011 Worm emerges: W32/Gaobot.worm.ali

Symantec information - plus two new MS04-011 based Agobot threats emerged overnight.

W32.Gaobot.AFJ
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afj.html

W32.Gaobot.AFJ is a worm that spreads through open network shares, backdoors installed by the Beagle and Mydoom worms, and several Windows vulnerabilities including:
* DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

W32.Gaobot.AFC
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afc.html

W32.Gaobot.AFC is a worm that spreads through open network shares and several Windows vulnerabilities including:
* The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03...

I need some help with this message, made me kind of worried.
Today this message popped up from the action center, then it got archived automatically, so I have no idea if the virus is still around.
I got Eset nod32 antivirus 5 running and usually it detects stuff but this time no message at all.
Ran an in-depth scan with eset and it didn't show any threats.
Also tried microsoft malicious software removal tool and it shows 4 infected files but then when it finished it said no malicious files found?
Appreciate any help I can get.

A:"W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm"

AVG found the above worms (today's scan) PLUS possible Trojan Fake.Alert.UH (prior scan - didn't show on today's scan) on my desktop running V7 home.
Also, Spybot found the Mantera Toolbar (removed).
Thanks for any help with removal.

A:AVG found I-Worm/MyTob.AN and I-Worm/MyDoom.N

Hello kip

The worm spreads by sending its infected attachment to e-mail addresses found on an infected computer.
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
ADW Cleaner

Please download AdwCleaner by Xplode and save t...

Today my laptop became infected with a worm. I followed advice on this forum and used smitfraudfix, atf cleaner, and superantispyware to remove the problem. I also have run a malwarebytes scan but my laptop remains VERY VERY VERY slow. It takes about 4 minutes just to log onto the internet and it freezes a lot. Also, my ctrl alt delete (which until today worked fine) refuses to function. I cannot very well give you a hijackthis diagnostic report because I cannot get online to post the results due to the slowness of my computer.

Please help! I can get on long enough to probably be able to download something but that would be it.

A:Worm.win32.netbooster Got Rid Of Worm But Need Help With Followup

See if you can update MBAM and SAS, after that disconnect from the internet, you might need to pull the power to your router/modem if you use wireless
Run MBAM from normal mode, let it cure anything, then boot into safe mode and run atf cleaner and then SAS
http://www.bleepingcomputer.com/forums/ind...mp;#entry839950
Follow these directions please
If you are using Vista please advise as ATF Cleaner does not work quite right

...ok, i don't remember having this, but...under windows "problem reports and solutions", under "information about other problems", there is 1 called "virus alerts".

It says:
"Remove the W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm from your computer
This problem [i don't know what problem they're referring to] was caused by W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm, a known computer virus"

this probably happened in the past. so...
1) how do i 100% make sure it's off my computer?
2) so far, i don't THINK (think, still unsure) that it's still in my computer. but if it isn't then why do i have that "virus alert" thing under "information about other problems" under "problem reports and solutions"?

A:W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm

What program is alerting you to the infection? Can you create a screenshot, upload it to an image site such as Photobucket, Media Fire, TinyPic or ImageShack and provide a link to the url address back here?
To capture a screenshot, refer to:
Windows XP: Take a screen shot
How to Take a Screenshot in Windows XP or Vista
How to take and share a screen shot in Windows <- also includes instructions for uploading


I was downloading a firewall and at the end of the installation it asked me to restart my computer. From that point forward, the computer started to automatically restart continuously before my desktop and settings load, so I'm unable to get on to the desktop normally. I'm suspecting it's a worm (given in the title) and the most I've done so far is been able to start the computer in safe mode, but nothing past that. Can anyone help me from this point on?

A:Disinfecting A Worm (supposedly A W32.blaster.worm)

Windows malicious software removal tool will remove the malware. I suspect though you don't have that.
http://www.microsoft.com/security/malwareremove/default.mspx
Did you just reinstall Windows?
Symantec has a removal tool. Whether it is up to date or if it still works I don't know.
http://www.download.com/W32-Blaster-Worm-R...4-10219754.html

When my dad ran Ad-aware it found the win32.worm.kido file on this Windows Vista computer. Upon reboot the computer deleted the file. I then ran malware bytes and I believe it removed some files, I will post the log because I'm not sure how to read it. I ran Superantispyware and it found some tracking cookies and I deleted them, no other abnormal files found. I then ran McAfee and it did not find any viruses. I wanted to make sure the system was clean so I ran a Panda online scan and it found the conficker C worm on the computer. I believe he has windows auto update turned on so Vista should be up to date. I will post the ad-aware log, malware bytes, and panda scan logs.

I have followed all the preparation guidelines except the rootrepeal acted as such when scanning the files section: first attempt crashed rootrepeal program, second attempt made computer restart, third attempt windows explorer crashed and restarted and rootrepeal was frozen. I ran rootrepeal with everything except the files section checked and I will post that log.

With this conficker infection should we change the windows logon password, and various service passwords (facebook, myspace, online banking)? Also, two camera memory cards were plugged into the laptop and two usb drives how do I go about scanning those, I told them to not put them in any other computers for now.

Here are the logs:

Adaware
Logfile created: 12/2/2009 05:19:48
Lavasoft Ad-Aware version: 8.1.2
User performing scan: Michael
**********...

A:Win32.Worm.Kido and W32/Conficker.C.worm

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

Hi, and thanks in advance for any help.

COMPAQ Presario laptop
Windows XP SP2

I primarily use FireFox to browse. Last night I downloaded a nasty piece of work inadvertently trying to watch a video. Now I am getting popups

My symptoms seem identical to this gentleman's
The first occurrence was the following in a popup, marked Spyware Alert. I clicked yes a few times thinking it was my McAfee virus checker.

Worm.Win32.NetSky detected on your machine. This virus is distributed via the internet through e mail & Active-X objects. The worm has its own SMTP engine which means it gathers e mails from your local computer & re-distributes them itself. In worse cases this worm can allow attackers to access your computer stealing passwords & personal data. This process should be removed from your system
Type Virus
Systems Affected Windows 2000,NT,ME.XP,Vista
Security Risk (0-5) 5
Recommendations. Click yes to remove it from your computer.

I cannot close it. The Alert is still sitting on the desktop.

I ran Windows Malicious software removal tool (Jan 2008) overnight. While it was running 26 instances of Internet Explorer opened. I had told IE to work offline, after I realized that it was malware, so none opened to the fake software sales.

The Malicious Software tool is about 75% complete after about 9 hours run-time on a full scan. It is reporting 6 infections at the moment. It was running along with firefox while I ran HijackThis (log attached)

Logfile o...

A:Solved: Worm.Win32.NetSky popups and Internet Explorer opening unexpectedly


We get a message from a program entitled Rapid Anti-Virus 2.7 saying that it has found software that may harm our computer or compromise our security. It also highly recommends to remove the unknown software. There are buttons in the window for things such as system scan, security, privacy, update, firewall, settings, and enter activation. None of the buttons will highlight when you move the mouse over them (you can't click any of the buttons). There is a smaller window that opens up that states the same thing and has buttons for remove all viruses or continue unprotected which do highlight when you move the mouse over them. My wife clicked the remove all viruses button and the computer seemed to restart, but then it went right back to the same screen she had before.

A:JS.Qspace worm, [email protected] worm

my grisoft avg antivirus tells me i have a worm called 'I-Worm/Bofra', installed in file
'C:\Documents and Settings\User New\Local Settings\Temporary Internet Files\Content.IE5\41URKLAJ\cnt1[1].htm'

well, i need urgent help, and you are the specialists in virus, so please be kind enough to help me remove this garbage

thank you very much

below you find the log from hijackthis 1.99 beta version:


A:i have the 'I-Worm/Bofra' virus/worm

hi guys, it was solved, i killed the virus and spyware
thanks everybody anyway
no more need to do nothing else
merry xmas!

referred from here: http://www.bleepingcomputer.com/forums/t/309084/cant-open-all-applications-in-my-netbook/ ~ OB

A:The [email protected] worm virus

I cannot get rid of these here. If I could get some help I would greatly appreciate it. I have already run Spybot and Adaware. Here is my HijackThis log.


A:Nachi.b worm and welchia worm


Hi,

I seem to have a virus, worm and/or Trojan horse. I think I got it off of Limewire. I accidentally downloaded a .exe program (which I never do - except this time - idiot!) and I believe that's when I got it/them.

Per the prep guide, I have cleaned out my temporary internet files, temp files and recycling bin.

I have updated versions of Ad-Aware SE and Spybot and have run them both, restarted my computer and then run them again.

I have run Housecall Anti Virus and Bit Defender (twice each), but couldn't get Panda Anti Virus to work. I have also run McAfee VirusScan (build 9.1.08 engine 4.4.00 DAT version 4.0.4585) and Bazooka Scanner v1.13.03 ("nothing detected").

I have loaded and run McAfee AVERT Stinger.

I have McAfee Personal Firewall Plus (6.1.6144) running and is up-to-date. It is blocking specifically winlog.exe and svchost.exe. My firewall detected winlog.exe trying to connect to the internet immediately when I accidentally (and stupidly) downloaded that .exe file. I blocked all access to the internet for it. I believe the svchost.exe was blocked previously, but I don't remember. Setup.exe (outlook.exe) is also blocked for some reason (I tend to block any connection that I'm not sure about). Run a DLL as an app (rundll32.exe) is also blocked. Most other stuff I recognize. Except for ping.exe (ping.exe). That's, for some reason, at "allow full access". Is this okay?

I am running Windows XP SP2 that is up-to-date. My browsers are IE (v 6.0.2900.2180.xpsp_...

A:New Malware!bot, Win32.worm.vb.ymeak.a, Win32.worm.vb.dw And Backdoor.rbot.cmn

Hi KevinF2020 and Welcome to the Bleeping Computer!

1. Please download Ewido Anti-Malware
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (...


By Brian Krebs
Special to The Washington Post
Tuesday, January 20, 2004; Page E05
A new Internet worm that spread by e-mail through Asia, Australia and Europe began appearing in U.S. in-boxes yesterday, and experts warned it could spread as people go back to work after the Martin Luther King Jr. holiday.

The "Bagle" or "Beagle" worm arrives as an attachment to an e-mail with the subject line "Hi" and "test : )" in the body text. The worm is activated when a user clicks on the attached file.

Once the attachment is opened, the worm tries to send copies of itself to all of the e-mail addresses that it finds on the victim's computer, faking the return address with one randomly generated from those on the infected PC. It also installs a program that lets attackers connect to infected machines, install malicious software or steal files.

The worm could be the precursor to more evolved versions that could wreak havoc with small businesses and home Internet users, computer security experts said.

Carey Nachenberg, chief architect of Symantec Research Labs in Cupertino, Calif., said he expects the worm to continue its rapid spread as more Americans begin sorting through the e-mail that piled up in their in-boxes over the three-day weekend.

"This is coming on hard and fast, and that's usually a bad sign going into a shortened work week," Nachenberg said.

Bagle has spread to computers in more than 100 countries, accordin...

A:A new Internet worm

thx for the info...I never click on attachments so I should be fine

this is like the nth time i've tried posting this. ie keeps crashing just before i hit the post button.

anyway, i'll keep this short lest i die of frustration once my ie crashes again.

pleasepleaseplease help me get rid of the trojans/worms infecting my pc. right after i noticed my exe files going wonky (double clicking only yielded a black windows script/run box instead of opening the program), i scanned my pc using trendmicro, which zapped a couple of problems. when i commenced scanning using panda, my pc crashed and kept restarting. so i ran it in safe mode, scanned using bitdefender which deleted most of my exe files (since i didn't realize my preferences were set at disinfect/delete.)

according to the scan results, my pc was infected with a couple of strains of the PWS Trojan : PWS.OnlineGames., Generic.PWStealer., Generic.Onlinegames., Trojan.Dropper.OnLineGames.A, DeepScan:Generic.Malware., Trojan.PWS.Nilage and Win32.Worm.Delf.NDQ and Win32.Worm.Viking among others.

after the online scans, here are the things i've done so far:
1. installed ad-aware and scanned in safe mode
2. installed spybot and scanned in safe mode
3. spybot ran diagnostic scan after restart. was able to run windows in normal mode
4. scanned using avg, disinfected
5. scanned using ad-aware.
6. scanned using spybot. went on with my life for a couple of days.
7. scanned using spybot. found a couple of threats... disinfected and clicked immunize. no more threats found after
8. scanned using ad-aware. no results oth...

A:Win32.worm.delf, Win32.worm.viking, Pws.onlinegames, Among Others


My computer is slow as well as the internet. Some sites don't work where they work from another computer.

Norton internet securities won't work, norton antivirus won't work.

hijack this posted



I've Posted This Topic At The General Security Coz I Don't Have The Thing HiJack But I Would Like To Post It Here coz I Can See Many Post Regarding Viruses here...So Please Help Me About This..
My Internet Always Stops But Comes Back Again...I've Been Advised By Our Internet Representatives To Do The Run/Cmd/Ipconfig/Ping "IP" /t This Is How I Identified The Problem Because I Can See Some "Request Timed Out" Lines In The Words That Are Appearing...If The "Request Times Out" Appears My Internet Stops But When It Comes Back It Will Say "Reply From "IP" : bytes=32 time=40 TTL=255" That's How I Identify That My Internet Stops And Comes Back Over and Over again..It Only Stops For Seconds But It is Very Often...Sometimes It Can Do 6 Straight "Request Timed Out"..

I Have Downloaded The ESET Smart Security Which Is An Anti-Virus But It Didn't Detect Anything..and Next I downloaded The Malwarebytes Anti-Malware And It Detected A Worm At My Drive:C Then I Deleted The Worm Hoping My Internet Will Be Stabled But Still It Is Stopping and Coming Back Over And Over...Now Lastly I Downloaded The Avast Anti-Virus And Run it In Scanning But No Viruses Detected!!...

I've Reformatted My Computer Because I Think My Computer Is The Problem...My Computer Was Windows XP and I Turned It To Windows Vista...But Still The Problem Is On Going..!...Some Technical Supporters Came At Our House and They Brought A Laptop To Test...


MS04-011: Sasser Internet Worm
http://vil.nai.com/vil/content/v_125007.htm
http://www.symantec.com/avcenter/venc/data...asser.worm.html
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SASSER.A
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
http://www.sophos.com/virusinfo/analyses/w32sassera.html

Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability. This vulnerability is caused by a buffer overrun in the Local Security Authority Subsystem Service, and will affect all machines that are:
* Running Windows XP or Windows 2000
* Haven't been patched against this vulnerability
* Are connected to the Internet without a firewall

W32.Sasser is a worm that attempts to send code that exploits the MS04-011 vulnerability. This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system, by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554. The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.

One sign of infection is this message:

Infected systems should inst...

A:MS04-011: Sasser Internet Worm

McAfee, Trend, and F-Secure have all just declared MEDIUM RISK as this new worm is starting to spread.

Microsoft has posted information (including removal information)
http://www.microsoft.com/security/incident/sasser.asp

McAfee has just updated their free cleaning tool to handle the new Sasser Internet worm.
McAfee STINGER standalone CLEANING TOOL
http://vil.nai.com/vil/stinger/
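The network behaviour described in the Sasser write-up above (scanning on TCP 445, a remote shell on TCP 9996, the worm's FTP service on TCP 5554) can be looked for in connection logs. The following is an added example, not part of the original posts; the log format, the sample lines and the scan threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports named in the Sasser description above.
SCAN_PORT = 445     # destination port of the worm's scanning
SHELL_PORT = 9996   # remote shell opened on an exploited host
FTP_PORT = 5554     # FTP service on the infecting host
SCAN_THRESHOLD = 5  # assumption: distinct :445 targets before a host counts as scanning

# Constructed sample log, one connection per line:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2004-05-01 10:00:01 DROP TCP 192.168.1.20 10.4.7.1 1030 445
2004-05-01 10:00:01 DROP TCP 192.168.1.20 10.4.7.2 1031 445
2004-05-01 10:00:02 DROP TCP 192.168.1.20 10.88.3.9 1032 445
2004-05-01 10:00:02 DROP TCP 192.168.1.20 172.16.5.5 1033 445
2004-05-01 10:00:03 DROP TCP 192.168.1.20 198.51.100.7 1034 445
2004-05-01 10:00:03 ALLOW TCP 192.168.1.20 192.168.1.35 1035 445
2004-05-01 10:00:04 ALLOW TCP 192.168.1.20 192.168.1.35 1036 9996
2004-05-01 10:00:05 ALLOW TCP 192.168.1.35 192.168.1.20 1040 5554
2004-05-01 10:01:00 ALLOW TCP 192.168.1.40 192.168.1.2 1100 445
2004-05-01 10:01:30 ALLOW TCP 192.168.1.40 192.168.1.2 1101 445
2004-05-01 10:02:00 DROP TCP 203.0.113.9 192.168.1.40 4000 9996
this line is truncated garbage
"""


def parse_line(line):
    """Return (action, src, dst, dst_port), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 8 or parts[3] != "TCP":
        return None
    _date, _time, action, _proto, src, dst, _sport, dport = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return action, src, dst, int(dport)
    except ValueError:
        return None


def find_sasser_indicators(log_text, scan_threshold=SCAN_THRESHOLD):
    """Map each host to the sorted list of indicators seen for it."""
    scan_targets = defaultdict(set)   # src -> distinct hosts it tried on :445
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        if dport == SCAN_PORT:
            # Blocked attempts still show that the source is scanning.
            scan_targets[src].add(dst)
        elif action == "ALLOW" and dport == SHELL_PORT:
            findings[dst].add("shell-port-reached")
        elif action == "ALLOW" and dport == FTP_PORT:
            findings[src].add("fetched-from-5554")
            findings[dst].add("serving-5554")
    for src, targets in scan_targets.items():
        # A client of one file server talks to one :445 target, a scanner to many.
        if len(targets) >= scan_threshold:
            findings[src].add("scanning-445")
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in sorted(find_sasser_indicators(SAMPLE_LOG).items()):
        print(host, ", ".join(tags))
```

In the sample, 192.168.1.40 is an ordinary file-share client and is not flagged, because it reaches only one host on port 445 and the connection to its port 9996 was dropped.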

Hi there,

I was attacked by a trojan or worm, maybe both. Well the only way I can get on the internet is in safe mode. I did do a restore to a later date but I still have the problem. When I'm not in Safe mode my internet explorer takes a long time to load but it ends up loading a cannot connect error page. But I can play world of warcraft just fine. I'm running vista and here's my scan. INTERNET ONLY WORKS IN SAFE MODE



A:Trojan or worm preventing Internet. HJT log

Hey, I currently run a home network with three separate computers.
Although it is configured properly, file sharing completely ceases to work when Norton Internet Worm Protection is switched on.

This leads to either switching it off when I need something or leaving it off altogether. So my question is: Is there any way around this bug in Norton?

I also run Zone Alarm but I think that's irrelevant.

A:Norton Internet Worm Protection


Hey, while I'm trying to use torrents, Norton Internet Worm Protection is always popping up saying if I should block or permit it from using a port. Is there a way to just permit this port for this program?

A:Norton Internet worm problem

We do not provide assistance with P2P programs here. Closing thread.

Category I Offenses

P2P Instructions - The purpose of P2P is to illegally trade copyrighted material. We do not support the use of P2P networks and any threads requesting help for them will be closed. This includes Kazaa, Bearshare, WinMX, and the like. If you're interested in the topic, you are free to discuss it on our site (and please visit StealingIsIllegal.com), but information on how to use them will not be provided.

New MySQL Internet Worm - Spoolcll.exe
http://isc.sans.org//diary.php?date=2005-01-26
http://forums.whirlpool.net.au/forum-repli...fm?t=291921&p=3

We have reports about a possible MySQL worm. Right now, it appears to be hunting for Windows systems running MySQL. We have no details so far, and would greatly appreciate input (in particular code samples). We do observe a significant rise in port 3306 scanning, which is likely caused by infected systems. The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.

You should not expose any MySQL servers to unsolicited connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and mysql run on the same system, which is common for small websites). In order to turn off networking, start mysql with the --skip-networking option. You will however need networking if you use replication.

A:New MySQL Internet Worm - Spoolcll.exe

Follow-up Information

MySQL worm halted
Published: January 28, 2005, 1:40 PM PST
By Robert Lemos
Staff Writer, CNET News.com

A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.

More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines.

Read complete article here
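The advice in the advisory above (run with skip-networking where only local connections are needed, otherwise block port 3306, and keep networking if replication is in use) can be checked against a server's option file. This is an added example, not code from the advisory or from MySQL; the sample option files are constructed and the replication test is a simple heuristic.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DEFAULT_PORT = 3306

# Constructed sample option files (not taken from any real host).
EXPOSED_INI = """\
[client]
port = 3306

[mysqld]
# no bind-address: the server listens on every interface
port = 3306
datadir = C:/mysql/data
"""

LOCAL_ONLY_INI = """\
[mysqld]
skip-networking
datadir = C:/mysql/data
"""

REPLICA_INI = """\
[mysqld]
server_id = 2
log-bin = mysql-bin
bind-address = 192.168.1.10
port = 3307
"""


def parse_mysqld_options(text):
    """Collect the options of the [mysqld] section of an option file.

    Option names are lower-cased and '_' is folded to '-', since MySQL
    accepts both spellings. Inline comments are not handled here.
    """
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("!"):
            continue  # blank line, comment, or !include directive
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        name, _, value = line.partition("=")
        opts[name.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return opts


def audit_exposure(text):
    """Report whether the server would accept TCP connections, and from where."""
    opts = parse_mysqld_options(text)
    # Heuristic (assumption): these options suggest replication is configured.
    replication = "log-bin" in opts or "server-id" in opts
    if "skip-networking" in opts:
        advice = ("skip-networking conflicts with the replication settings"
                  if replication else "no TCP listener; local connections only")
        return {"scope": "none", "port": None,
                "replication": replication, "advice": advice}
    raw_port = opts.get("port", "")
    port = int(raw_port) if raw_port.isdigit() else DEFAULT_PORT
    if opts.get("bind-address", "").lower() in LOOPBACK:
        return {"scope": "loopback", "port": port,
                "replication": replication, "advice": "TCP bound to loopback only"}
    if replication:
        advice = f"replication needs networking: allow TCP {port} only from replication peers"
    else:
        advice = f"block TCP {port} at the firewall, or set skip-networking"
    return {"scope": "network", "port": port,
            "replication": replication, "advice": advice}


if __name__ == "__main__":
    for name, ini in (("exposed", EXPOSED_INI), ("local", LOCAL_ONLY_INI),
                      ("replica", REPLICA_INI)):
        print(name, audit_exposure(ini))
```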

Every time I shut down my computer, Spybot shows a malware key called Netster. I delete it every time and it comes back upon reboot. I had disabled my Fax because Norton always told me that fxsclnt.exe was an internet worm and blocked it. I have to be able to use my WinXP fax. What can I do? Should I send a HiJack This log before I delete the key it describes at Netster? I went to the Microsoft site, and put this in Google and can find no help for this problem. Thanks. Sally

A:fxsclnt.exe keeps showing up as internet worm

You can check the MD5 Hash of the file with a program like HashCalc.

The file fxsclnt.exe should be located in the following directory on XP...


Now, if I wanted to check and see if this file was a legit Windows file, I would find the file, right-click and select Properties. Go to the Version tab, and it should tell you the version number. On the computer that I have, the version is 5.2.2600.2180

Now that I know the version, I search for the file on the following site. I look for the file that matches the correct version in the "All Versions" list, and I click on it. I click the tab that says TECH INFO, and it tells me that the MD5 file hash should be...


So now I open HashCalc. I make sure Data Format is set to File, and in the space for Data I enter the location of the file, which is...


I press Calculate, and it will calculate the MD5 hash value. I compare the hash from the website with the one from the HashCalc program and they match. This tells me the file is a legit Windows program.
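The comparison described in the answer above, scripted so it does not depend on reading two hex strings by eye. This is an added example, not part of the original answer; the function names are constructed, the demo hashes a constructed stand-in file (the real path and reference hash are not given on the page), and accepting SHA-256 references is an addition beyond the MD5 check the answer describes.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=65536):
    """Hash the file in chunks so large binaries are not read into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def normalize_hex(text):
    """Accept a hash pasted in upper case or with spaces, colons or dashes."""
    cleaned = "".join(c for c in text if c not in " :-\t\r\n").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("reference value is not a hex digest")
    return cleaned


def verify_file(path, reference_hash):
    """Return 'match', 'mismatch' or 'missing' for path against the reference."""
    want = normalize_hex(reference_hash)
    algo = {32: "md5", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected 32 (MD5) or 64 (SHA-256) hex characters")
    if not os.path.isfile(path):
        return "missing"
    return "match" if file_digests(path)[algo] == want else "mismatch"


def demo():
    # Constructed stand-in file; a real check would point at the system file.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"abc")
    try:
        return (
            verify_file(tmp.name, "90 01 50 98 3C D2 4F B0 D6 96 3F 7D 28 E1 7F 72"),
            verify_file(tmp.name, "d41d8cd98f00b204e9800998ecf8427e"),
            verify_file(tmp.name + ".absent", "d41d8cd98f00b204e9800998ecf8427e"),
        )
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo())
```

A match is only as trustworthy as the source of the reference hash, and MD5 is not collision resistant, so prefer a SHA-256 reference where one is published.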



First off, thanks for taking the time to assist in my situation. I'm decently tech savvy, but don't know if I trust myself to evaluate my own HJT logs as I don't have much experience in this area. So to get to things, here's the scenario: Randomly it seems the Internet "crashes". I still have connectivity as my chat messengers work, and a few limited websites work. However, a majority fail (time out), and very few pages will stream (if applicable). I don't really have a problem with popups. Restarting the pc and/or modem would help for a random bit of time - sometimes it would be fine for the rest of the night, sometimes it would be a problem again in a matter of minutes. Lately, this doesn't seem to be working, the issue just comes and goes as it pleases. Multiple pcs on my home network are affected by this, but mine more so than the other. I believe this is worm activity. I called the ISP and they did several line tests that all came back fine. The tech did say that the packet figures were really odd: 37m upload, only 1.7 download. I'm not hosting any FTP servers or anything like that, so something is sucking my bandwidth causing the lapse in connectivity - or that's my deduction. I've been using avast!, Antivir, Spybot S&D, and Ad-aware, with ZoneAlarm for a bit of firewall security to try to troubleshoot this issue the past week. The connectivity problems have been going on since mid-summer at least. Enclosed will be the main and extra txt logs ... Read more

A:Internet issues - possible unknown worm

Bumped after 71 hours... going to bed, will check back when I wake up :D

I have a newer (less than a year old) Compaq with Windows XP, I use Norton for "Protection" and for more than a week now, when I try to log into my yahoo email or even just the yahoo page, which used to be my home page, I get an alert message. I have given up on that email address now because it just won't open! HELP! This is the message I get:

Intrusion: BD Blade Runner
Intruder: Local Host (5400)
Risk Level: High
Protocal: TCP
Attacked IP: Local Host
Attacked Port: 1173

Somebody PLEASE tell me what the heck this means! And of course how the heck I get rid of it. This is not something I want to keep...right? I have run my full system scan many times. Tonight I downloaded Spybot to see if that would help. It didn't. I don't do a lot of "searching" on the internet at all. I am mostly an email person. Occasionally I visit quilting pages and my husband plays poker. THAT'S IT!
