Win32:Sirefef-PL, Win32:Malware-gen, WIn32:Downloader-PKU [Trj], Win32:DNSChanger-VJ [Trj], BCMiner need help

Q: Win32:Sirefef-PL, Win32:Malware-gen, WIn32:Downloader-PKU [Trj], Win32:DNSChanger-VJ [Trj], BCMiner need help

Avast continually blocks the following threats:
- Win32:Malware-gen
- WIn32:Downloader-PKU [Trj]
- Win32:DNSChanger-VJ [Trj]

Avast scans and detects Win32:Sirefef-PL [Rtk], cannot remove it though.
Malwarebytes scan detects BCminer, quarantines it, though never seems to get rid of BCminer.

Other issues of possible note:
- Windows Firewall not running 0x80070424
- Backup & Restore - last backup did not complete successfully - server execution failed - 0x80080005

Ran both DDS and GMER (GMER did not have all the options available as per the preparation guide, and did not log anything when the scan was complete).

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Family-pc at 12:37:05 on 2012-08-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.16383.13888 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [ogert] "C:\Windows\System32\rundll32.exe" "C:\Users\Family-pc\AppData\Roaming\ogert.dll",BackslashReplaceErrors
mRun: [BiosNotice] C:\Program Files (x86)\BIOSTAR\BiosNotice\BiosNotice.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\FAMILY~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{FD0F1D5D-B187-4970-B790-B4EA2C427072} : DhcpNameServer = 192.168.0.1
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - No File
BHO-X64: AMD SteadyVideo BHO - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [BiosNotice] C:\Program Files (x86)\BIOSTAR\BiosNotice\BiosNotice.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Family-pc\AppData\Roaming\Mozilla\Firefox\Profiles\6x7bbbcz.default-1344000566399\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.ca/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\aswNdis.sys --> C:\Windows\system32\DRIVERS\aswNdis.sys [?]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\Windows\system32\drivers\aswNdis2.sys --> C:\Windows\system32\drivers\aswNdis2.sys [?]
R1 aswFW;avast! TDI Firewall driver;C:\Windows\system32\drivers\aswFW.sys --> C:\Windows\system32\drivers\aswFW.sys [?]
R1 aswKbd;aswKbd;C:\Windows\system32\drivers\aswKbd.sys --> C:\Windows\system32\drivers\aswKbd.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 BIOS;BIOS;C:\Windows\System32\drivers\BIOS64.sys [2012-3-14 14136]
R1 BS_I2cIo;BS_I2cIo;\??\C:\Windows\system32\drivers\BS_I2c64.sys --> C:\Windows\system32\drivers\BS_I2c64.sys [?]
R1 BS_TPIO;BS_TPIO;\??\C:\Windows\system32\drivers\BS_TPIO64.sys --> C:\Windows\system32\drivers\BS_TPIO64.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-6-11 361984]
R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-8-4 44808]
R2 avast! Firewall;avast! Firewall;C:\Program Files\AVAST Software\Avast\afwServ.exe [2012-8-4 133912]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-30 655944]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-7-25 681056]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\system32\DRIVERS\asmthub3.sys --> C:\Windows\system32\DRIVERS\asmthub3.sys [?]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\system32\DRIVERS\asmtxhci.sys --> C:\Windows\system32\DRIVERS\asmtxhci.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-28 113120]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-7-25 1326176]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-04 03:59:05 142128 ----a-w- C:\Windows\System32\drivers\aswFW.sys
2012-08-04 03:59:03 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-08-04 03:59:03 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-08-04 03:59:03 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-08-04 03:59:03 266776 ----a-w- C:\Windows\System32\drivers\aswNdis2.sys
2012-08-04 03:59:03 19600 ----a-w- C:\Windows\System32\drivers\aswKbd.sys
2012-08-04 03:57:44 12368 ----a-w- C:\Windows\System32\drivers\aswNdis.sys
2012-08-04 03:57:38 41224 ----a-w- C:\Windows\avastSS.scr
2012-08-04 03:57:29 -------- d-----w- C:\ProgramData\AVAST Software
2012-08-04 03:57:29 -------- d-----w- C:\Program Files\AVAST Software
2012-08-03 15:35:54 85472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2012-08-03 13:12:39 -------- d-----w- C:\ProgramData\Visan
2012-08-03 03:42:31 -------- d-----w- C:\Users\Family-pc\AppData\Local\Secunia PSI
2012-08-03 03:42:26 -------- d-----w- C:\Program Files (x86)\Secunia
2012-08-03 03:22:42 457632 ----a-w- C:\FixExec.com
2012-08-03 03:19:26 457632 ----a-w- C:\FixExec.exe
2012-08-03 02:11:31 -------- d-----w- C:\ProgramData\82C65AE66C27E56A0046897AF875F002
2012-07-31 03:41:13 -------- d-----w- C:\Users\Family-pc\AppData\Roaming\Malwarebytes
2012-07-31 03:41:08 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-31 03:41:05 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-31 03:41:05 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-30 17:14:07 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-30 16:55:42 -------- d-----w- C:\Users\Family-pc\AppData\Local\{8EC12C23-DA67-11E1-8270-B8AC6F996F26}
2012-07-30 16:54:48 -------- d-----w- C:\Users\Family-pc\AppData\Roaming\xsecva
2012-07-27 13:09:28 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F14B868B-8885-4309-8705-273549D311CA}\mpengine.dll
2012-07-12 07:01:34 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-11 19:39:24 2004480 ----a-w- C:\Windows\System32\msxml6.dll
.
==================== Find3M ====================
.
2012-08-03 13:58:05 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 13:58:05 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-11 18:59:38 10248192 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-06-11 18:35:48 70144 ----a-w- C:\Windows\System32\coinst_8.98.dll
2012-06-11 18:29:34 24826368 ----a-w- C:\Windows\System32\atio6axx.dll
2012-06-11 18:00:32 20467712 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-06-11 17:50:46 187392 ----a-w- C:\Windows\System32\clinfo.exe
2012-06-11 17:50:30 75264 ----a-w- C:\Windows\System32\OpenVideo64.dll
2012-06-11 17:50:24 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-06-11 17:50:18 63488 ----a-w- C:\Windows\System32\OVDecode64.dll
2012-06-11 17:50:14 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-06-11 17:50:06 16457728 ----a-w- C:\Windows\System32\amdocl64.dll
2012-06-11 17:49:22 13008896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-06-11 17:25:06 163840 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-06-11 17:24:58 924160 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-06-11 17:23:12 1090560 ----a-w- C:\Windows\System32\aticfx64.dll
2012-06-11 17:20:02 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-06-11 17:19:58 532992 ----a-w- C:\Windows\System32\atieclxx.exe
2012-06-11 17:19:14 239616 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-06-11 17:17:56 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-06-11 17:17:42 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-06-11 17:17:38 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-06-11 17:17:32 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-06-11 17:16:48 6301696 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-06-11 17:01:56 6914560 ----a-w- C:\Windows\System32\atidxx64.dll
2012-06-11 16:51:54 4246528 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-06-11 16:45:48 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-06-11 16:45:46 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-06-11 16:45:44 5480448 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-06-11 16:45:40 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-06-11 16:45:38 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-06-11 16:45:26 15703040 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-06-11 16:43:18 4729344 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-06-11 16:40:58 13277696 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-06-11 16:36:56 6605824 ----a-w- C:\Windows\System32\atiumd64.dll
2012-06-11 16:27:02 539136 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-06-11 16:26:52 368640 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-06-11 16:26:40 17920 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-06-11 16:26:36 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-06-11 16:26:36 14848 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-06-11 16:26:30 41984 ----a-w- C:\Windows\System32\atig6txx.dll
2012-06-11 16:26:22 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-06-11 16:26:14 367616 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-06-11 16:25:20 54784 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-06-11 16:25:12 42496 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-06-11 16:25:06 45056 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-06-11 16:24:58 32768 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-06-11 16:24:24 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-06-11 16:23:18 56320 ----a-w- C:\Windows\System32\atimpc64.dll
2012-06-11 16:23:18 56320 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-06-11 16:23:10 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-06-11 16:23:10 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-31 16:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 12:37:22.09 ===============

A: Win32:Sirefef-PL, Win32:Malware-gen, WIn32:Downloader-PKU [Trj], Win32:DNSChanger-VJ [Trj], BCMiner need help

Hello Njals, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions. Do you have a USB Flash Drive you can use?

My Avast antivirus recently started detecting a whole host of viruses. I ran a thorough scan of all files and deleted every infected file until the scanner turned up a hit in the operating memory. It then suggested I run a boot sector scan - I did so. Upon rebooting Avast started detecting more viruses. This time I rebooted into Safe Mode and ran the scanner there, deleting everything I found. Apparently one of the files I deleted was important, because after that my computer Blue-Screened during boot-up and I had to do a system restore to a save point from a few days ago (before the virus was contracted). Since then the virus has continued to crop up, and I haven't the foggiest notion of how to get rid of it.

The title is a list of the virus descriptions that my Avast scanner gave me. I ran all the programs the walkthrough on this site instructed me to, but the RootRepeal program crashed and generated an error message and crash report, both attached (error message in .png image format - I took a screenshot of it).

Thanks for your help!

__________________________________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by Bryan at 18:56:06.09 on Wed 12/02/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1546 [GMT -5:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32&...

A: Infected with js: downloader-FT Win32:Banload-GLR Win32:Malware-gen Win32:Refpron-AW Win32:Rootkit-gen Win32:VB-NWC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

Hi,
Please help me in getting rid of the pop ups which keep coming up.
trojan downloader win32 agent bq
trojan clicker win32 tiny h
trojan spy win32 key logger.aa
trojan spy win32 green screen
trojan spy html bankfraud.dq

HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:40, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Pac...

A: Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

Hello,
Please help if you can. I ran free Avast! version 5.0.677 on my Windows XP desktop computer (Pentium 4, 1.5 Ghz CPU, 1 gb ram), and came up with the following virus warnings. Unfortunately the Avast! software internal tools to remove it are grayed out and not functioning. I tried a couple of things to remove viruses from help online and then realized I was in way over my head. I found this forum and am now requesting help.

Avast! says I am affected with: JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and Win32:Virut
Attached a screen shot of Avast! with viruses and partial path to them.

Computer's Symptoms (not sure if these are all due to old slow processor or malware):
Computer is freezing often;
When it is in sleep mode it is turning itself on;
Seems to be downloading stuff often and slowing down;
Monitor is going black forcing reboots often;
Couple weeks back I began getting floating ads that pop up when browsing online;
I get an error message daily that says AdAware has shut down unexpectedly, do I want to send a report? I have been ignoring this, not knowing if it was important, been several weeks.

Ok, I think that is all I can think of to share. Please help if you can. I appreciate it.
Thanks,
Dancer
~~~~~~~~~~
DDS (Ver_10-03-17.01) - NTFSx86
Run by ljk at 15:52:28.93 on Mon 09/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.102...

A: Please Help ~ Infected with JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and...

Hello, and to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine. Attention to detail is important!

Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

I ask that you please refrain from running tools other than those I su...


I started noticing a couple weeks ago that my computer would link itself to advertisements. Downloaded Avast and it found the following:

win32:Sirefef-PL AND win32:Sirefef-(with other letters)
win32:BitCoinMiner-U
win32:Malware-gen

I completed the DeFogger and I didn't do the GMER as it says not to for 64-bit.

I tried to check on my firewall, but when I clicked 'use recommended settings' it says "Error Code: 0x80070424".

Even though I ran the Avast Boot Scanner and it said it deleted the files, Avast pops up saying "Trojan blocked" or "Malware blocked" all the time, so I know I am still infected.

THANKS IN ADVANCE!

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Rachel at 14:59:18 on 2012-08-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2044 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:... Read more

A:win32:Sirefef-PL/win32:BitCoinMiner-U/win32:Malware-gen

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more


I recently got annoyed when my Firefox browser started redirecting me to random websites. So I scanned my computer using aswMBR and it found viruses called Sirefef-PL, Medfos and Agent-APDL.

Here is my aswMBR log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-17 12:32:14
-----------------------------
12:32:14.193 OS Version: Windows x64 6.1.7601 Service Pack 1
12:32:14.193 Number of processors: 4 586 0x2A07
12:32:14.194 ComputerName: STEVEN-PC UserName: Steven
12:32:15.256 Initialize success
12:32:18.850 AVAST engine defs: 12081601
12:32:23.238 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
12:32:23.241 Disk 0 Vendor: SAMSUNG_HD103SJ 1AJ100E5 Size: 953869MB BusType: 3
12:32:23.264 Disk 0 MBR read successfully
12:32:23.267 Disk 0 MBR scan
12:32:23.271 Disk 0 Windows 7 default MBR code
12:32:23.286 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
12:32:23.300 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
12:32:23.393 Disk 0 scanning C:\Windows\system32\drivers
12:32:37.944 Service scanning
12:32:52.922 Modules scanning
12:32:52.930 Disk 0 trace - called modules:
12:32:52.946 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
12:32:52.951 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007db30... Read more

A:Help with Win32:Sirefef-PL/Win32:Agent-APDL/Win32:Medfos

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

- Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
- Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
- If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
- In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
- If I instruct you to download a specific tool which you already have, please delete ... Read more


Hello. Sorry about this mess. I'm afraid I don't really know what I'm doing. My nephew asked me to help get rid of a red circle with a white cross telling him he had spyware, but it's turned into something much worse. He only used Windows Firewall and nothing else, saying he only uses World of Warcraft and MSN and music and doesn't surf the web!! I tried to scan with AVG but it was aborted and the Windows Firewall was continually turned off no matter how many times I put it on. Tried other antivirus progs but all were turned off. Eventually I managed to do an online scan on Microsoft Safety Centre and deleted quite a few v high threat trojans but many unable to clean. I also ran Sophos rootkit and nearly gave myself a heart attack - 938 hidden things that it recommends not to clean. I resorted to you now. I followed the tutorial for posting HijackThis and here are the results.

Kaspersky report for critical areas
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 12:40:36
Records in database: 1426420
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - Critical Areas:
C:\Do... Read more

A:win32/alureon.gen, win32/Eldycow.en!A, win32/Small, win32/Olmafik, winNT/Xantvi.gen!A, Trojan-Game Thief and more

I think I have sorted this. I ran SDFix which cleaned up enough for me to install antivirus. Avast caught lots of trojans and I have now been able to online scan and Spybot S&D etc. All logs now coming back clean so can you delete this post please.


Hello,

My computer became infected last night, and it's pretty bad. I became infected with Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more). Long story short, I'd just watched Harry Potter on DVD, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.

The virus listed by Defender was Trojan:Win32/Alureon.BT. Avast listed Win32:Jifas-CY, I didn't get the others in time. The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.

I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since Windows now thinks I have no anti-virus installed. All of these trojans are listed as "server" and "high risk." I'm not sure a root kit didn't try to make its way in too.

EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the viruses we... Read more

A:Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t

Hello again.

I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite of what it says when you log into the limited user account). The computer (and especially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?

Should I scan from a pre-install environment like BartPE? Or from the regular "Owner" admin account? I waited 2 days for the stupid program to scan 700 GB (painfully slow for a quad core, though to be expected in safe mode), and it was useless.

Other than running Windows Defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIt and ComboFix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.

Does no one have any ideas???


Hi,

It seems that I have trojan activity on my home PC. I am running Vista and when I log in to my user profile I get a blue desktop with a box saying 'Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer'.

I have tried a few malware removal programs, Malwarebytes, CCleaner, Adaware, and ran virus scans in an attempt to try and remove it myself without bothering you guys, but I just can't shift it, so I'm hoping you may have the time to help?

What I have noticed is that I only get these warnings when I am logged into my user profile, not as administrator or as another user on the PC. I also get no warnings when running in safe mode.

I run Avast and that brings up a warning soon after the blue desktop comes up that points to infection with C:\Users\Guy\AppsData\Local\Temp\tt991.tmp.vbs. The numbers/letters after the tt (in this case 991) change each time I log in. It also states Malware Name: VBS:Malware-gen, Malware Type: Virus/Worm, VBS version 080805-0, 08/05/08, which I try and delete from the warning box. I then am greeted with a Windows Script Host message box that will say the above file (tt991.tmp.vbs) failed (Access Denied).

I also regularly get Windows Security Alert message boxes come up on the screen saying that Windows Firewall has detected activity of harmful software with mention of one of many trojans. These have been:
Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan... Read more

A:Vbs:malware-gen - Trojan-clicker.win32.tiny.h, Trojan-downloader.win32.agent.bq, Trojan-spy.win32.keylogger.aa

Hi,

I am hoping you can help me. My computer keeps telling me it is infected with spyware/malware. I get a blue desktop on startup with regular warnings saying the computer is infected with:
Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.HTML.Bankfraud.dq

Strange thing is that these only show up when I log in to my user account. If I log in as administrator, another user or as any user in safe mode I get no warnings and nothing shows up on scans. The pop up warnings direct me to this site: www.antispyware-review.info/?wmid=46638&pwebmid=uWfLn0pimL&a= which is Smartsoft reviews to buy PC Antispy or PC Clean Pro.

Malwarebytes scan picks up Fake.Dropped.Malware, Malware.Trace, Trojan.FakeAlert and Hijack.Wallpaper and even if I remove these and restart the PC they come back. A Spybot scan pointed to 2 entries of Virtumonde.

I'll attach the latest HJT log, Malwarebytes log and Spybot logs in case you need them. Please help me with this, I can't seem to shift it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:34 AM, on 8/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Ado... Read more


Hi, My laptop is running on Windows XP Home Edition Ver 2002 SP3. I also have CA Anti-virus software and Malwarebytes installed.

Recently, my laptop was infected by the malware Win32/ZAcesss.AC, Win32/Karagany.ZAAE and Win32/Fosniw.ZABA. The CA Anti-virus software detected and quarantined them, but they came back again after reboot. Also, Google search results are redirected to the website xa.com.

I would be most grateful if you could help to solve this issue. The DDS log is pasted below. For your info, I received the following message when GMER completed scanning: WARNING!!! GMER has found system modification caused by ROOTKIT activity.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by CST at 4:20:34 on 2011-11-25
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.2047.1291 [GMT 8:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\Zcfg... Read more

A:Google redirect to xa.com and malware Win32/ZAcesss.AC, Win32/Karagany.ZAAE and Win32/Fosniw.ZABA

Hi,

Please do the following:

Download ComboFix from one of the following locations: Link 1 Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\C... Read more


When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings."

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

A:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Firefox and mostly IE are experiencing redirects when I search through any search engine. Avast is continuously stopping malware in the Windows\Temp folder.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ricardo at 15:09:36.31 on Sun 12/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2184 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\... Read more

A:Infected with Win32:Malware-gen, Win32:Rootkit-gen, and Win32:Spyware-gen

Please close this post. I'm reformatting and reinstalling an Acronis Image prior to the infection. Thanks anyway.


Originally Virus Heat installed itself onto my computer, then we added CA Security anti-virus and anti-spyware protection. This cleaned up some of the problem but I had to download Spybot Search and Destroy to find more spyware. There was a lot of Zlob spyware on the computer. I have spent countless hours on the phone with tech support with Time Warner, who is my internet provider, who suggested the CA Security that isn't picking up on everything. Now when I run a full scan with CA on my computer it says there are no infections, but I keep getting a pop up from CA saying there are 33 infected items. The pop up is random; it isn't in connection with the anti-virus scan. They aren't deleted or quarantined, the pop up just states the file name, infection name, type which is "file" and status which is infected. There are 10 win32/vmalum.ccpy, 19 win32/crushpy!generic, 1 win32/vmalum.ccqd, 2 win32/bewschy.d and 1 vmalum.ccqa. The files aren't quarantined so I can't go in and delete them, and when I run the scan to clean them up it isn't picking up on them. So CA anti virus scan isn't picking up on these infected files, but then again it is because the pop up knows they are there? Does this make sense? Almost like it knows they are there but it can't do anything with them? Time Warner suggested I get a trojan hunter, is this appropriate? Are you familiar with these infection types? I have googled the names but nothing comes u... Read more

A:Win32/bewschy.d, Win32/vmalum.ccpy, Win32/vmalum.ccqa,win32/crushpy!generic, Win32/vmalum.ccqd

What OS (Win 2K, XPsp1, XPsp2, Vista) are you using? Have you tried doing your scans in "Safe Mode"? Are you doing scans while logged into the "Administrator Account" or an "account with administrator privileges"? You need to start there first. If rescanning in Safe Mode does not help, then do this:

Please perform an online scan with Kaspersky WebScanner
Click on
You will be prompted to install an ActiveX component from Kaspersky, Click
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on
Now click on
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click
Now under select a target to scan: Select My Computer
This program will start and scan your system. The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button: Save the file to your desktop.
Copy and paste the scan results in your next reply.


I seemed to have picked this up last night. So far all I've done is when my anti-virus detects it, I've been moving it to anti-virus chest. When I ran the full scan though, it said it doesn't detect anything. Any help would be greatly appreciated.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 1.6.0_30
Run by Toni at 7:09:16 on 2013-09-10
Microsoft Windows 7 Starter   6.1.7600.0.1252.63.1033.18.2048.392 [GMT -5:00]
.
AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Common Files\Spigot\Search Sett... Read more

A:Win32:Sirefef-BTT [Trj], Win64:Sirefef-A [Trj], Win32:Malware-gen

Good evening. Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder. To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All... In the Extraction Wizard window that opens, click on Extract and the contents should appear in a new window.

Please close all open programs as this may result in a reboot being necessary.
Double click TDSSKiller.exe to begin.
Click Change parameters and check the two boxes under Additional Options and then click OK.
Click Start scan and allow the tool to do just that.
Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.

The log that the tool creates will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt. I'd like a copy of the contents in your next reply. Please check that you get the one with the right date and time.


Hi!

Please help. Along with the above virus? names I have an icon down in the bottom right corner that flashes from a yellow X to a yellow ? with a message telling me I have a Critical System error and to go to that site and download software....

I have AVAST and ran a full scan and did come up with several files with virus/trojan names; these files went into the Virus Chest. I deleted the Temp ones but decided not to delete anything else until I know what is going on. I have since ran the Clean Up through Avast and rescanned twice. Did not show any new stuff although there were 6 files that it was not able to scan. It appears that my C drive has all the problems.

One other thing I did notice was that when I went into Device Manager there is the big yellow question mark next to something identified as optional device and below that another question mark as RAID something. Also, down below the volume game controller file? there are several things that have a big yellow exclamation marks......

Someone showed me last night the process to remove the Adware(??) and the icon and clean this up, but I was not at home so I just reviewed the info, decided that I should be able to do it and just wrote down this website address. So, now I am here but do not know where to get started.................

Thanks for your help!

A:Win32:zlob; Win32:ageng-a; Win32:adan-007; Win32:enumplus And On And On

Sorry you didn't get a reply sooner. Here's what to do.

Follow the directions in this topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then post a new topic with your HJT log here: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Provide a brief description of your problem, and provide a title similar to the one you have here. Please be patient, as the HJT team is very busy. Do not bump your log as the team may think that someone is already helping you. If you have not had a response in five days add a reply to this topic: http://www.bleepingcomputer.com/forums/topic14717.html and paste in the link to your HJT topic there.

Orange Blossom


I started getting fake Windows Security Essentials pop ups every time I attempted to open Chrome, saying that WSE had detected a potential threat. I ran Task Manager and found that hotfix.exe was running, which I ended and was able to use my browsers again. I ran Malwarebytes, cleaned the problems and restarted. The popups have now stopped, but Internet Explorer opens randomly with ads and MSE is going nuts with reports of Win32/Renos.LX, Win32/Renos.JS and Win32/FakeYak. Malwarebytes has been reporting Trojan.FakeAlert, Trojan.Downloader and Trojan.Dropper. No matter how many times I remove said threats, they are always there after a restart.

DDS (Ver_10-10-31.01) - NTFS_AMD64
Run by Bryony at 21:17:56.29 on 31/10/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3958.2188 [GMT 0:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\... Read more

A:Trojan Downloader: Win32/Renos.LX, Win32/Renos.JS, Rogue: Win32/FakeYak

Hi,Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.Once I receive a reply then I will return with your first instructions.Thanks


Hello Bleeping!
A few days ago I removed Norton AV and installed MSSE. MSSE detected Trojan Dropper: Win32/Sirefef.B and Rogue:Win32/FakeRean. For the past two full system scans MSSE has detected and removed the dropper, and the last scan (last night) detected the Fake Rean. The MSSE removals don't appear to be effective against the dropper. Another peculiar thing, when I installed MSSE a few days ago, it told me my firewall was not up, but when I go into MS Security Center it says that the firewall is "ON". Not sure if perhaps the Norton AV removal maybe wasn't complete and that I am getting "false positives", or if something is really there. My logs are as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by Eric at 16:37:09 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2216 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\syste... Read more

A:Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more


Ya, heading has list of viruses in my computer per the Avast boot-time scan... I'm not sure how to remove 'em

A:win32:pswtool_L/win32 malware-gen/win32:funweb

Please download Malwarebytes Anti-Malware and save it to your desktop. Download Link 1 Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to comp... Read more


Hi there

My ESET NOD32 Antivirus 4 detected Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS
I tried to remove them with Kaspersky removal tool, Malwarebytes Anti-Malware, Spybot
All failed to delete this file C:\WINDOWS\assembly\GAC_MSIL\desktop.ini which is a Win32/Sirefef.CH trojan
The other Win32/Rootkit.Agent.NUS trojan is in operating memory
My PC symptoms are: 1. can't access a direct link... I have to press 3-4 times the Enter key in browser, then page will load.
2. PC is moving slow

A:infected by Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS

Hi
Please do the following:
Please download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
NEXT
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Wind... Read more


Hi, I'm running Windows XP - Internet Explorer v. 6.00, SP3. Yesterday Avast alerted me to a virus on my computer (I neglected to write down the exact message). At the time, only Gmail was open and an email was being written. I've had some issues with Avast occasionally reporting a false positive, and since nothing was being downloaded at that time, I took no action with Avast. Instead, I immediately did a Quick Scan with MalwareBytes to see if it would find anything. MalwareBytes found and deleted the following:
C:\Documents and Settings\HP_Owner\application data\Sun\Java\deployment\cache\\6.0\44\61b86cac-3c0c0928 Trojan.FakeAlert.VGen
C:\Documents and Settings\HP_Owner\local settings\temp\0.506697477033.exe Trojan.FakeAlert.VGen
A second MalwareBytes scan was clean. I looked "Trojan.FakeAlert.VGen" up on Google and then it clicked: for the past few days, Adobe Flash Player has been crashing an awful lot. When it crashes (on Youtube, for example), it tells me the program is out of date and needs to be updated. The weird thing was that sometimes it worked for a while before it crashed, but I dismissed that as being some strange computer quirk. I went to the Adobe web site and tried to install the newest version of Flash Player, but was unable to. I feel foolish, but it never even occurred to me that a virus could be to blame. It concerns me that (assuming the Adobe Flash Pla... Read more

A:Trojan.FakeAlert.VGen, SpyInstall_HPPre.exe, Win32: Mirc-z [PUP], Win32: Kill App-W [PUP] & Win32: Agent-AMXO (Trj)

Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List last 10 Event Viewer log
List Users, Partitions and Memory size
Click Go and post the result.
=============================================================================
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to restart the computer.
The log can also be found here:
C:\Document... Read more


I recently purchased this laptop from a friend for a great price. After using the laptop I realize why it was such a bargain...

It had a Win7 fake anti-virus pop-up shortly after using it at home while I was in the process of trying to install avast! on the machine. By running a combination of rkill and MBAM I managed to remove the fake anti-virus and prevent it from rearing its head every time I tried to open any program. This didn't resolve the next issue of the DNS Changer though, not to mention any underlying issues I may not be aware of. After running a boot-time scan with avast! I discovered Win64:Sirefef-C (hiding inside of consrv.dll, my better judgement screamed "LEAVE IT ALONE"), and I also have the issue of Win32:DNSChanger-VJ being blocked by avast! every few minutes. If I disable avast! and attempt to do any internet browsing I got thrown all over the place. I'll never go to yellowpages.com again, that's for sure.

In the end, I ran out of options, so here I am, hoping that you good folks can get me out of this pickle (and a possible case of buyer's remorse! haha). My logs are below. Thanks in advance.

Guy

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Run by Guy at 4:14:05 on 2011-12-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2804.1488 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
... Read more

A:Win64:Sirefef-C / Win32:DNSChanger-VJ

Hi Guy! Welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thi... Read more


It appears that I have a trojan or trojans on my computer. Avast keeps telling me that either Win32 DNSChanger-VJ has been blocked or Win64 Sirefef-A has been blocked. I noticed that there are a couple of previous posts on similar trojans. Should I just read and follow one of those or does removal need to be tailored to my computer?
I have Toshiba Satellite A135 Windows Vista Home Basic, 32 Bit, Service Pack 2.
Thanks

A:Win32 DNSChanger-VJ/Win64 Sirefef-A

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE:... Read more


AVG picked them up. Computer is still crashing and programs will not close. Also woke up this morning to my computer with a message saying the driver has crashed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:29 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\PROGRA~1\MICROS~3\rapimgr.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\PROGRA~1\AVG\AVG8\avgnsx.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -... Read more

A:Infected with Generic13.BDTK, Win32/Puce.E, Win32/CryptExe, Downloader.Generic_r.da

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Cleaning up my sister's computer (Vista), I ran Spybot Search & Destroy and along with the usual cookies, it said it found Win32.Agent.ieu, Zlob.Downloader.rid, and Win32.FraudLoad. After 'fixing' these, I checked and saw that Windows Firewall was disabled. When I tried to restore the defaults, it wouldn't work. Of course this may be unrelated. I restarted and ran another Spybot scan, and found Win32.Agent.ieu and Zlob.Downloader.rid again, and removed them again. This time when I tried to re-enable the Windows Firewall defaults, it worked. About the same time I was doing this, my sister discovered someone had hijacked their PayPal account and made a large purchase... this may also be unrelated, but I suppose it's possible the malware snagged their login info. At this point I decided it was time to call in the cavalry to make sure this malware was completely gone. I couldn't get GMER to run. After starting the scan, I got a blue screen / restart twice in a row. Your help in clearing this off is appreciated!
DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris & Kait at 12:57:21.69 on Fri 04/30/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1022.176 [GMT -5:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ====... Read more

A:Triple infection: Win32.Agent.ieu, Zlob.Downloader.rid, and Win32.FraudLoad

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Mates,

I have spent the entire day trying to rid my system (Windows XP Home Version 2002 SP3) of this Win32.TrojanSpy, Win32.WormLovGate, & Win32.TrojanD\.\ader.NewMedia problem. I was alerted to these problems through scanning with AdAware Anniversary Edition after becoming so frustrated with my ridiculously slow internet connection (cable from Comcast). I can't seem to get rid of them and my cable internet speed is at about dial-up speed when testing it through CNET and Toast.net. Very frustrating, indeed. My attempts to remove the culprits have consisted of scanning by using:

(In order of scans):

AdAware Anniversary Edition (found the above mentioned culprits & claimed to have successfully removed them)
ATF Cleaner
Malwarebytes' Anti-Malware (found nothing)
SUPERAntiSpyware (found nothing)
SmitfraudFix (I used 'Search' in normal mode, then I used 'Clean' in safe mode - found nothing)
AdAware Anniversary Edition (scanned once again & in safe mode this time - it still found all of the above malware, trojans, etc., of which I selected it to remove)

Internet connection is still super slow.
It may be helpful to note that after performing these scans, I would select 'Turn Off' the computer (not 'Restart'), but the computer would simply reboot...I found that strange.

Any suggestions?

Thank you.

Daddy?!

A:Need help removing Win32.TrojanSpy, Win32.WormLovGate, & Win32.TrojanD\.\ader.NewMedia

Did AdAware provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) at on your system? Please post the results of your MBAM scan for review (even if nothing was found).
To retrieve the MBAM scan log information, launch MBAM.
Click the Logs Tab at the top.
The log will be named by the date of scan in the following format: mbam-log-date(time).txt
-- If you have previously used MBAM, there may be several logs showing in the list.
Click on the log name to highlight it.
Go to the bottom and click on Open.
The log should automatically open in notepad as a text file.
Go to Edit and choose Select all.
Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
Come back to this thread, click Add Reply, then right-click and choose Paste.
Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBAM when done.


I have followed the 5 step rule with no luck and have searched the threads. I am actually a hardware guy and not up on the malware viruses, so maybe some pity here. Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:55:46 AM, on 2/1/2007
Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Documents and Settings\stacy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\... Read more

A:Help please 3 trojans present Win32.Qhost.f-Win32.Dialer.mw-Clicker.Win32.Agent.ac

Hi scubbadoo32,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here's what we do first.


Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Using Windows Explorer, please navigate to and delete the following FILES (if they exist):

c:\eied_s7.cab


Please let me know if you encountered any problems finding or deleting the file.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:Run the CCleaner install... Read more


So, this is a newer netbook, almost 8 months old. I don't know how I got these because I have had anti-virus running from day one.

Anyway it all started when I was on Facebook; it just went to a different page and I never clicked on anything. Then MS Security Center popped up saying everything was infected, and kept telling me that I didn't have an antivirus program and I couldn't do anything but keep going to this ad to buy one... Which was odd because Avast was running. I opened Avast and did a quick check and found the first one Dracur_c, but when I tried to do the action to move to chest it was telling me that there was not enough room on disc... and my disc is NOT FULL, ODD, so I deleted it and it worked. I can not copy and paste the results (if I can I don't know how) but I will tell you it was in: C:/system volume information/_restore{ number letters}.dll and .EXE and it was also in C:/windows/system32/fwcfg32.dll listed TWICE

I then restarted the computer in safe mode and did a full scan and it then found it again in system volume information/restore{letter numbers}.DLL twice and then in Windows/system32/75.tmp..

This morning it was still acting weird when I started IE, redirecting me when I would use Google, and when I would send an error log to MS the page never loaded and then I would get a popup ad. So I ran another Avast scan and GOT the win32:trojan-gen, win32:alureon-hd, win32crypt-gwl that came up... This time it was found in my TEMP folder as an EXE and one in my ... Read more

A:avast found win32:dracur_c, win32:trojan-gen,win32:alureon-hd, win32crypt-gwl


I believe that I have been infected by the following viruses: Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR. They were all removed by either Zone Alarm Anti-Spyware or SuperAntiSpyware. However, I continue to have the symptoms: sporadic hijack of my keyboard so keystrokes are executed in what appears to be a random fashion. I say it's random because most of the time what's typed by the virus doesn't make any sense. I was working with FAX in the ZoneAlarm user forum who recommended the malware removal tools and suggested I post my Hijackthis log if all else failed. All else has failed. Following is the log. Thanks for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:46 PM, on 6/28/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\WinZip\WZQKPICK.EXE
C:\Program Files (x86)\WordWeb\wweb32.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\HPQ\HP Connection Manager 2... Read more

A:Infection by Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
We need to create an OTL Report
Please download OTL from one of the following mirrors: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a... Read more


Hello and thank you in advance, I have attached the DSS reports and the Kaspersky report below. Besides having a slow computer, I have noticed that in my "suspect e-mail folder" in my Earthlink account I have lots of messages reading "delivery error" and there are a lot of messages I never sent. I'm pretty sure this would be the e-mail worm that's in the Kaspersky report. I'm not sure about all the rest. We use the Windows Firewall and AVG Free 8.0. I also have used SpyBot Search and Destroy. I think Kaspersky found more than everything else combined. Can you please help me clean up my computer? Thanks!!!
THE DSS Main.txt report:
Deckard's System Scanner v20071014.68
Run by Meredith on 2008-07-28 07:25:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
84: 2008-07-28 14:26:14 UTC - RP763 - Deckard's System Scanner Restore Point
83: 2008-07-27 16:48:35 UTC - RP762 - System Checkpoint
82: 2008-07-26 16:47:22 UTC - RP761 - System Checkpoint
81: 2008-07-25 16:17:28 UTC - RP760 - System Checkpoint
80: 2008-07-24 15:54:47 UTC - RP759 - System Checkpoint
-- First Restore Point --
1: 2008-04-29 22:03:55 UTC - RP680 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 255 MiB (512 MiB recommended... Read more

A:Trojan-downloader.win32.vb.ah And Email-worm.win32.sircam.c

Just wondering... how long does it take for someone to respond?


Hi... I'm having a terrible time with my desktop computer. MSE detected a trojan sirefef.P virus 3 days ago. After that detection, when I did a Yahoo search, I was being redirected to random ad sites (finesearchsystem dot com, star dot feedsmixer dot org, etc....) I have run MSE, Spybot S&D, Malwarebytes, Kaspersky, and Security Task Manager. All have found some sort of malware, but the sirefef keeps popping back up. In addition, I am unable to turn on my windows firewall as there is an error code 0x80070424. The thing that concerns me the most is that MSE in its history log shows that it allowed the sirefef.P and zbot which means they made all kinds of settings changes and are probably embedded deep in my computer. What steps can I take to remedy this? I have been on another forum, but have not been able to open a topic. I found some instruction on some things I could run to get diagnostic info, but haven't been able to post it. Thanks

A:trojan win32/sirefef.P and PWS Win32/zbot

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

Read other 3 answers
RELEVANCY SCORE 144.8

Hi,

My anti-virus is saying that I have got all the above viruses mentioned. It says every time "deleted",

but each time I reboot, I am getting those problems.

Also, I am having my IE opening http://83.30...... website in multiple tabs and windows every time.

I am stuck with viruses, that's for sure.

Can anyone help me kindly?
 

A:Problem with Win32.Monder, Win32.Virtumonder and Win32.obfuscated Viruses

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:18, on 02/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://... Read more

Read other 2 answers
RELEVANCY SCORE 144.4

Spybot Search & Destroy found win32.agent.sd, win32.tdss.rtk, and zlob.downloader.bit. I removed them successfully, yet my computer is still running incredibly sluggish. When I go to Control Panel>Security Center>Virus Protection, it says VirusRescue3.0 is up to date. I have no idea what Virus Rescue is. Also, when I go to My Computer>C: it gives me the following error message: "windows cannot find resycled\boot.com. Make sure you typed the name correctly and try again. To search for a file, click the Start button, then click Search."

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:07 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jr... Read more

A:win32.agent.sd, win32.tdss.rtk, zlob.downloader.bit

Read other 16 answers
RELEVANCY SCORE 144.4

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:51:28, on 13.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:&#... Read more

A:Win32:bancos-auk(trj) , Trojan-downloader.win32.small.ast

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems.

You have a Backdoor Trojan present on your pc. A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user. They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions sho... Read more

Read other 1 answers
RELEVANCY SCORE 144.4

I'm going nuts with these two and I don't know how to get rid of them. Windows XP running. Tried to understand other threads but not sure if it would apply to what I have here. A great deal of help needed!
 

A:virus IM-Worm.win32 and also Trojan-downloader.win32

Read other 16 answers
RELEVANCY SCORE 142.4

Following instructions from my previous posting. At first the tools seemed to clear the search engine redirection, but GMER still shows a problem. Tech decided to send me to this forum, and I started again with step 6 on the guide. DDS worked well. Tried to run GMER with the new instructions, and it stops after about 40 min. Attempts to sneak the GMER through with a scrambled name failed. So I ran it for 25 min and stopped the scan and that is what I am posting. If it runs long enough the virus apparently stops the scan and I have a gray screen and have to turn off the laptop and turn it back on and try again. I ran CD emulation disable, and it said "finished" but I can't tell if I had anything to disable, since I got no further instruction from that program. Laptop seems to be working well with no redirection but tech thinks the virus is still present.

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by MARK at 22:46:15 on 2012-04-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2118 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\... Read more

A:win32/sirefef.ac and win32/sirefef.ah redirecting trojans?

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send ... Read more

Read other 15 answers
RELEVANCY SCORE 142

Hello all,

Because of my careless actions while using my computer and IM I got infected and now I can't get rid of it. I'm getting now ad pop-ups only, and I think I got rid of some infections that came but still there are left a few. I got this infection about a week ago. Computer hasn't been used much after that 'cos I had to go away for a week and didn't have time to try to fix it then. Now I tried to fight with this for a couple of days, but no glorious victory for me here.

Kaspersky's online scan report is last in my post.

If you have time and knowledge to help me, I would appreciate it.

Thanks in advance

main.txt:

Deckard's System Scanner v20071014.68
Run by Jaybird on 2008-06-07 14:21:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jaybird.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:28, on 7.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\W... Read more

A:Infected With Win32.virtumonde/win32.monde/win32.ircbot

Hello Jay-EM and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer.
Go to Control Panel > Internet Options > General tab.
Under Browsing History, click Delete. Click Delete Files, Delete cookies and Delete history.
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window.

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed,... Read more

Read other 2 answers
RELEVANCY SCORE 142

Hey I could use some help getting rid of this virus, I think Ramnit-A might be around too on it. I've done some researching trying to see if I could try and fix this on my own, but I think this might go quicker.

I have spybot and adaware (freeware) on my computer, spybot hasn't bothered to pick anything up in this mess. Adaware has picked up Ramnit-A virus on the system and it always ends up with a list of items to repair (mostly files and a few processes at the end of the list), a cookie, and then ~4 misc. items that it recommends the "just once option". Anyways it hasn't been working, so from my reading, from a topic I managed to google from this forum board I downloaded Avast, which has grabbed virus file types that I listed in the topic with quick scan (and with its "shields" too). The other disturbing thing is that I think I have about 3000+ files now sitting in my virus chest on Avast from running the thing... safe to probably say it's not fixing anything.

I'm a little worried too about the fact that the files Avast is taking are, or were just regular exe's, some that were actually on my desktop. Has left me wondering if I should delete everything in the virus chest or not, I'm not going to end up deleting something important if I do? (main worry)

From what I've read I hope I posted the required stuff, I'm currently running Gmer right now, I'll probably leave it running and try posting it tomorrow morning as ... Read more

A:VBS:ExeDropper-gen;Win32:Ramnit-B;Win32:Rootkit-gen;Win32:Trojan-gen

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

Read other 2 answers
RELEVANCY SCORE 142

I completed Steps 1 - 5, but couldn't do the Step 2 Panda Scan part, since Avast popped up the following:

File Name: http://acs.pandasoftware.com/actives...cab\pskavs.dll
Malware name: Win32:CTX
Malware type: Virus/Worm
VPS version: 080507-0, 2008/05/0

Problem Description

The following Trojans keep getting found by avast:

C:\WINDOWS\system32\ahst593.exe\[UPX]
Win32:Lineage-351 [Trj]
C:\WINDOWS\system32\ftpdll.dll
Win32:Small-JMK [Trj]
C:\Documents and Settings\LocalService\cftmon.exe\[UPX]
Win32:Lineage-351 [Trj]
C:\Documents and Settings\LocalService\ftpdll.dll
Win32:Small-JMK [Trj]
etc...

Avast cannot delete them because they are being used by a program I am not sure of, so Avast's description claims. It only keeps popping up if I choose an action that should be done. I run my computer with the warning popup flashing continuously, then it seems to be stable.

Also I have Spybot search and destroy installed, and every time I try and run it to check for problems, my computer freezes and restarts. The same happens if I try to run an AVG Anti-Spyware check.

It seems to be something with Avast, because if I am connected to the internet, the on-access shield Internet Mail kept sending out random emails; I disabled it at the moment.

I tried a system restore, but it seems to have deleted all my previous restore points.
Besides this I have a crypt.dll virus, that Avast picks up, that I cannot delete in the registry.

I've seen similar posts, so I ho... Read more

A:Win32:Pakes-APC [Trj];Win32:Small-JMK [Trj];Win32:Lineage-351 [Trj] popups.

Hello and Welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Read other 19 answers
RELEVANCY SCORE 141.2

Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but tdsskiller/mbam has proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. Infection extends back to the oldest restore point. Win7 64 bit, running MSE and MS firewall with mbam for antimalware. SFC/scannow shows clear. Google redirects on Firefox and Chrome, occasional slowdowns, Windows Defender is unable to start on boot, otherwise the system seems to be running fine. No rootkits recognized by tdsskiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

A:win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.

Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!

If I instruct you to download a specific tool in which you already have, please delete the copy that you... Read more

Read other 37 answers
RELEVANCY SCORE 140

(DDS log below)

I re-installed my AV after running without it for a while and found that I had quite a few bad things going on picked up by Nod32 including (see attachment for more detail):
Win32/Olmarik.ZC
Java/TrojanDownloader.Agent.NBE
a variant of Win32/Olmarik.UL trojan
Win32/Cimag.CL trojan

I also get multiple outbound connection attempts which are at least partially being blocked by Nod32 to weird .cc .cn and a few .com domain urls, this happens after performing a google search. Also getting some browser redirects going on and homepage changes.

I tried setting nod32 to pre-release updates and performing a full scan, this picked up the above and removed them, but after a reboot there are still things going on. Before reading the steps on this site, I ran the latest ComboFix twice which picked up a rootkit in intelide.sys both times, but appears to come back each time. While I disabled nod32 when I ran ComboFix, it re-enabled upon reboot automatically, not sure if that matters.

I've also been getting a startup delay of around 1 minute after logon, in this time, nothing appears to be going on (no apparent CPU or disk activity), but wireless, AV and other startup items do not run. Then a minute later, everything fires up.

I've tried running GMER several times but this keeps giving me a BSOD with IRQL_NOT_LESS_OR_EQUAL

Last scan with nod32 came up clean but still getting outbound connections and browser redirects.

Looking to sort this out once and for all!

DDS (Ver_10-03-17.... Read more

A:WinXP rootkit? problem + Win32/Olmarik.ZC Java/TrojanDownloader.Agent.NBE a variant of Win32/Olmarik.UL trojan Win32/Cimag.CL t...

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perfor... Read more

Read other 14 answers
RELEVANCY SCORE 139.6

Hello,

My computer is infected with problematic malware which does not go away despite running Spybot Search & Destroy (which removed Win32.Autorun.Tmp, Win32.Muollo), Malwarebytes, SuperAntiSpyware and McAfee Anti Virus. While these programs remove trojans/viruses etc at each scan, every time I restart the computer the problem is back.

In addition, google searches keep getting redirected to licosearch, hugosearch and fastsearch. I also cannot connect to Microsoft and other security related websites to download latest anti spyware related files or the Windows Service Pack.

Please help!!

DDS (Ver_10-12-12.02) - NTFSx86
Run by Mike at 18:46:42.95 on Sat 12/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.53 [GMT 0:00]

AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *Disabled*
FW: McAfee Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.... Read more

A:Computer overrun with trojans (Win32.Muollo, Win32.Tmp.Autorun), malware etc

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting... Read more

Read other 2 answers
RELEVANCY SCORE 139.6

Hi I got malware from a videocodec installation. Here are symptoms:
1. I have been receiving internet explorer pop-ups to the sites "yourprivacyguard.com" and "pcsecuresystem.com".
2. Also, Kaspersky detected that my computer has been trying to download something from "http://www.thenetworkcom.com/get-last-update.php?sid=502&aid=610&said=0&pn=5&config=cb" (from the report about 4-8 times every minute).
3. There are fake windows security alert pop-ups saying something that my computer is infected with malware and I need to download a program to clean them.
4. My desktop wallpaper changes to some form of a warning sign against a red backdrop (which could be closed when I mouse over the top right hand corner and click on the 'x', after which my wallpaper re-appears)
5. 3 web short cuts appear on my desktop labeled Error Cleaner, Privacy Protector, and Spyware &Protection which re-appear every time after restart.
6. There is a new internet explorer toolbar: The nssfrch
7. The process "explorer.exe" consumes almost 100 percent of cpu and this slows down my computer significantly.

I used Kaspersky internet security 7 (my anti-virus software), Ad-Aware2007 and Search and Destroy (as suggested by this site) to detect and fix these problems. These fix almost all problems (problem number 1, 3, 4, 5, 7). However, problem number 2 is not fixed as Kaspersky still keeps reporting that there are contacts between my computer and the site "http://www.... Read more

A:Need Help! Malware Win32.agent.lf, Win32.zlob.cpx. Infected From Videocodec Installation

Welcome to the BleepingComputer HijackThis Logs and Analysis forum nunueng. My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix an... Read more

Read other 9 answers
RELEVANCY SCORE 139.6

I managed to fix my previous round (in my - urgh - neverending round of issues and errors with this computer). I've been experiencing slow boot-ups, slow browser start-ups and stuttering when watching videos online/playing games. So I decided to check out my comp with aswMBR:

I got several infection results, all surprisingly for my Chrome browser. AVAST! Users are apparently reporting issues with this, but I'm curious about the Malware-gen in the temp files. Is it worth exploring further?

Computer is, as always, a Compaq Presario CQ62 laptop running Windows 7.

ETA: And I've noticed that my SAS hasn't updated since February; whenever I try to update it it informs me that it has all of the proper updates.

A:Win32:Malware-gen in the temp files and Win32:Trojan-gen in Google update?

Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================================================
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
=============================================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.
=============================================================================
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwar... Read more


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 94300
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:45:29

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\FreeApp.exe Infected: Trojan.Win32.Agent.arng 1
C:\Qoobox\Quarantine\C\Program Files\tinyproxy\tinyproxy.exe.vir Infected: Trojan-Proxy.Win32.Agent.bcw 1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe Infected: IRC-Worm.Win32.Small.x 1
C:\WINDOWS\bolivar24.exe Infected: Backdoor.Win32.Agent.ubx 1

The selected area was scanned.

Logfile of random's system information tool 1.04 (written by random/random...

A:Infected: Trojan.Win32.Agent.arng, Trojan-Proxy.Win32.Agent.bcw, IRC-Worm.Win32.Small.x, Backdoor.Win32.Agent.ubx

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any scr...


Hi, here is my problem. Every time I download some movies or other things by leaving my computer on overnight, an error window pops out that says:

C:\Documents and setting\KkianN\Desktop is not accessible. Not enough quota is available to process this command.

The only icons left on my screen were My Computer, My Network Places and Internet Explorer. When I refreshed my computer, the same message came out again. (This problem occurred when I left my computer on overnight using the software Thunder5 to download things.) When I tried to shut down, a message said: You do not have permission to shut down this computer. When I tried to use Windows Task Manager to shut down, once I clicked Ctrl+Alt+Del, an application error message came out that said: This application failed to initialize properly (0xc000012d). Click on OK to terminate the application. Then I could only reset my computer.

Actually I have posted in BleepingComputer.com > Security > Am I infected? What do I do? there. Then I followed the instructions in "Preparation Guide For Use Before Posting A Hijackthis Log". Unfortunately, I can't finish all the steps there. For step 4, I can't remove win32.generic.pws, win32.trojan.psw.delf and Win32.trojan.pws.onlinegames by using Ad-Aware 2007. While scanning using Spybot, it got stuck while scanning. After that, a window suddenly popped out that said: Spybot-Search and Destroy has detected an important registry entry that has been changed. Category: System Startup global entr...

A:Infected With Dropper.agent,logger.pcap.a,win32.generic.pws,win32.trojan.psw.delf And Win32.trojan.pws.onlinegames

Hello, I had reformatted my computer since it could not open and stuck in the welcome window few days ago. So, now my computer is alright..thanks for viewing and trying to help me to fix the problem.


A few days ago Win32 Heur was showing up in my AVG8 Free software. It is also coming up with a Trojan horse Rootkit-Pakes. Today I did a scan with Spybot and it failed to remove Win32.fraudload.net, Win32.TDSS.rtk & Win32.TDSS.reg. In addition to that, I read on a forum to download Registry Easy, and I did a scan and fix through that. It stated all the relevant issues had been resolved. But as I mentioned, Spybot still comes up with those 3 Trojans. So I have these 5 issues, and there are probably more. But I would appreciate it if you can help.

Here is a copy of my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:42, on 31/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome...
