
Infected with: Trojan.Dropper/SVCHost-Fake,Trojan.Agent/Gen-FakeAlert, & Trojan Downloader: Win32/Unruy.D.

Q: Infected with: Trojan.Dropper/SVCHost-Fake,Trojan.Agent/Gen-FakeAlert, & Trojan Downloader: Win32/Unruy.D.

I have been clearing a computer from numerous infections. I uninstalled the outdated (since 2006) McAfee AV. I have installed Microsoft Security Essentials, MBAM, and SuperAntiSpyware. I used this combination as well as several online scanners to remove over 150 infections. Every time I run a scan with SAS, the log comes back with the following infections:

Trojan.Dropper/SVCHost-Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SVCHOST.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SVCHOST.EXE

Trojan.Agent/Gen-FakeAlert
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE

Microsoft Security Essentials pops up during the scan with the following infection:

Trojan Downloader: Win32/Unruy.D C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE

I created a new restore point and deleted all previous points, yet these infections still remain.

I was receiving help from another moderator who had me try several things before directing me here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/318510/cannot-remove-trojan/ ~ OB

I am posting the DDS log, GMER log, and attaching the attach.txt file. Thank you in advance for any and all help you can provide.


A: Infected with: Trojan.Dropper/SVCHost-Fake,Trojan.Agent/Gen-FakeAlert, & Trojan Downloader: Win32/Unruy.D.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Hello,
my situation:
Dell 8100 desktop is infected by Trojan.Dropper/SVCHost-Fake, Trojan.Agent/Gen-FakeAlert as reported by SuperAntiSpyware. SAS scan exits after finding these two. Malwarebytes scan also exits shortly after start.
DDS: DDS.txt - see below. Attach.txt was not produced for some reason.
GMER started but exited right after clicking "Scan", so no report to show, unfortunately.
Thank you!
Lev.

DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Lev at 17:41:20 on 2011-05-25
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn6\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit...

A:Trojan.Dropper/SVCHost-Fake, Trojan.Agent/Gen-FakeAlert

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you hav...


Hello Folks,
My fiancée is running Win 8.1 and SuperAntiSpyware has reported these two infections.  After deletion and reboot, svchost and lsaas both show up again in Windows\Temp and run themselves.  They use up all her system resources.  Malwarebytes Antimalware is unsuccessful at removing these threats as well.  Thanks in advance for reading over my logs.  I have read the posting instructions but I had to upload FRST and post Addition.txt in the message because FRST.txt was too big.  My apologies if this messes anyone up.
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-04-2015
Ran by Beth at 2015-04-12 11:23:06
Running from C:\Users\Beth\Desktop\Virus Removal Tools
Boot Mode: Normal
==========================================================

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Versio...

A:trojan agent mnr & trojan.dropper/svchost-fake infections reported

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

CreateRestorePoint
CloseProcesses:

() C:\Program Files (x86)\ChocolateBar\ChocolateBar.exe
HKLM-x32\...\Run: [YourFile DownloaderInstaller Starter] => "C:\Users\Beth\AppData\Local\Temp\install24851296.exe" -startup <===== ATTENTION
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3018066717-3207517667-314346134-1001\...\Run: [ChocolateBar Sidebar] => C:\Program Files (x86)\ChocolateBar\ChocolateBar.exe [484416 2014-10-09] ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO-x32: ChocolateBar -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Users\Beth\Appdata\LocalLow\wecarebooster\ChocolateBar.dll [2014-10-09] ()
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com/?cid={84E58910-2FB7-4670-9DFF-D21385E65C35}&mid=8a24c568cc1c47d39dc4d1c5bca1cddb-df96efad2756bfe5ec8f73766de01450c0ab829d&...


I am fairly new to this process, so I hope I do this correctly. I have Spybot S&D and just downloaded Malbytes. They both seem to help somewhat but cannot remove reader_s.exe or services.exe. I am experiencing internet popups and redirects, the Windows firewall is disabled, as is my Symantec antivirus. There is a login screen when I start Windows XP that did not used to be there. I am getting number of random error messages, and Malbytes is sometimes deleted and I have to reinstall it. Also, random .tmp files seem to popup. Thanks in advance for any help you can provide.
DDS (Ver_09-02-01.01) - NTFSx86
Run by Jordan at 1:53:18.65 on Thu 02/19/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1437 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: ActiveArmor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program File...

A:Infected with Trojan.FakeAlert.H, Trojan.Agent, Trojan.Downloader?

Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan"
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
Double click on RSIT.exe to run RSIT
Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
Click Continue at the disclaimer screen.
Once it has finished, two lo...


I am running Microsoft Security Essentials, Malwarebytes' Anti-Malware, Superantispyware Professional. I was running McAfee Security Suite when I got infected. None of the programs find the infections except for Superantispyware. It quarantines and deletes the infections. I restart the computer and then when I run the scan again they are still there.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by akparker at 19:54:02 on 2011-11-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2046.1066 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.e...

A:Infected with Trojan.Agent/Gen-IExplorer[Fake], Trojan.Agent/Gen-PEC, and Trojan.Downloader-Winlogon/FAS

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap...


Hi, here is my problem. Everytime I download some movies or other things by opening my computer overnight, it must pop out a error window said:-
C:\Documents and setting\KkianN\Desktop is not accessible.
Not enough quota is available to process this command.

The icons only left on my screen were My computer, my network places and Internet explorer. When I refresh my computer, it came out the same message again. (this problem was occured when I opened my computer overnight by using Thunder5 this software to download things)

When I tried to shut down, a message said You do not have permission to shut down this computer.

When I tried to use windows task manager to shut down, once i click Ctrl+Alt+Del, an application error message came out said:-
This application failed to initialize properly(0xc000012d). Click on OK to terminate the application.
Then I just can reset my computer.

Actually I have posted in BleepingComputer.com > Security > Am I infected? What do I do? there. Then I followed the instruction in "Preparation Guide For Use Before Posting A Hijackthis Log". Unfortunately, i can't finish all the steps there. For step 4, I can't remove win32.generic.pws, win32.trojan.psw.delf and Win32.trojan.pws.onlinegames by using Ad-aware 2007. While scanning by using spybot, it stuck while scanning. After that suddenly pop out a window said:-
Spybot-Search and destroy has detected an important registry entry that has been changed. Category: System Startup global entr...

A:Infected With Dropper.agent,logger.pcap.a,win32.generic.pws,win32.trojan.psw.delf And Win32.trojan.pws.onlinegames

Hello, I had reformatted my computer since it could not open and stuck in the welcome window few days ago. So, now my computer is alright..thanks for viewing and trying to help me to fix the problem.


Hi this is my first post. As stated in the title i have Trojan-Downloader.Win32.Agent.aoyb and it has infected my svchost.exe host file. Another is csrssc.exe infected with Trojan-Downloader.Win32.Suurch.eo It was scanned with kaspersky online scanner. The symptoms that i have noticed are:

Error - "Host Process for windows services has stopped working," this window wont close when "close program" is selected. Just re-appears.

Firefox has random windows pop up when a search is done. Sometimes anti virus scanning sites, and other times random adds.

The file i got from kaspersky online scanner stated as follows, however i was able to delete most of this in safe mode and using unlockers other then the above:


Code:
C:\Windows\system32\egaadg.dll/C:\Windows\system32\egaadg.dll

Infected: Trojan-Downloader.Win32.Zlob.acft

C:\Windows\System32\egaadg.dll/C:\Windows\System32\egaadg.dll

Infected: Trojan-Downloader.Win32.Zlob.acft

svchost.exe\svchost.exe/svchost.exe\svchost.exe

Infected: Trojan-Downloader.Win32.Agent.aoyb

csrssc.exe\csrssc.exe/csrssc.exe\csrssc.exe

Infected: Trojan-Downloader.Win32.Suurch.eo

C:\Users\Cameron\AppData\Local\Temp\csrssc.exe/C:\Users\Cameron\AppData\Local\Temp\csrssc.exe

Infected: Trojan-Downloader.Win32.Suurch.gq

C:\swsetup\SP37923\AVerMedia.exe

Infected: not-a-virus:AdWare.Win32.BetterInternet.hu

C:\Users\Cameron\AppData\Local\Temp\csrssc.exe

Infected: Trojan-Down...

A:Trojan-Downloader.Win32.Agent.aoyb has infected my svchost.exe

Hi Jimmy. . .


I would highly suggest that you proceed to our Security Center, HiJackThis Log Help Forum, to have your HJT logs reviewed by a Security Analyst. You will run new ones there. Be sure to follow THESE STEPS carefully before posting your logs in the HJT Log Help Forum.

Please be patient as the Security Analysts are very busy and one will get to you as soon as possible.

If you have any lingering Vista issues subsequent to a security analyst declaring your system clean, feel free to return to this forum.

Regards. . .

jcgriff2


As stated in the title I think Trojan-Downloader.Win32.Agent.aoyb has infected my svchost.exe host file. Another is csrssc.exe infected with Trojan-Downloader.Win32.Suurch.eo. It was scanned with Kaspersky online scanner. The symptoms that I have noticed are:

Error - "Host Process for windows services has stopped working," this window won't close when "close program" is selected. Just re-appears.

Firefox has random windows pop up when a search is done. Sometimes anti virus scanning sites, and other times random ads.

I have included the scans log. Hope it helps.

C:\Windows\system32\egaadg.dll/C:\Windows\system32\egaadg.dll

Infected: Trojan-Downloader.Win32.Zlob.acft

C:\Windows\System32\egaadg.dll/C:\Windows\System32\egaadg.dll

Infected: Trojan-Downloader.Win32.Zlob.acft

svchost.exe\svchost.exe/svchost.exe\svchost.exe

Infected: Trojan-Downloader.Win32.Agent.aoyb

csrssc.exe\csrssc.exe/csrssc.exe\csrssc.exe

Infected: Trojan-Downloader.Win32.Suurch.eo

C:\Users\Cameron\AppData\Local\Temp\csrssc.exe/C:\Users\Cameron\AppData\Local\Temp\csrssc.exe

Infected: Trojan-Downloader.Win32.Suurch.gq

C:\swsetup\SP37923\AVerMedia.exe

Infected: not-a-virus:AdWare.Win32.BetterInternet.hu

C:\Users\Cameron\AppData\Local\Temp\csrssc.exe

Infected: Trojan-Downloader.Win32.Suurch.gq

C:\Windows\System32\egaadg.dll

Infected: Trojan-Downloader.Win32.Zlob.acft

C:\Windows\System32\flabpcwo.dll

Infected: Trojan-Download...

A:Trojan-Downloader.Win32.Agent.aoyb has infected my svchost.exe

I have recently been looking at my anti-virus history and found that a specific person/organization has been trying to access my hard drive. My anti-virus blocked it, however this could have been really...really bad.

IP: 62.4.83.205
Country: NETHERLANDS

Shows the importance of a good anti-virus program.


Hello

My son has managed to get Trojan(s) on his laptop... Windows XP Pro SP2

I deleted temporary files, cleared cookies, turned off system restore and ran Norton, A-Squared free, SpyBot 1.6 and Ad-aware SE Personal 2008

Norton claims to have dealt with trojan.zlob and A-Squared found and cleared the trojan-dropper

Is there anything else I need to worry about please? If so please can you help me to remove it? I have reached my level of understanding and am not technical enough to understand the Hijackthis log.

Many thanks
Lin

=================
The Hijackthis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:45, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1...

A:Infected With Trojan.zlob - Trojan-dropper.win32.agent.rvv

Hi elsiegee40

Please make sure you have system restore turned on again ... actually you should NOT have turned it off, you now have NO restore points to fall back upon. Despite what Norton & others may say, you should not turn restore off (purge system restore) until your computer is clean ... even an infected restore point is better than none at all.

Your hijackthis log is clean, but that doesn't mean your computer is, from experience I doubt Norton has removed all the malware ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt
Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt
Please remember to post both txt files ...
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..
Please Download Malwarebytes' Anti-Malware from Here :-
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
or here :-
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the appl...


I had Trojan.Dropper/SVCHost-Fake.Process and a PUP toolbar downloader. After Global Moderator "boopme" in Forum "Am I infected,What do I do" kindly reassured me that neither of these would result in identity theft, he/she then walked me through removing the files and cleaning up the junk. I ran SuperAntiSpyware, Malwarebytes, TDSSKiller, aswMBR, TrendMicro Rootkit Buster, SpywareBlaster, and I removed old restore points.

After cleanup, Trojan.Dropper/SVCHost-Fake.Process and a PUP toolbar downloader no longer were there, but now I saw I had an unknown program in my Programs list, named "WinPcap 4.1.1". I uninstalled it, and ran new scans.

This time, Trend Micro RootkitBuster found several items which it marked as "unable to fix", and TDSSKiller found cercsr6, NetSvc and rmdnhfjovqbv (all of which I do not recognize.) I do not know whether or not I still am infected, and whether I must remove any of these unrecognized items. So boopme recommended I post DDS & GMER reports in this forum. I'm hoping you can help, please.

I really appreciate the efforts all of you are expending so generously on my behalf!

Original post in "Am I infected" forum: http://www.bleepingcomputer.com/forums/topic463339.html/page__p__2788021__fromsearch__1#entry2788021

ATTACH.TXT (from DDS) and ARK.TXT (from GMER) are attached.

DDS.TXT follows:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by L...

A:Trojan.Dropper/SVCHost-Fake.Process and a PUP toolbar downloader

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
Do not install any other programs until this is fixed.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass...


Hello all,

My laptop was hit with a multiple virus infection while using Firefox.
Symantec seemed to have taken care of things at the time but I was still having some problems, and it didn't seem to be able to get rid of TDSS. I disabled system restore and tried to clean the registry manually, but wasn't able to find all the entries listed on the Symantec site. I disabled the TDSS driver via the control panel.
MBAM wouldn't install, so I tried Spybot which found a few other issues. Finally I was able to install MBAM and HJT from a disc, and connected back to the internet again briefly to update both.
I ran CCleaner then MBAM in safe mode and MBAM seems to have cleaned everything (both MBAM and HJT scans looked ok afterwards, though there are still a few entries in the HJT log that look suspicious to me).
Everything seems to be fine now, and I proceeded to uninstall the old Java updates, got all the latest Windows updates, and then turned system restore on again.
I'm basically looking for some advice on what to do to make sure everything is in fact gone as there are those few HJT entries that look suspicious to me.
Thanks in advance!
DDS (Version 1.1.0) - NTFSx86
Run by mo at 16:50:17.96 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2532 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ====...

A:Multiple Virus Infection: Trojan.Vundo, Trojan.VundoH, Trojan.BHO, Trojan.TDSS, Trojan.Agent, Trojan.Downloader, Malware.Trace...

My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess, simply post back with your question, and we will go through it again. This seems like a tech issue and not a malware problem, but let's take a look and see what we find.

Sorry for the delay, please do the following...

ComboFix
Please download ComboFix from Here or Here
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License A...


DDS (Ver_10-03-17.01) - NTFSx86
Run by XXXXXX at 14:07:30.08 on Mon 04/12/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1944.966 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C: ...

A:Trojan/Trojan.Agent/Trojan.FakeAlert/Trojan.downloader

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo...


Hi,

It seems that I have trojan activity on my home pc.

I am running Vista and when I log in to my user profile I get a blue desktop with a box saying 'Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer'

I have tried a few malware removal programs, Malwarebytes, CCleaner, Adaware and ran virus scans in an attempt to try and remove it myself without bothering you guys but I just can't shift it, so I'm hoping you may have the time to help?

What I have noticed is that I only get these warnings when I am logged into my user profile, not as administrator or as another user on the pc. I also get no warnings when running in safe mode.

I run Avast and that brings up a warning soon after the blue desktop comes up that points to infection with C:\Users\Guy\AppsData\Local\Temp\tt991.tmp.vbs. The numbers/letters after the tt (in this case 991) change each time I log in. It also states Malware Name: VBS:Malware-gen, Malware Type: Virus/Worm, VBS version 080805-0,08/05/08 which I try and delete from the warning box.

I then am greeted with a windows script host message box that will say the above file (tt991.tmp.vbs) failed (Access Denied).

I also regularly get Windows security alert message boxes come up on the screen saying that Windows Firewall has detected activity of harmful software with mention of one of many trojans. These have been:
Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan...

A:Vbs:malware-gen - Trojan-clicker.win32.tiny.h, Trojan-downloader.win32.agent.bq, Trojan-spy.win32.keylogger.aa

Hi,

I am hoping you can help me.

My computer keeps telling me it is infected with spyware/malware. I get a blue desktop on startup with regular warnings saying the computer is infected with:
Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.HTML.Bankfraud.dq

Strange thing is that these only show up when I log in to my user account. If I log in as administrator, another user or as any user in safe mode I get no warnings and nothing shows up on scans.

The pop up warnings direct me to this site: www.antispyware-review.info/?wmid=46638&pwebmid=uWfLn0pimL&a= which is Smartsoft reviews to buy PC Antispy or PC Clean pro.

Malwarebytes scan picks up Fake.Dropped.Malware, Malware.Trace, Trojan.FakeAlert and Hijack.Wallpaper and even if I remove these and restart the PC they come back.

A spybot scan pointed to 2 entries of Virtumonde

I'll attach the latest HJT log, Malwarebytes log and Spybot logs in case you need them. Please help me with this, I can't seem to shift it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:34 AM, on 8/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Ado...


The last two days my computer has frozen up while trying to surf around online. This seemed weird so I ran a full system scan with symantec endpoint both days. Both times the logs came back with no risks detected. Today I started getting internet explorer pops directing me to sites. I knew at this point I had an infection that endpoint was not picking up. I disabled my network card and used another computer to download some of the suggested programs I've seen on this site. I was hoping to at least get the problem quarantined so that I would feel safe enough to enable the network card again. After running the utilities, I am not freezing when surfing web pages and have resumed using the computer. I would like help making sure that my computer is clean since endpoint obviously isn't catching this problem. Below are the logs for Kaspersky Online Scan & DSS.

Deckard's System Scanner v20071014.68
Run by bgedeon on 2008-07-29 14:40:22
Computer is in Normal Mode.
---------------------------------------------------------------------------------- HijackThis (run as bgedeon.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40, on 2008-07-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\s...

A:Infected With Trojan.win32.monder.bcb & Trojan-downloader.win32.agent.xxa

I continued to investigate on my own. Combofix quarantined some files, but did not delete them. A scheduled full system scan with endpoint finally picked up some infections with the newest updates loaded. Symantec scan labels the infections as Trojan.Vundo and Trojan.Metajuan. Metajuan was removed automatically, but Vundo proved to be a little more pesky. Symantec offers a removal tool for Vundo on their website. I opted to try out Malwarebytes' Anti-Malware (mbam). It was able to locate the files that were in quarantine and some infected files that were in system restore. I disabled system restore to avoid any problems and mbam was able to delete all the files. After a system restart, I scanned with Symantec Vundo tool and found no further signs of infection. Mbam did a good job. Re-enabled system restore and recreated a fresh restore point. I'm hoping that this will be the end of this problem, but would still be interested in someone combing through some of my logs to see if anything was missed. I'm still a little miffed that endpoint had not picked these infections up when they are not exactly new threats and I had the most current definitions when I ran my previous scans.


My eset Smart Security found "Win32/Olmarik trojan" but is unable to remove it. I have noticed that my google searches are often re-directed. Superantispyware reports this trojan: trojan.dropper/svchost-fake (C:\\Windows\Temp\CPLJ.Temp\SVCHOST.exe). I have tried using adaware, spybot search and destroy, Superantispyware, a-squared, malaware, activescan, and eset smart security. None of them have worked.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathan at 14:55:11.60 on Tue 03/23/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3582.1972 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WUDFHost....

A:win32/olmarik - trojan.dropper/svchost-fake

Hello, And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you let...


I believe that I have been infected by the following Virus: Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR. They were all removed by either Zone Alarm Anti-Spyware and SuperAntiSpyware. However, I continue to have the symptoms: sporadic hijack of my keyboard so keystrokes are executed in what appears to be a random fashion. I say it's random because most of the time what's typed by the virus doesn't make any sense. I was working with FAX in the ZoneAlarm user forum who recommended the malware removal tools and suggested I post my Hijackthis log if all else failed. All else has failed. Following is the log. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:46 PM, on 6/28/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\WinZip\WZQKPICK.EXE
C:\Program Files (x86)\WordWeb\wweb32.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\HPQ\HP Connection Manager 2...

A:Infection by Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a...


I believe I was infected last night when a website somehow redirected me to liteautogreatest{dot}cn.

I'm running XP Home SP3 and the ZoneAlarm Internet Security Suite (just updated earlier today).

ZoneAlarm continually finds a couple of problems and hibernates them but they do not go completely away after a reboot.

The ZoneAlarm active monitor scan shows the following...

Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNB.tmp on 4/20/2009 13:29:22
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNA.tmp on 4/20/2009 13:23:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN9.tmp on 4/20/2009 13:17:40
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN8.tmp on 4/20/2009 13:14:30
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN7.tmp on 4/20/2009 13:07:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN6.tmp on 4/20/2009 13:02:40
Rootkit.Win32.Agent.ikz was found in C:\WINDOWS\system32\drivers\systemntmi.sys on 4/20/2009 12:57:48
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\T...

A:Infected with Rootkit.Win32.Agent.ikz, Trojan-Dropper.Win32.Agent.amzh, Trojans? Malware?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Then download and install SUPERAntiSpyware Free
Double-click SUPERAntiSypware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, re...


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 94300
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:45:29

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\FreeApp.exe Infected: Trojan.Win32.Agent.arng 1
C:\Qoobox\Quarantine\C\Program Files\tinyproxy\tinyproxy.exe.vir Infected: Trojan-Proxy.Win32.Agent.bcw 1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe Infected: IRC-Worm.Win32.Small.x 1
C:\WINDOWS\bolivar24.exe Infected: Backdoor.Win32.Agent.ubx 1

The selected area was scanned.
--------------------------------------------------------------------------------
Logfile of random's system information tool 1.04 (written by random/random...

A:Infected: Trojan.Win32.Agent.arng, Trojan-Proxy.Win32.Agent.bcw, IRC-Worm.Win32.Small.x, Backdoor.Win32.Agent.ubx

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any scr...

RELEVANCY SCORE 140.4

Hi Boopme
Are you here?
Do I need to post everything that I have already posted to you here?: http://www.bleepingcomputer.com/forums/forum103.html
or is someone else going to help me? If so please let me know and I will give details to them.
By the way - this morning before work - I deleted my quarantine folders from SuperAntiSpyware and the logs from my desktop and ran a scan and it didn't pick anything up! But my Malwarebytes will not load again from the task bar when I click on it - it would not let me stop it by right clicking either so hoping it wasn't running a script for the DDS scan? - so I'm afraid my trojans might be back! I was going to run the Rkill one more time - but I didn't
I couldn't run GMER - I have Windows 7 64 bit and it would run but it didn't give me any options to check mark. I was using the 34 bit explorer (does that matter?)
Also the defogger - I'm not sure it worked as it didn't come up for me to click the finish button - it just went back to the little box that says disable? But I did get the DDS logs.
Here is my DDS Log:

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by tamhbrih at 18:15:58.57 on Mon 02/14/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1788.802 [GMT -7:00]

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/... Read more

A:Infected with Trojan.Agent/Gen-IEFake, Trojan.Agent/Gen-IExplorer[Fake] &Trojan.Agent/Gen-PEC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:
If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply'... Read more

RELEVANCY SCORE 139.2

Hello,

I am unable to remove some very stubborn malware. Please help me, I am at my wit's end! I greatly appreciate the kind volunteers who help with this sort of problem. It's a noble thing to do!

The attack began on Wednesday July 27, 2011. I was reading an article on a major news website, and all manner of stuff (ads, fake anti-virus programs) began to pop up on my screen. Unfortunately, I wasn't able to stop it soon enough, even though I killed the power strip immediately. I turned the modem off, rebooted, and ran consecutive scans using the following anti-virus software: Malwarebytes, Spybot, SuperAntiSpyware, and a version of Kaspersky that I have through Earthlink called Earthlink Protection Control Center. I performed complete scans with all 4 programs on all drives. All 4 programs found malware. Each found different malware, but they all seemed to successfully remove it. By Thursday morning, I thought the computer was clean, so I rebooted it in order to complete the malware removal process.

When the computer rebooted, everything seemed to work okay at first, except that none of the anti-malware programs were accessible anymore. When I tried to open any of them I got a pop-up window that said "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." The computer also runs more slowly now.

I performed searches for my anti-malware programs, and was able to... Read more

A:infected with Trojan.Dropper/SVCHost-Fake and Firefox keeps redirector

Welcome to BleepingComputer!
Let's see if we can sort this out for you.
We'll start with a couple of other scans and go on from there.

Step 1.
aswMBR:
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply

Step 2.
RKU:
Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note** you may get the following warning, just click OK and continue.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Step 3.
Things I would like to see in your reply:
The content of the log from aswMBR in step 1.
The content of the log from RKU in step 2.

RELEVANCY SCORE 138.8

Hi Mike !

Don't know what happened !! My Windows starts normally, after selecting the user, it displays ' loading personal settings'.. After that getting an error ' userint.exe application error' . Reference memory problem. Then it shows my desktop without any Task bar/Status bar and all the icons on my desktop are not displayed. I am accessing the explorer through Task manager using Ctrl+Alt+Del ..

Let me know whether this is a virus infection or some problem with windows registry.
thanks
clement

A:Infected with Trojan.Virtumonde/Trojan-Downloader.Agent.OGP, Help me in removing the trojan

Welcome to BC
The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all obj... Read more

RELEVANCY SCORE 138.4

I have been infected with some serious trojans
MBAM Scan results identified these 6 viruses/trojans:
Trojan.BHO - file
Adware.Vomba - Registry Key
Trojan.Fakealert - Registry Key
Fake.SystemTool - Registry Value
Fake.SystemTool - File
Fake.SystemTool - Registry Value
- - - - - - - - - - - - - - - - - - - -
Here's what I am getting:
- A fake program "Antivirus System Pro" runs on startup now
- gives repeated popups anytime I try to run a program (even Task Manager & svchost.exe) "Security Warning..."
- popup alert in bottom right corner that says
"Antivirus System Pro alert
INFILTRATION ALERT
Your computer is being attacked by an internet Virus. It could be a password-stealing attack, a trojan- dropper or similar.
DETAILS
attack from: 166.15.38.109, port 65207...."

here's my malwarebytes log:
- - - - - - - - - - - - - - - - - - - -
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
10/15/2009 9:30:35 PM
mbam-log-2009-10-15 (21-30-28).txt
Scan type: Quick Scan
Objects scanned: 118038
Time elapsed: 10 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\advantage (Adwar... Read more

A:Infected with trojans: Trojan.BHO, Adware.Vomba, Trojan.Fakealert, Fake.SystemTool

never mind. problem solved now. MalwareBytes Anti-Malware successfully quarantined the trojans.

[CLOSE TOPIC.]

RELEVANCY SCORE 138

Just within the last day and a half I've come to realize that I am infected with one of the hardest viruses to get rid of... google redirect virus. I've run a number of programs to try and get rid of it, but nothing has been successful. I have run Malwarebytes, which did not pick anything up. I ran MSE and didn't catch anything. I ran SAS and it was the only program that gave me the detected threat. I know that it is not an extreme virus, but it is extremely annoying. Any help would be great!
Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

A:Infected with Trojan.Dropper/SVCHost-Fake and Firefox browser redirecting

Hello, did you run RKill before SAS and MBAM?
RKill....
Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.
Immediately run.
Please download TDSSKiller.zip and extract it.
Run TDSSKiller.exe. Click Start scan.
When it is finished the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
Let reboot if needed and tell me if the tool needed a reboot.
Click on Report and post the contents of the text file that will open.

Note: ... Read more

RELEVANCY SCORE 137.2

Hi,
I had a previous Max++ infection and worked with Random Random to get resolved [see embedded link: http://www.bleepingcomputer.com/forums/topic253441-60.html ] Then on January 2010 I had a similar re-occurrence on 1-22. Luckily mbam.exe was able to remove 4 Trojans in safe mode, however all my icons for all Word files/and documents, as well the Adobe icons have been stripped from all my documents and I have not been able to get them back. Now my Java Auto Updater will not update . Last successful update was 1/17/2010. When the update tries to update i get "Error 1714 Older version of Java 6 update 20 cannot be removed contact tech support. - when I go to the Add/Remove programs in Control panel and try to remove Java 6 update 18 - error message is "file is corrupt". Then I try to remove Java 5 update 6 and I receive a message "please Uninstall thru Add/Remove program Utility 5.0 Update 6 Add/Remove Fatal Error"- I then ran 'regedit' and removed "jre1.6.0_11-c.msi" tried to re-install Java but no luck. Please help me - since apparently the last rootkit infection came thru backdoor left open from outdated Java security.
Thanks
EDIT: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP
Title was: GMER & DDS Logs will not Upload Trojan.Dropper and Trojan.FakeAlert.N, Trojan possible re-infection from Rootkit affecting Java Updater, Do Not Know How to Remove - Upload failed. The file was larger than t ~ OB
Hi, GMER & DDS Logs wil... Read more

A:Re-Infected w/Trojan.Dropper and Trojan.FakeAlert.N

Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.
Thanks

RELEVANCY SCORE 136.8

Hello Bleeping!
A few days ago I removed Norton AV and installed MSSE. MSSE detected Trojan Dropper: Win32/Sirefef.B and Rogue:Win32/FakeRean. For the past two full system scans MSSE has detected and removed the dropper, and the last scan (last night) detected the Fake Rean. The MSSE removals don't appear to be effective against the dropper. Another peculiar thing, when I installed MSSE a few days ago, it told me my firewall was not up, but when I go into MS Security Center it says that the firewall is "ON". Not sure if perhaps the Norton AV removal maybe wasn't complete and that I am getting "false positives", or if something is really there. My logs are as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by Eric at 16:37:09 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2216 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\syste... Read more

A:Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

RELEVANCY SCORE 136.4

From: Eric

I received a computer running XP Media Center Edition from a friend. Its desktop was being hidden automatically unless I told it to "show desktop". I ran SuperAntiSpyware and MBAM on it. They seemed to have removed the viruses. In preparation of this topic I ran GMER, which would not run so I ran TDSSkiller. TDSSkiller got rid of a rootkit virus. What I need now is to make sure that the computer is completely clean. Here are the DDS and GMER reports.

Thank you

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by sherri cordry at 20:08:08 on 2011-11-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1770 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device S... Read more

A:Comp was infected with Trojan.Agent/Gen-Fake AV, Trojan.Agent/Gen-Hullo[short], Rootkit virus

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426646 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

RELEVANCY SCORE 135.6

Hi,
Please help me in getting rid of the pop ups which keep coming up.
trojan downloader win32 agent bq
trojan clicker win32 tiny h
trojan spy win32 key logger.aa
trojan spy win32 green screen
trojan spy html bankfraud.dq

HijackThis log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:40, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Pac... Read more

A:Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Please also post the problems you are having.

RELEVANCY SCORE 134.8

I have an F-Secure internet security software suite on this computer, and it is up-to-date and functioning. I also have MalwareBytes (free) installed and have been running it regularly, and I use the ESET Online Scanner as well. The OS is Windows XP, and it is up-to-date.

About three weeks ago I cleaned around three trojans from this computer using MBAM and the online scanner. A few days ago, Adware.Win32.WebHancer.x was found by F-Secure, and is currently quarantined. Today, several instances of the two Trojan-Spy programs were found and quarantined by F-Secure; they infect system files and system restore files. I already looked up information on cleaning the system restore files by stopping and restarting system restore (and scanning in between). I deleted the quarantined files.

All of the Spy-Trojan's found are infecting in C:\hp\recovery\wizard\fscommand\. The file names are:
AppRecoveryLink_ret.exe
CDLogic_ret.exe
CreatorLink_ret.exe
RestoreLink_ret.exe
RTCDLink_ret.exe
RunLink_ret.exe
SysRecoveryLink_ret.exe
WizardLink_ret.exe

The Adware infected a .dll file, and I was advised not to delete it.
CDLogic_ret.exe is Agent.bdzz; the rest are Agent.beaf

I have run my antivirus, MBAM, and the online scanner again and they picked up nothing. Also, the Adware and Trojan-Spy's were all found during MBAM scans, but F-Secure picked them up.

I have attached a HiJackThis log and a DDS log; GMER froze my computer partway through the scan when I used it. I have ran a... Read more

A:Infected with Trojan-Spy.Win32.Agent.bdzz, Trojan-Spy.Win32.Agent.beaf, and Adware.Win32.WebHancer.x

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

RELEVANCY SCORE 134.8

As instructed I have started this in a new post, see original post below
 
In the interim I had already started running malwarebytes and have pasted the log below following the dds log, also I have attached the attach.txt as instructed.
 
As I thought more about it here is what happened this AM. I wanted to change the default order of my ubuntu grub boot to default windows so I clicked on wordpad that I had previously put on my taskbar. Pasted some instructions on how to install grub editing tool. When I booted in ubuntu I could not find the document I had just saved in shared files on my storage drive. After making changes in ubuntu when I was in windows again the desktop shortcuts I added within the last month or two had disappeared as well as things I had added to the taskbar. A bunch of other things are gone also I had recently gone through the process of switching to thunderbird, initially I had added one email address, then later added all my other addresses and had been using it for a few weeks. Now only the original email address is there all the rest of addresses and emails for several weeks are all gone
 
Original Post
Everything was fine yesterday, today things are not right. I first noticed that basically my data, profiles, email are mostly gone. Things have gone back to a prior point in time. some files are there but most are not. Tried to run goback to restore to a prior point in time. Did not work, got some error message catastrophic failure 0x80... Read more

A:Infected with trojan.downloader torjan.email.fake aware.agent

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/538457 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

RELEVANCY SCORE 134.4

Symptoms:
Background replaced with spyware notification.
"Windows Security Alert" pops up periodically saying that a windows firewall has detected activity of harmful software
"Enable protection link" to spyware removal program.
Bit Defender (housecall had problems with download)
McAfee Stinger
Also known as Trojan-Spy.HTML.Bankfraud.dq

I have run:
Adaware
Spybot
Cleaned temp files

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows M... Read more

A:Infected With Trojan-downloader.win32.agent.bq

Hello Blue97 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu..
Click the Clear now button below..
A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed,... Read more

RELEVANCY SCORE 134.4

I found out I am infected with Trojan-Downloader.Win32.Agent.zdo. Please help, I don't know how to remove it from my laptop. My antivirus was Norton antivirus, not able to detect it, but Kaspersky online scan did.

A:Infected With Trojan-downloader.win32.agent.zdo

I have already responded in your other thread here. Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Thanks for your cooperation.
This thread is closed. If you have any questions, please PM me or another Moderator.

RELEVANCY SCORE 134.4

Hello and thanks in advance for your help.
I've been looking through the different forums to see if I can find any "fixes" on my own but then realized...it's probably best to leave it to the experts! So here are the details...
1. The other day Avast informed me that a site I was visiting was infected with "JS:Downloader-JA[Trj]" and that it moved to the "Chest." I opened Avast and noticed that 2 others "viruses" were in there as well...JS:Agent-AV[Trj] and Win32:Trojan-gen{other}.
2. After that I tried to run MBAM but it didn't work. I received 2 error messages... 1. VbAccelerator SGrid11 Control Run.time Error '0' 2. Run-time Error '440' Automation Error
3. When MBAM didn't work I attempted to come to the BC site but IE said "No Connection" or it wouldn't load. So I shut down and restarted again.
4. Since getting the notification of the first virus, when I close my Office Email and Calendar the icons still show in the "Notifications Area" and they are still active in the processes tab of the Task Mgr.
5. I have used CCleaner in the past to clean up my computer and uninstall programs but have noticed recently each time I use it, and on the next reboot, my computer completely freezes where only the mouse works. Also, on the "blue ball" for Avast, there is a "red circle with a line through it." The only way to "unfreeze"... Read more

A:Infected with JS:Downloader-JA[Trj] and JS:Agent-AV[Trj] and Win32;Trojan-gen{other}???

Hello and welcome to Bleeping Computer.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 25 answers
RELEVANCY SCORE 133.6

I'm at a complete loss as to how to rid my computer from these trojans. I've run Spyware Doctor several times, but they keep showing up in subsequent scans. I also get varied "Cannot Find File "WIN32\xxx.dll" messages at startup, and a recurring popup from the Windows Firewall saying "To help protect your computer, Windows Firewall has blocked some features of this program. Do you want to block this suspicious software? Name: Win32.Brontok..." But the boxes for "Keep Blocking" and "Unblock" are grayed-out. "Enable Protection" seems to result in my system freezing up.

Anyway, your help is greatly appreciated. I'm fairly competent with technology, so I'll try to follow instructions to the letter and hopefully we can get rid of this stuff. Thanks!

-Greg
DDS (Ver_09-05-14.01) - NTFSx86
Run by CA$H $LAVE CLIQUE at 19:18:46.10 on Mon 05/18/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.3518.2793 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -... Read more

A:Trojan.Virtumonde, Trojan-Downloader.Agent.OGP, WIN32.Brontok

Just to update, I downloaded Malwarebytes and Avast! 4.8 and did some additional scanning, tried a few other tools with some success. My latest problems were with just getting to this site without redirects.

I also had to repair windows in order to get rid of my blue screen, which means I'm now back to XP SP1. I'd like to run Windows Update, but it would appear that I've been locked out of using that service. Can't run the normal Update through IE because "One or all of the following services are disabled: Automatic Updates, BITS." And trying to enable those services through msconfig yields an "Access Is Denied" window.

Ugh.

Here are my latest logs, if anyone reads this and is interested in helping:
DDS (Ver_09-05-14.01) - NTFSx86
Run by CA$H $LAVE CLIQUE at 18:29:19.21 on Wed 05/20/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.3518.2932 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spool... Read more

Read other 3 answers
RELEVANCY SCORE 133.2

I'm posting this on behalf of a friend.
Prior to this friend contacting me, she had a friend from school help her with her "computer issues". From what she tells me this friend executed an MBAM scan as well as 2 ComboFix scans. The first CF scan crashed her computer apparently. (I told her that this was very risky, but the friend that did it didn't know any better). I did, however, confirm that the ComboFix.exe that was used was obtained from bleepingcomputer.com
The MBAM log shows that her computer was infected with a Trojan.FakeAlert (Sysvxd.exe) and a Trojan.Downloader found in C:\WINDOWS\system32\drivers\svchost.exe
The ComboFix log also shows the following deletions:
c:\documents and settings\Lins\Application Data\inst.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\unins000.dat
c:\windows\unins000.exe
Attacht.txt and ark.txt have been attached to this post. If you would like to see the MBAM log as well as the ComboFix log, please let me know and I will gladly post them.
Below is the DDS log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Lins at 14:09:55.57 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.281 [GMT -5:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C... Read more

A:Infected with Trojan.Downloader and Trojan.FakeAlert

Hello,
My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic, if you still need help please let me know what issues you are still having, in your next reply.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Please download GMER from one of the following locations, and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zip Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Disconnect from the Internet and close all running programs, as this process may crash your computer.
Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
Double click on Gmer to run it.
Allow the gmer.sys driver to load if asked.
You may see a rootkit warning window. If you do, click No.
Untick the following boxes on the right side of the Gmer sc... Read more

Read other 17 answers
RELEVANCY SCORE 133.2

Malwarebytes' Anti-Malware 1.34
Database version: 1876
Windows 5.1.2600 Service Pack 2
3/20/2009 4:06:56 PM
mbam-log-2009-03-20 (16-06-56).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 119370
Time elapsed: 21 minute(s), 29 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13
Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msile (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msile (Backdoor.IRCBot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LO... Read more

A:Trojan.Agent,Trojan.NtRootkit.Agent,Backdoor.IRCBot,Trojan.FakeAlert.H

I have posted at Geekstogo to help you already.
Please do not post at multiple forums for help.

Read other 1 answers
RELEVANCY SCORE 132.8

Hello everybody,
I've been infected by Trojan-Downloader.Win32.agent variant
Can you please help me to remove it, here is the log I generated:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:11, on 24/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Edition D?couverte\3.0\Apps\apdproxy.exe
C:\Pr... Read more

A:infected by Trojan-Downloader.Win32.agent variant

Hello

We apologize for the delay in response; we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh HijackThis log back here.

Read other 2 answers
RELEVANCY SCORE 132.8

Hi,
I have been advised by ZoneAlarm of the infection: Trojan-Downloader.Win32.Agent.kgv Path: c:\WINDOWS\system32\msdtcs.dll.vzr. It's been Quarantined. The only out of the norm experience I have been having is freezing every now and then, which requires me to reboot. Not sure if this is a side effect of the infection. The infection had been Quarantined at 5 times and indicates to me that it could be a program I am running. I have been trying to update ZoneAlarm Anti-spyware for two days now and it won't update...Anti Virus updates and is updated. Please help me to remove it from my pc. I have included what I believe would be needed to get started (after reading several similar/different posts).

Thank you in advance....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:00 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com... Read more

A:Solved: Infected: Trojan-Downloader.Win32.Agent.kgv

Read other 16 answers
RELEVANCY SCORE 132.8

Last night I encountered an issue when I received the blue screen and my Win7 laptop shut down. After that, I tried booting in safe mode (which works most of the time, but sometimes the blue screen reappears) and noticed Kaspersky was not able to open. When I tried opening it from the start menu, nothing happens and the same goes for when I follow the prompt from Windows Defender to turn on my anti-virus: nothing but the same trojan alert. Windows Defender informs me of the unruy.h Trojan, and even after removing it, it doesn't seem to do anything, as it will pop up again if I try to open Kaspersky, or generally by itself. Is there any way to permanently remove it? I've tried Malwarebytes, and it doesn't seem to pick up anything when I tried it last night, though I know the virus is still present, because Windows Defender will alert me of this every time I try to open my anti-virus - not to mention the blue screens of death that show up when I boot up normally.

I am able to start safe mode with networking if that's a start, though I'm not sure if the use of the internet on the infected computer with this trojan would be ideal. Anyone care to help me out with this tedious issue? If I were to require a new program/file - the USB slots on the computer do not seem to pick up any device in My Computer, which might be problematic unless using internet in safe mode is okay. Though I generally have no clue as to how to rectify this issue.

Thanks in advance fo... Read more

A:BSOD and win32 unruy.h trojan downloader

Sorry, forgot to include the log from MBAM beforehand. Hopefully this'll be of some use.

Read other 3 answers
RELEVANCY SCORE 132.8

I hope I posted this information correctly. I need help removing the downloader trojan Win32 Unruy. My system is running Vista Home Edition. I've tried removing it with Malwarebytes and the most up to date McAfee. I'm attaching the logs from DDS. I'm hoping someone can please help me.

A:Help Removing Trojan Downloader Win32 Unruy

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Download GMER Rootkit Scanner from here to your desktop. Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post i... Read more

Read other 6 answers
RELEVANCY SCORE 132.4

There are several trojan horses detected such as Trojan-Backdoor.Win32.Agent.sp, Trojan-Downloader.Win32.QQhelper.kb, Trojan-PSW.Win32.OnlineGame.qy, Trojan-PSW.Win32.OnlineGame.yn, Trojan-BAT.KillAV.es, Trojan-proxy.Win32.small.du, Trojan-Downloader.Win32.Zlob.gj and many more...
I do not know how to remove those trojans, pls HELP!!!
Logfile of HijackThis v1.99.1
Scan saved at 10:49:43 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32... Read more

A:Several Trojan Such As Trojan-backdoor.win32.agent.sp, Downloader.win32 .qqhelper.kb

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Please also post the problems you are having.

Read other 1 answers
RELEVANCY SCORE 130

Not sure if I should follow the recommended Malwarebytes action "remove" or if I should do something else first... keeping the program open for now.
I am running Win7x64 RTM English Retail Professional, genuine version, with all recommended SPs & updates. Phenom II X4 proc, system runs very well in general. 4 GB RAM, plenty of HD space, etc. etc.
I did have a problem with the same virus or trojan a couple of weeks ago (probably the same exact date as the files are stamped with, which is 7/8/2010. The files are:
c:\users\<me>\AppData\Local\Temp\trz7D02.tmp
c:\users\<me>\AppData\Local\Temp\0.2880280364299931.exe
though that probably doesn't help you (afaik usually mal/spyware programs create random file names on the fly, right?)
Anyway, after I found myself infected a couple of weeks ago, I ran a System Restore and thought everything was hunky-dory. But perhaps not. I am not sure if the system is truly infected, or if the files are just sitting there, but obviously I am concerned and would appreciate your help.
Here is the DDS.txt, and I have attached the zipped Attach.txt. I am also including links from VirusTotal.com on the two files in question, if that is of any use to you.
Link 1, re: trz7D02.tmp:
https://www.virustotal.com/analisis/64cebae...7e18-1280237630
Link 2, re: 0.2880280364299931.exe:
https://www.virustotal.com/analisis/d05d804...214e-1279984996
The Trojan in question when I was infecte... Read more

A:Infected with Trojan downloader & Trojan dropper

Hello, and to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.
I will be working on your malware issues, this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you let... Read more

Read other 26 answers
RELEVANCY SCORE 130

Hi guys,
I ran a rogue executable sent to me by a friend and knew immediately that something was awry.
SYMPTOMS
- Computer bogged down immediately and I saw I was infected with the Nmehaa.exe process (which I ended).
- Received repeated warnings that Spoolsv.exe was trying to access secure files (selected no)
- Received repeated warning that Internet Explorer wasn't executing script properly and prompted to continue running script. I don't use IE, just Firefox. I selected no repeatedly, then accidentally hit yes, which resulted in my Google links being hijacked and sending me to shopping pages within Firefox.
- could not run Malwarebytes Anti-Malware OR SUPERAntiSpyware free
- my wireless zero configuration continually turns itself off, meaning wireless network access is nearly impossible
- PC doesn't recognize a plugged in ethernet cable
- my taskbar at bottom has messed up colors (I run a black theme and the taskbar is now black with gray sections)
ACTIONS
- disabled wireless network card
- ran AVG anti-virus in standard mode, which gave a false negative and didn't remove any infection
- attempted system restore several times, to no effect
- found and followed the preparation guide here on bleepingcomputer.com (DDS and GMER files are attached)
- After following guide, I took one more stab at a solution: I downloaded the latest versions of SUPERAntiSpyware and Malwarebytes and their latest definitions, transferred them to the PC via USB, and ran them in safe mode after t... Read more

A:Infected with Malware.Trace, Trojan.Agent, Trojan.Downloader

Hello and welcome to Bleeping Computer.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.
We need to create an OTL report,
Please downloa... Read more

Read other 9 answers
RELEVANCY SCORE 129.2

I have followed all the preparation steps before posting, but am still getting a variety of Windows Security Alerts popups about Trojans. First was Trojan-Downloader.Win32.Agent.bq, and then Trojan-Spy.Win32.GreenScreen, and the latest is a Windows Security Alerts popup with sort of a section of a screen shot of a verizon yahoo search results page for antispyware-review.
Running Windows XP on a Pentium PC Desktop
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:57 PM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Fi... Read more

A:Trojan-downloader.win32.agent.bq, Trojan-spy.win32.greenscreen, Etc.

Hello and welcome to BC.
We apologize for the delay in response; we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so we can have a look at the current condition of your machine.
Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
Thanks and again sorry for the delay.
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Note: If you are using Windows Vista, right click at RSIT.exe and select 'Run as administrator'.

Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and le... Read more

Read other 3 answers
RELEVANCY SCORE 129.2

It started two days ago. My Kaspersky detected a trojan intrusion win32.agent. I tried to delete it, but it just won't go away. It crashed a few times. Today, I used Autoruns to remove the nonessential items comparing to the startup list. After, I used Spybot and adware to scan and clean it. All this time, my virus scan is going crazy trying to delete these two intrusions, but nothing has worked. I'm just about to give up and reinstall Windows. Please Help....
Logfile of HijackThis v1.99.1
Scan saved at 0:31:11, on 2006-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\a... Read more

A:Trojan.win32.startpage.amg&trojan-downloader.win32.agent.bbc

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Read other 2 answers
RELEVANCY SCORE 128.8

Hi,

My partner's laptop is infected with a pretty nasty virus (and she gave me the job of fixing it!).

The virus killed the internet connection, disabled Norton anti-virus and generally slows down the whole machine.

I already ran malwarebytes anti-malware, which found the following:
Trojan.Downloader
Trojan.Agent
Trojan.Spammer
Rootkit.Bagle

Malwarebytes tried to remove the infected files but the virus just returns on reboot.

I also ran hijackthis. I can post both the logs if requested.

Thanks in advance for any help!

Cheers,
Karol.

A:Infected with Trojan.Downloader / Trojan.Agent / Bagle

Hi Karol and welcome to BC. Let's do a few tasks.
If you are using a wireless router, please reset it and make sure it is set to automatically obtain a DNS address. Routers vary, so you may have to reference your manual. If you do not have a manual, please let us know what the model and make of your router is. Also, please make sure you place an administrator password on your router. Don't forget to write this information down = you may need it 6 months from now.
Please rerun Malwarebytes using these instructions:
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is dif... Read more

Read other 9 answers
RELEVANCY SCORE 128.8

Hi,
My partner's laptop is infected with a pretty nasty virus (and she gave me the job of fixing it!).
The virus killed the internet connection (but I managed to figure out how to get the internet back), disabled Norton anti-virus and generally slows down the whole machine. The virus seems to prevent me from restarting into Windows safe mode. Various tools don't run - for instance, I could not run DrCureIt or even Kaspersky online scan.
I've been moved to this forum from the 'Am I infected? What do I do?' forum. For a full report of the problem, and the steps taken so far, please see:
http://www.bleepingcomputer.com/forums/t/228965/infected-with-trojandownloader-trojanagent-bagle/
I'm posting a DDS log as in the instructions.
Thanks in advance for all your help!
Cheers,
Karol.
DDS (Ver_09-05-14.01) - NTFSx86
Run by Eczka at 12:48:08.06 on Tue 26/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.82 [GMT 10:00]
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\... Read more

A:Infected with Trojan.Downloader / Trojan.Agent / Bagle

Hello KarolF, and to Bleeping Computer Forums, My Nick is Net_Surfer I'll be glad to help you with your computer problems.
I will be working on your Malware issues, this may or may not solve other issues you may have with your machine.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know.
Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.
Please be patient and I'd be grateful if you would note the following:
The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic.
2. The lo... Read more

Read other 15 answers