Don't know if I have malware/trojan/rootkit problem - fake facebook friend request malware.

Hi, I recently got suckered into receiving and falling for the 'fake facebook friend request' malware email (hxxttp://www.net-security.org/malware_news.php?id=1813) and am not sure if I have been infected or not. In the email, I clicked on the link and it brought me to facebook but nothing seemed amiss - however I realized immediately after that it was probably some sort of virus and that, wow, I really am gullible to fall for something like that. In researching about the malware I noticed that a prompt was expected to come up and ask me to download the latest version of Macromedia Flash - but it didn't. So I am uncertain if I've contracted something. Anyway, I haven't noticed any major issues with my computer but I will admit that I'm a little green when it comes to these things so I'm unsure of what to look for - if it's something dangerous running in the background, how would I know, etc.? So I followed the instructions on here and have a few logs. Problem is I don't really understand the language, so to say. What's good or bad. Really I am wondering if someone can take a peek at the logs and tell me if I have a real issue and if it's something I need to address. I'm wary of using this computer in case it's something serious.

Oh, and my computer is running Windows Vista.

Any help is appreciated, thanks.

------------------

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_29
Run by Elspeth at 19:41:44 on 2011-11-23
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2942.1797 [GMT -4:00]
.
AV: Emsisoft Anti-Malware *Enabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Emsisoft Anti-Malware *Enabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\PixArt\PAC207\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Elspeth\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2guard.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\System32\mobsync.exe
C:\Users\Elspeth\AppData\Local\Akamai\netsession_win.exe
C:\Users\Elspeth\AppData\Local\Akamai\netsession_win.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AdobeBridge]
uRun: [Google Update] "c:\users\elspeth\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] c:\users\elspeth\appdata\local\akamai\netsession_win.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [emsisoft anti-malware] "c:\program files\emsisoft anti-malware\a2guard.exe" /d=60
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: elspethdesigns.ca\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.1.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{6393A61B-4B7A-4051-BC63-E2EE48DF2C3D} : DhcpNameServer = 192.168.2.1 192.168.2.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\elspeth\appdata\roaming\mozilla\firefox\profiles\u0ob98yr.default\
FF - component: c:\users\elspeth\appdata\roaming\mozilla\firefox\profiles\u0ob98yr.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\elspeth\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-11-14 17904]
R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2011-11-14 34768]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2011-11-14 11776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 67656]
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-11-14 2996784]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-10-10 2749736]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2011-3-29 1373480]
R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-11-14 51632]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-10-10 15656]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2010-4-8 618112]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]
S4 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-9-28 120232]
.
=============== Created Last 30 ================
.
2011-11-23 23:39:03 50477 ----a-w- c:\program files\Defogger.exe
2011-11-16 06:01:01 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d77ff1fa-2d6b-4f70-9ef9-db0d1ed8fb44}\offreg.dll
2011-11-16 06:00:58 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d77ff1fa-2d6b-4f70-9ef9-db0d1ed8fb44}\mpengine.dll
2011-11-15 02:59:40 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-15 02:58:35 102518920 ----a-w- c:\program files\EmsisoftAntiMalwareSetup.exe
2011-11-15 01:17:31 -------- d-----w- c:\program files\Autoruns
2011-11-10 01:04:01 -------- d-----w- c:\users\elspeth\appdata\local\Akamai
.
==================== Find3M ====================
.
2011-10-26 00:05:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 09:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-29 23:14:06 9356416 ----a-w- c:\program files\frostwire-4.21.8.windows.exe
2011-04-12 03:38:15 399736 ----a-w- c:\program files\utorrent.exe
2011-03-30 01:20:15 5432616 ----a-w- c:\program files\WacomTablet_605-7.exe
2011-03-30 01:04:02 101059584 ----a-w- c:\program files\260.99_desktop_win7_winvista_32bit_english_whql.com
2011-03-11 18:38:11 4251204 ----a-w- c:\program files\FileZilla_3.3.5.1_win32-setup.exe
2010-09-20 15:44:21 38323704 ----a-w- c:\program files\PS_AIO_DriverOnly_NonNetwork_ENU_NB.exe
2010-09-14 00:54:28 98925600 ----a-w- c:\program files\258.96_desktop_win7_winvista_32bit_english_whql.exe
2010-06-13 23:51:55 6927472 ----a-w- c:\program files\sp26893.exe
2010-05-10 02:29:18 20709564 ----a-w- c:\program files\Install_Samorost2.exe
2010-05-08 00:26:34 67200131 ----a-w- c:\program files\WorldOfGooSetup.1.30.exe
2010-05-08 00:20:20 306252647 ----a-w- c:\program files\penumbra_overture_1.1.exe
2010-05-07 23:31:27 203654351 ----a-w- c:\program files\Aquaria111.2008.12.12.exe
2010-03-17 00:38:01 6637689 ----a-w- c:\program files\freeswfconverter.exe
2010-03-02 04:00:23 421346 ----a-w- c:\program files\Lame_v3.98.2_for_Audacity_on_Windows.exe
2010-03-02 03:18:05 11468190 ----a-w- c:\program files\audacity-win-unicode-1.3.11.exe
2010-01-21 16:13:14 368112 ----a-w- c:\program files\X16-69453_DLM.exe
2009-12-13 02:59:37 503929 ----a-w- c:\program files\ie-spyad_zo.exe
2009-12-13 02:55:56 3012768 ----a-w- c:\program files\spywareblastersetup42.exe
2009-12-03 00:32:15 800544 ----a-w- c:\program files\jre-6u17-windows-i586-iftw-rv.exe
2009-11-27 01:21:26 812344 ----a-w- c:\program files\HJTInstall.exe
2009-11-27 00:40:18 7392800 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-11-10 23:37:16 135528 ----a-w- c:\program files\315265.exe
2009-08-15 02:59:01 679880 ----a-w- c:\program files\StumbleUpon.exe
2009-07-28 03:07:18 66916509 ----a-w- c:\program files\AquariaDemo.2007.12.07.exe
2008-09-11 17:48:46 5408074 ----a-w- c:\program files\Last.fm-1.5.2.38918.exe
2008-08-04 16:13:21 63530280 ----a-w- c:\program files\iTunesSetup.exe
2008-06-28 18:15:36 19153264 ----a-w- c:\program files\aaw2008.exe
2008-06-15 17:04:51 3008512 ----a-w- c:\program files\WacomTablet_498-2.exe
2008-06-06 19:44:13 305672 ----a-w- c:\program files\dxwebsetup.exe
.
============= FINISH: 19:42:34.89 ===============
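The question above asks what in a DDS log is "good or bad". As an added example (not part of the original post, and not code from DDS or Bleeping Computer), here is a small Python triage script that reads the "Pseudo HJT Report" section and flags a few configuration items a log reviewer looks at first: UAC turned off (`EnableLUA = 0`), BHO/toolbar/autostart entries whose target is reported as `No File`, RunOnce entries, and sites added to the IE Trusted Zone. The sample lines are copied from the log above; the finding categories and function names are this example's own choices, and a flagged line is something to check, not a verdict on infection.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not DDS code. It scans the section line by line and returns a
list of (category, detail) findings for items a reviewer would want to look at.
"""
import re

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.google.ca/
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\\users\\elspeth\\appdata\\local\\google\\update\\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\\windows\\system32\\macromed\\flash\\FlashUtil11c_ActiveX.exe -update activex
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: elspethdesigns.ca\\www
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
"""

# Line shapes used by DDS for the items this example cares about.
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
NOFILE_RE = re.compile(r"^(BHO|TB|uRun|mRun|uRunOnce|mRunOnce):\s*(.*?)\s*-\s*No File$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
RUN_RE = re.compile(r"^(uRun|mRun|uRunOnce|mRunOnce):\s*\[([^\]]*)\]\s*(.*)$")


def triage(report: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings for the given report text.

    Categories (this example's own names):
      uac-disabled    EnableLUA is 0, so User Account Control is off
      orphaned-entry  a BHO/toolbar/autostart entry whose file is missing
      run-once        a RunOnce entry, which executes at the next logon
      trusted-zone    a site granted the relaxed IE Trusted Zone settings
    """
    findings: list[tuple[str, str]] = []
    for line in report.splitlines():
        line = line.rstrip()

        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name == "EnableLUA" and value == 0:
                findings.append(("uac-disabled", line))
            continue

        if NOFILE_RE.match(line):
            findings.append(("orphaned-entry", line))
            continue

        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("trusted-zone", m.group(1)))
            continue

        m = RUN_RE.match(line)
        if m and m.group(1).endswith("RunOnce"):
            findings.append(("run-once", m.group(2)))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per category, for a quick overview."""
    counts: dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:15} {detail}")
    print(summarize(triage(SAMPLE_REPORT)))
```

Run against the sample it reports that UAC is disabled, two entries that point at files no longer present, one RunOnce item and one Trusted Zone site; none of these is evidence of the emailed malware on its own, but they are the kind of lines a helper on a removal forum reads first, and the script can be pointed at any DDS log by swapping in the file contents.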


A: Don't know if I have malware/trojan/rootkit problem - fake facebook friend request malware.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429204 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

- If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
- A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post. Please do this even if you have previously posted logs for us. If you were unable to produce the logs originally please try once more. If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
- Please tell us if you have your original Windows CD/DVD available.

Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues. Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again: Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner. Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Please first disable any CD emulation programs using the steps found in this topic: Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here: How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


Yesterday, I had troubles with Windows live messenger where it (still) says:

"Windows Live Communications Platform has encountered a problem and needs to close. We are sorry for the inconvenience. "

although, the problem isn't about MSN. I found out that this problem was caused by having Malware on your computer. Hence, i decided to run a scan using Malwarebytes Anti-Malware (MBAM).

I noticed that my Avast was disabled and if i try enable it, it comes up with a window saying: the operation could not be completed.

My google searches also SOMETIMES get redirected to links that are clearly off topic.
Like if i google search the terms "malware wikipedia" and i click on the wikipedia link but i get redirected to some Myspace/Anz credit card crap.

Then this happened.
MBAM CRASHED after 2 mins of scanning -> tried to re-run MBAM but a window came up saying:
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
I ran several other programs such as:
HJT -> scanned for 2 mins, then crashed (no logs were made)
SUPERAntiSpyware (SAS) -> scanned for 2 mins, then crashed
and same goes for any other programs that searched for any malware.
The only program that worked was TROJANHUNTER and came up with a couple of false positives
I also tried using Avira's Rescue CD (the one where you boot up with it and it does a scan)
A scan using Avira was also successful but failed to... Read more

A:Malware/Anti-virus tools wont run due to a rootkit/trojan/malware

i am having the exact same problem!
i have no clue what to do, any help would be amazing!


Opening new topic per instructions from Orange Blossom, Link to previous Thread: http://www.bleepingcomputer.com/forums/topic321540.html

My desktop got infected with rootkit virus a week ago. After a lot of pain, I was able to remove the fake security pop ups but it kept coming back in different form. It has hijacked my IE and Firefox and it opens pop-ups on it's own and takes me to some strange sites. Now it has completely disabled my internet connection and sound card. I can not start various services such as Windows Firewall or as simple as Help & Support service of XP.

Malware Byte's scan with defn as of 6/1/2010 DB version 4161 scan completes successfully.

PC Details: Windows XP Pro SP3

Here is the DDS Log from infected machine:

DDS (Ver_10-03-17.01) - NTFSx86
Run by malgaonr at 9:45:22.09 on Mon 06/07/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3567.2997 [GMT -5:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC... Read more

A:Rootkit/Malware Removal Request

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum, I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if your topic is not replied to I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct... Read more


I recently removed the Antimalware Doctor Virus from my computer, and Antimalware Bytes was still trying to block outgoing attempts from my computer. I was able to remove the virus using RKill and then updating Antimalware Bytes. I believe there may be a rootkit hidden within my files trying to reach out to malicious sites. I need help removing it and was hoping for some help or advice. I ran the DDS for my computer which confirmed my fears that something has lingered. How do I get rid of it?
Thank YOU

DDS Log
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Rigel at 17:52:03.88 on Sun 04/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1267 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Fil... Read more

A:Malware Removal Request (rootkit)

You may be infected with a backdoor trojan. I would suggest you backup your important documents before proceeding. Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Last night I received a Facebook friend request from someone I don't know. I did not accept it but clicked on the name to check them out as I always do to see if I MAY know them. When I did it was pornographic pictures. I quickly left the profile but I could not get back to the home page to log off. I tried from my iphone, ipad and finally my home computer. I did manage to log off from the home computer. Today, the friend request has vanished and I changed my password. I have run Malwarebytes and Microsoft Security Essentials scans and both say clear. However, I keep getting the busy "circle" on my home computer next to the mouse arrow. It comes on and off continuously like something is running in the background. I don't know what to do but I want to make sure my computer is really clean. Please tell me what to do. THANK YOU SO MUCH!!
HP H8-1020
Intel®Core™ i7-2600S CPU @2.80GHz 2.80 GHz
RAM 8.00 GB
64 Bit

Windows 7 Home Premium 2009
Service Pack 1

Please let me know if you need anymore information. Thanks so much again!

A:Facebook not friendly friend request!

I would be more concerned about the security of your Facebook account than a virus to be honest with you. Report the suspicious activity to FB admins to ensure that no one is hijacking your account.

I have had a couple shady encounters with FB, more and more these days, You were smart to change your password, I would change the passwords of any linked accounts. Such as Emails that you use with FB. (just to be sure!)

Good Luck!


I seem to have a problem similar to many others. Symptoms include -
- fake Windows Security Center screen pops up often
- red background 'trojan found' download screen pops up often
- random pop ups in taskbar warning about malware, slow PC, etc
- Disabled Task Manager
- System seems to 'refresh' every minute or so
- Ad aware, Spybot and Spyware doctor repeatedly find & clean malware, but it returns
- Symantec unable to detect any problem (after I did the SDFix as suggested in other posts)
- Browsers often not taking me to the desired site. Some anti-malware sites seemed to be blocked, or don't open the page which talks abt this particular problem
- Before running SDFix, I could not even open Notepad because of 'Data Execution Prevention'

I've already run Symantec Antivirus, Ad aware, Spybot, Spyware Doctor and SDFix and the problem is not yet fixed (maybe some small symptoms are gone after running SDFix)

I've listed below the logs for SDFix and HijackThis. Can someone help plz!!

=====
SDFix
=====

SDFix: Version 1.183
Run by Administrator on Sun 05/18/2008 at 09:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper

Rebooting
Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downl... Read more

A:Trojan problem - Fake Windows Security screen, taskbar popups abt malware

Hi Welcome to TSG!!
Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy the entire report and paste it in your next reply with a new Hijackthis log.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Click here to download Dr.Web CureIt and save it to your desktop.

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has fin... Read more


I am currently having an issue where I cannot access update.microsoft.com or download.microsoft.com, or any variations of the two. Any attempt, even in safe mode, is instantly redirected to google.com. Malwarebytes.org and safer-networking.org are also directed to Google. I am also getting pop-up ads on many sites, despite my best efforts to remove any form of spyware/adware/etc. I am currently using Symantec Anti-Virus, after having multiple issues with McAfee, so I am turning to the professionals.

GMER instantly pointed out gaopdxserv.sys, which is a fairly well known trojan, and I'm confident I could remove it on my own, but at this point I'd rather be aware of any and all threats currently on my computer, and remove them.


Thank you for any help you guys have to offer!

DDS.txt results:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Luke at 20:00:15.03 on Sun 02/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1395 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS... Read more

A:Malware/Rootkit removal assistance request

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial post then the thread will be closed.

Please follow these directions in the order they are set out for you.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Seems like I am infected with some sort of malware. I've gone as far as I can alone, and I'm no expert with computers. Reformatted my system after the initial crash; now still infected (or more likely reinfected), it keeps making my system attempt to connect to 206.161.121.2,3,4,5 etc. My research so far yields that this is not a new problem in the virusphere, though no one seems to be saying anything more about it other than that they have the infection. Start ups and restarts are often very buggy and crash a significant number of times, though when running mbam it just restarts to remove it and it comes right back after restart. mbam has gotten it down to one trojan and its memory process each time, though they come right back. Any way I can be helped would be wonderful, thanks. Windows 7 OS. If I see any more crash logs, I'll try to catch the errors and add them in.

A:malware problem, rootkit? Trojan keeps coming back.

Download TDSSKiller. Launch it.
Click on Change parameters - select TDLFS file system.
Click on "Scan".
Please post the LOG report (log file should be in your C drive).

Download aswMBR. Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.


Okay. I've had a bit of trouble for about a week. First I noticed that my google searches kept redirecting to different sites. And then I noticed my browser was running entirely too slow. I tried pulling up the Task Manager to see what was going on but I kept getting an error message upon a black screen saying that Task Manager failed to boot up or something. At this point I was very aware that I had something on my computer and phoned a friend who said to download Malwarebytes and use it.

I did just that. Took care of the Task Manager problem. I decided to run an AVG scan. Full scan waited for 3 hours and came back with nothing. I use Google Chrome as my browser and hopped back on but was still experiencing the same problem. So I searched around and found a YouTube video demonstrating Malwarebytes, Hitman Pro and ComboFix. I downloaded/ran Hitman Pro and was shown a "possible TDSS/Alureon/variant" message across the top of the scan and something about hidden drivers. I was still convinced that the problem was present but I had read the warnings about ComboFix and how it was to be used only by pros. I googled ComboFix and after some browsing came across a forum post of the Admin Gringo helping someone get rid of a problem that seemed very similar to mine. So this is me giving it a shot.

Since I found out I was infected I've been operating in Safe mode with Networking support fairly often so I don't get slowed down too much. Hope that is a good thing. My OS ... Read more

A:Google redirect malware/Trojan/Rootkit/problem slowing down computer!

Welcome aboard. With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

A:Google redirect malware/Trojan/Rootkit/problem slowing down computer!

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more


Hi,
 
I would really appreciate any help or advice on the next steps for removal of this malware. Thanks in advance!
 
I'm experiencing pop-up redirects and I noticed there are many processes and services that are fake. I've tried a variety of solutions and tools (Malwarebytes, CCleaner etc.) but unfortunately I'm having no luck in solving the problem. 
 
I attached a screenshot(processes.png) as an example to show some of these fake processes and I also attached the Addition.txt log.
 

 
EDIT: Added screenshot example of pop-up
 

 
Here is my FRST log:
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2015 01
Ran by william (administrator) on IDEA-PC on 04-03-2015 18:42:04
Running from C:\Users\william\Downloads
Loaded Profiles: william (Available profiles: UpdatusUser & william)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. ... Read more

A:Redirect pop-ups in chrome, fake processes (see screenshot), malware/rootkit?

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
BHO: No Name -> {4671dc37-1bf7-4c26-8d4d-b3d843442ad6} -> No File
BHO: No Name -> {bed3f755-e8b1-4104-913e-3692901aaa2c} -> No File
C:\WINDOWS\MEMORY.DMP

End
Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
Restart the computer normally to reset the registry.
The tool will create a log Fixlog.txt; please post it to your reply.
===
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool... Read more


DDS (Ver_09-02-01.01) - NTFSx86
Run by Emin at 13:43:15.64 on Fri 02/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.478 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Emin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar ... Read more

A:Trojan/Malware Removal Request

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


I picked up a trojan last night on my Windows XP load. I believe it is called trojan.fake.(something). I used Malwarebytes and it showed it, then it didn't on rescan, but whenever I try to google something I am redirected to an ad page multiple times before I get there. Attached is my HJT log. Any help you can provide is most welcome!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:15 AM, on 8/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\windows\explorer.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.... Read more


Ok so I got the fake alert thing and I immediately turned off system restore and booted into safe mode. In safe mode I scanned with IObit Security 360 Free Edition and I did a boot-time scan with Avast antivirus, both updated. I tried to run Malwarebytes Anti-Malware but it wouldn't open up. When I scanned with IObit, it deleted the files. After that I scanned with Avast and found nothing. But when I boot into normal mode 1. the trojan automatically turns off my McAfee on-access scanner, 2. completely blocks my internet connection (meanwhile I know I still have a connection because my antivirus programs update successfully), and 3. makes my computer run EXTREMELY slow. Please help. I'll try posting an HJT log soon. Also it blocks some programs from running.
 

A:malware trojan fake alert


Hello my Friends,

First of all I would like to thank you for taking your time to read my post. Well, the problem is yesterday, something was changing the Facebook status of everyone in my house to this message: " Finaly I changed the plain and boring white and blue Facebook colors to something a little more expressive! Ahhh that looks much much better! Try out hxxp://bit.ly/pag3rag3" and a second browser window is open for a short time then disappears. So I ran my Kaspersky as usual, and Ad-Aware, and detected some minor malware that was removed... but the problem persists... It is pretty annoying and I also feel my PC running a little bit slower... So here are my logs in hope that someone can please help me:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Xcellence at 20:22:05,35 on 13-07-2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.351.1033.18.3070.1652 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k Networ... Read more

A:Please Help, Some Trojan/Malware is changing my Facebook Status.

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please go to: VirusTotal. Click the Browse button.
Please copy/paste the following bolded text into the 'File name:' box:

c:\users\xcellence\appdata\roaming\InstallMon.exe

Click Open then click the Send File button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analysed: click Reanalyse file now
Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------


I have 3 computers :
Dell DIMENSION 4600 running Windows XP.
Dell DIMENSION E510 running Windows XP.
Dell DIMENSION E310 running Windows XP.

These problems relate to the 4600 machine.

I have run several spyware/malware programs and have identified some suspicious files or programs. I am having trouble finding and/or removing them.

1. AGENT.FL
This is reported as a Trojan (Severe risk) type Registry key. I cannot locate or identify anything associated with this name.
How do I eliminate this?

2. Vendo Trojan. This is reported as a Trojan (Severe risk) type Registry key. It is identified as the following object: software\microsoft\windows\currentversion\explorer\browserhelperobjects\{549b5ca7-4a86-11d7-a4df-000874180bb3}

I cannot locate or identify anything with this name on the computer. It did turn up in a HijackThis log file - attached below.
How do I eliminate this?

3. MWSSRCAS.dll
I believe that this file is related to MyWebSearch. I deleted almost everything that was in this directory but this file remained under MyWebSearch\SrchAstt\1.bin and consistently returned the following message: Error deleting file or folder
"Cannot delete MWSSRCAS.dll: access denied.
Make sure the disk is not full or write-protected and that the file is not currently in use."

I had tried to determine if there is a process running that prevents removal but could not figure it out. I was finally able to delete this file by going to Internet options\Advanced\Browsing options and uncheck... Read more


This showed up when I started up my computer last night (I'm running XP). My desktop background changed to red with a biohazard-type logo, windows keep popping up trying to sell me protection, etc. When it first showed up some of my desktop icons disappeared and I couldn't get into my C drive, but that seems to have stopped for the moment.

I've run my Kaspersky Antivirus, which says it can't delete it, disinfects it, but doesn't seem to change anything. I've also used System Mechanic 5, Spybot Search and Destroy, Smitfraudfix (I saw this suggested to someone else viewing another forum - and it seems to work and everything looks good for 5 minutes, but then lo and behold it comes right back) plus RegClean, RegistryFix, Tracks Eraser Pro, BugDoctor - to try and clean stuff out - some things seem to get rid of it, but then it returns. I've been looking it up on Google to see what other people did, and trying these things, but obviously this strategy hasn't worked. It's just given me a headache. I'm out of my depth. I really need help! Thank you in advance for your wisdom.

Here are my DSS reports:

Deckard's System Scanner v20071014.68
Run by Aqua Dragon on 2008-06-08 11:54:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
5: 2008-06-08 15:54:53 UTC - RP230 - Deck... Read more

A:I Have An Error Cleaner, Privacy Protector, Spyware And Malware Protection Problem (virus? Malware? Trojan?)

Hi,
Please uninstall the following programs since they are known to cause more damage than anything else:
RegistryFix v6.2
Bug Doctor 3.0.3.8
Reboot afterwards.
After reboot, please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


Hello,

my computer (running on windows xp) is infected with something, as far as I know a trojan, and keeps giving messages concerning fake malware threats, such as win32.netbooster. It also copied a few files to my desktop, each one a link to some malware fixer. Can someone help me?

This is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24: VIRUS ALERT!, on 30/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA... Read more

A:Solved: Trojan reporting fake malware threats

After using combofix and Malwarebytes' anti-malware, the problem seems to be solved. Hooray!
 


Hello!

I am a new and reluctant member of the trojan/malware/virus world and certainly appreciate your assistance!

Suddenly, Firefox kept opening on its own, either as a tabbed page or its own window, and would open to some seemingly random advert.

The bug is bringing up a "Windows security alerts" red shield with an x on it on my icon tray (lower right of the start bar). Clicking on the icon brought up a faux Microsoft page telling me that my computer was infected and that it wanted me to download a file to fix the problem. I did not do so.

Also, Windows Automatic Updates is switched off when I click on the red x-shield icon on my start bar, BUT when I check Windows Automatic Updates via the Control Panel, it looks as if they are on...

Following the instructions on another thread in this forum, I ran Malwarebytes and Spybot multiple times, fixing the errors after each run. HOWEVER,
I still have the red-x-shield on my icon tray.

I am running Windows XP Home Edition Version 2002 Service Pack 2.

HERE IS THE LOG FROM MALWAREBYTES RUN #1.

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

12/28/2008 5:15:46 PM
mbam-log-2008-12-28 (17-15-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 269614
Time elapsed: 3 hour(s), 58 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Inf... Read more

A:fake Windows Security Alert - Trojan/Malware


Hello! I am running Windows XP with SP2. There are constant pop up windows that just keep appearing. After going through the steps I've listed below, lately I keep getting these pop up messages:

Malware Alert
Warning!
Trojan Adware.W32.ExpDwnldr spyware detected. This trojan alllows attackers to access your computer from remote locations, stealing passwords, Internetbanking and personal data. This also prompts advertising popups.This process is a secruity risk and should be removed from your system.
Type: Trojan Horse
System Affected: Windows 98, 2000, NT, ME, XP
Security Risk(0-5): 4
Recomendations: Click Yes to get all available antispyware software.

Windows Security Alert
Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and Internet files. Run a full scan now to prevent any unauthorized access to your files! Click here to download spyware remover...

I went ahead and installed and ran the Spybot Search and Destroy which resulted in over 200+ infections detected. I also installed and ran the AVG Anti-Spyware Free Edition, and am running it right now to see if I can get the report to show up. Currently it shows Adware.RogueSuspect as infected objects. I wasn't able to run any online virus scans due to internet connection issues with the computer. I also have installed and run Ad-Aware 2007 on this computer. I ran the PC Tools Spyware Doctor and the results listed the following infections with several cases of each tot... Read more

A:Help Request: Trojan Horse Malware Alert, Several Infections Found Listed Here.

Welcome to the BleepingComputer HijackThis Logs and Analysis forum skenopic. My name is Richie and I'll be helping you to fix your problems.

Download LSPFix from: http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix. Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "c:\windows\system32\rlls.dll" into the remove box using the >> button. Press the finish button.
Then reboot.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 - Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.
*IMPORTANT* Do NOT run any other options until you are asked to do so!
Also post a new Hijackthis log please.


Hi all,

My dad has asked me to take a look at his computer after it's been acting odd, and it looks like he's got a doozy of something running on the system. He's been getting some pop ups advertising various programs, the desktop is changed to text reading "Your system is infected! System has been stopped due to a serious malfunction. Spyware activity has been detected" (which is not something any program that should be running would display), Task Manager is blocked from opening and a fake piece of anti-spyware has taken up residence (don't have the name off hand).

Looking at the log, I found a couple of things that I'm not a fan of - batmeter16.dll, for starters. There's a couple others I don't recognize, but I am not sure if they are bad or not.

Unfortunately, my attempts to fix it have been thwarted - an AVG scan said it cleared it up, but more pop ups came. I tried to run Malware Bytes, but when I download the latest update through the program, I get a nice warning message saying "The database you are using is not supported by this version of Malwarebytes' Anti-Malware. Download the latest version of the program."

Additionally, this came about because I tried to start into Safe Mode to get this cleaned up. I couldn't get my keyboard to register keystrokes before Windows started, which kept me from accessing the dialogue allowing Safe Mode to be entered, so I modified boot.ini to force a safe mode boot. Unfortunately, this brought about a blue sc... Read more

A:Malware blocking MalwareBytes (post-update), fake anti-malware program

Hello, my name is fenzodahl512 and welcome to the forum. Please do the following....

Please download The Comedian.exe by Rorschach112 to your desktop.
Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how.
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step.
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished.
STOP! if you can't complete this step.. Tell me more about it..

NEXT

Please download OTL by OldTimer and save it to your desktop.
Under the Custom Scans/Fixes box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
Don't change any setting... Just click on the Run Scan button. Let it scan till finished. Then a log will pop up at your Desktop. Post the content of the log here.

NEXT

We need to scan for Rootkits with GMER. Please download GMER from one of the following locations, and save it to your desktop: Main Mirror
This version will download a randomly named file (Recomm... Read more

Read other 3 answers
RELEVANCY SCORE 73.2

New malware detects browser, shows fake malware warning page.

Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before.

-- Tom
 

A:New malware detects browser, shows fake malware warning page

Thanks
 

Read other 1 answers
RELEVANCY SCORE 73.2

I left my comp on while I went out and one of my family members must have got on and went somewhere they shouldn't have and now I am getting pop ups and pages coming up all over the place.. Its saying I have got things like "[email protected]", "[email protected]" and "psw.x-vir trojan".

Here's my log file maybe u can help

Logfile of HijackThis v1.99.1
Scan saved at 11:39:13 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\nvraidservice.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Google\Gmail Notifier\gnotify.exe
F:\Program Files\C... Read more

A:Trojan/malware Spam Popups And Fake Virus Balloons

Hello Harrisn, I am SifuMike and I will be helping you. I see some bad items in your log, so let's run these scans.

You will need to use Internet Explorer for this scan. Disable your antivirus program and go here to run BitDefender Online Scan. Click on I Agree. Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.
When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.
When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

******************

Download and install AVG Anti-Spyware v7.5.
After download, double click on the file to launch the install process. Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-cli... Read more

Read other 6 answers
RELEVANCY SCORE 73.2

I have spent a lot of time trying to clean my computer from a softpedia file encryption download. It immediately put a fake virus alert on my desktop, disabled my desktop options in display, and has disabled task manager. I have done a deep scan via safe mode, and also ran superantispyware, which found and quarantined 2 trojans and a rogue.fakealert/wallpaper. However, the display options are still disabled, as well as task manager. I know my system is not clean yet. Attached is my hijackthis log. If anyone has any ideas on what I can do as I wait for a return phone call from the company that handles our a/v (usu. 2-3 days wait!~) I would appreciate any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:28 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOW... Read more

A:Help please, malware or trojan (fake virus alert, disabled task mgr)

Never mind! I did another scan while I was at lunch, this time with Malwarebytes, and it caught everything that the others missed. It fully removed the sinister junk that softpedia allowed on my computer. BOO! HISS! I was led to believe that softpedia.com was a reputable site with safe downloads. NOT SO! BEWARE OF THEIR GARBAGE.
 

Read other 2 answers
RELEVANCY SCORE 73.2

Getting lots of popups and (I think) fake Malware Alerts that want me download something called SpyShredder. Can't seem to get rid of any of it and it seems to be progressively getting more and more obnoxious.

Please help.

Panda Log:


Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\docume~1\admini~1\mydocu~1\smbols~1\csrss.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mkigjluc.dll
Adware:adware/commad Not disinfected Windows Registry ... Read more

A:[SOLVED] Fake Malware Alert? - - Trojan.Adware.W32.ExpDwnldr

Quote:

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------
Click here to download HJTinstall.exe
Save HJTinstall.exe to your desktop.
Double click on the HJTinstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\Hijack This.
Click I accept
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix... Read more

Read other 8 answers
RELEVANCY SCORE 73.2

Description of problem: several days ago, while visiting a website, I noticed some fake security messages popping up (both in system tray next to clock and as IE windows). Unfortunately, I did not think things through clearly and clicked something I shouldn't have. The result was the installation of "Malware Defense" on my computer, a fake antispyware program. I uninstalled the program and thought everything would be fine afterwards. Unfortunately, everything was NOT fine. The next day, after I turned on my computer, I noticed some weird activity going on in my Task Manager: iexplore.exe was running even though I had no browser windows open! I killed the process, but it would come back every few minutes. Every time I'd search something on Google to find a solution, the search results came up fine, but any time I clicked on them I would be redirected to some other site.

Another process that I had never seen before was "settdebugx.exe" which I killed, then deleted the exe file associated with it. I went to msconfig to stop both settdebugx.exe and Malware Defense from starting up. But iexplore.exe still kept coming back even though I was not browsing. I conjectured there was some kind of .dll file at work here. I looked through my windows/system32 folder to find a dll file that was introduced very recently, much more recently than the rest of the dll's in there, and came across krl32mainweq.dll. After some internet searches (I used ... Read more

A:Infected with H8SRT Trojan via Malware Defense (fake antispyware)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand cor... Read more

Read other 2 answers
RELEVANCY SCORE 72.8

Hello,
 
I am pretty sure my computer has caught the virus.  It goes to the blue screen of death after a minute or 2 and then reboots.  At least when I bootup in Safemode with networking it behaves OK.  In the task manager I can see the following process that I don't recognize:
 
svchost.exe with description winrscmde. Properties of that process says that this file was created today and is located in C:\Windows.
 
In the Event viewer I see the following bugcheck error message:
 
The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff80002efd0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 031713-43953-01.
 
I haven't removed the virus or anything using Malwarebytes yet. Just wondering what I should do next.
 
Thanks.

A:Malware bytes detected Trojan.Agent, Trojan.BHO, Rootkit.0Access and PUP.IBryte

Please download TDSSKiller from here and save it to your Desktop
Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters

Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now

Click Start Scan and allow the scan process to run

If threats are detected select Skip for all of them unless I instruct you otherwise
Click Continue

Click Reboot computer
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply

===================================================
aswMBR
--------------------
Download aswMBR and save it to your desktop.
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here
Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

Please post the contents of the log in your next reply.NOTE:  aswMBR will create MBR.dat fil... Read more

Read other 17 answers
RELEVANCY SCORE 72.8

Edited to add information from another topic that will be shortly deleted. ~ OB

I had a quick question before I start backing up all my personal/doc/data/photo files. I have an external HD for backup, connected by USB. I haven't turned it on or backed anything up for a couple months (I know, lazy), so hopefully it hasn't had a chance to have any infected files on it yet. If I turn it on while it's still connected to the infected computer what is the chance the virus/trojan will transfer to the external hard drive? And along the same concept, if I start copying over photos and other personal files to the external hard drive how do I know I'm not copying over the virus/trojan with it?

End of added information. ~ OB

My computer is an HP, AMD Athlon 64x2, 1.0GB RAM, WIN XP sp2 desktop that was infected with lots of virus/Trojan/adware/malware. It's mainly for home personal use (our only computer) but I also telecommute for work sometimes. I haven't been able to backup all our personal files, so I'm trying to avoid rebuilding the whole machine if possible.

I've already run, cleaned infected files and run again and received clean slate now from Avast!, MBAM (quickscan) and SuperAntiSpyWare (complete scan).

Here's my original post in the "Am I infected forum?"
http://www.bleepingcomputer.com/forums/t/192399/win32monder-gbtrj-win32trojan-genother-adwarepopcap-trojanvundo-trojanagent-and-more/

The computer seems stable now. I can load up the computer without a problem. But after reading this forum and the ... Read more

A:Seneka Rootkit, Monder-GB, Trojan.Vundo, Adware.PopCap, Trojan.Agent, Malware.Trace

Hello, Lex H to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).

Please take note of the following:
In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.

We need to scan for Rootkits with GMER
Please download GMER from one of the following mirrors:
This is the Primary mirror
This is a Secondary mirror
This is a Secondary mirror
Close any and all open programs, as this process may crash your computer.
Unzip the downloaded file to your desktop.
Double click on your desktop.
Allow the gmer.sys driver to load if asked.
You may see this window. If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.
In your next reply, please include the follow... Read more

Read other 13 answers
RELEVANCY SCORE 72.4

I AM USING WINDOWS XP HOME EDITION AND AM AT MY WITS' END. I HAVE TRIED RUNNING MALWAREBYTES, HIJACK THIS, SUPERANTISPYWARE AND WHATEVER I HAVE ON MY COMPUTER IT STOPS ALL IN ITS TRACKS. PLEASE HELP! WHAT CAN I DO? MY AVAST HAS BEEN DISABLED AND SITS IDLE. I HAD MCAFEE PREVIOUSLY AND IT SAT IDLY BY WHILST I PAID THEM GOOD MONEY FOR DOING NOTHING.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

A:MALWARE, ROOTKIT, TROJAN???

It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.

Read other 1 answers
RELEVANCY SCORE 72.4

I've found a very similar problem someone else was having on this forum... I've having these processes starting over and over draining my CPU usage, rendering my comp, highly unusable.
It's located in Appdata/LocalLow/SKS/cwlrxnyhxxt/rvnvggatw
 
I've tried removing it several times, nothing works. Ran malwarebytes, it found some problems, reran it, found nothing, and my problem still persist.
 
Malwarebytes pops up saying "Malicious Website Protection: IP 88.214.197.89  PORT: 51593 Users/BrandonAppdata/LocalLow/SKS/cwlrxnyhxxt/rvnvggatw"
So it blocks it but not removes it... please if anyone can help me clear this thing from my comp, i'll be highly appreciative.

A:Hello! I need help! Malware/Trojan/Rootkit

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first t... Read more

Read other 2 answers
RELEVANCY SCORE 72.4

The pc was infected with xp antivirus 2010. I used malwarebytes on it and all of the popups stopped. However, since that time whenever I do a google search the first results are always antispyware links and advertisements. Additionally, when I try to click on a link in google that would take me to this site or any other site similar to this, such as trend micro and other anti-malware sites, the link goes to a totally different page, usually an advertisement. Included is the hijackthis log, thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:43 AM, on 3/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WebUpdat... Read more

A:Malware problem, request assistance

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo... Read more

Read other 7 answers
RELEVANCY SCORE 72.4

While I was on Internet Explorer looking at some furniture websites and Pinterest, I downloaded some stuff, then wrote an email and about 20 windows cascaded across the screen. Then a pop-up (which I may or may not have clicked on) with some sort of bogus scan that found bad stuff. I restarted the computer and it did the same thing. I think the fake scan was called S.T.A.R.T.

My desktop was now blank and no programs showed up in File Explorer.

I ran Windows Security and Malwarebytes which found q2VRHJjifZ4RHt.exe and DKgPKMXgvSnGH.exe and PUM.Hijack.StartMenu (Reg Data) and TrojanWin32/FakeSysDef

I figured out how to make my files and programs show in Explorer but they are still not on the Start menu.

I use Microsoft 7 Home Premium. Thank you for any help.

A:Unknown malware / trojan / fake scanner has hidden my files and programs

Hello and welcome!

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:
Unhide.exe
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.

Reboot into Safe Mode with Networking

here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the Control Center screen.
Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
Click the Scan your computer... button.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmar... Read more

Read other 14 answers
RELEVANCY SCORE 72

OK- I am not extremely computer savvy... I may have destroyed the computer beyond repair, but my files are not backed up and all of the videos of my son when he was a baby are on there and only there. So, HELP!!!! I had a bad virus that started as pop ups for fake virus protection- I can't even remember what it said. I gave it to my brother in law to fix and it took him a month to tell me I needed to backup my files cause he was going to dump the whole thing. Last night after plugging in the USB and having it fill up without even getting through a 1/4 of our pictures, I decided to try to get rid of the virus myself. I ran malwarebytes which found some items and told me to shut down to complete. I did, got the blue screen- started in safe mode w/ networking (got a pop up that said malwarebytes could not be located). After some more searching, I downloaded Hitman that was made for the DNS virus- I know whatever it is on my computer is really bad. The local connection icon was completely removed. Ethernet driver gone and microsoft system tools like firewall and security all gone. Here is a what hitman said before it told me to reboot to complete the deletion of the virus (s). Rootkit rootkit.mbr.pihar.d (boot image) ,trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.graftor.13001 (engine A), backdoor.maxplus, trojan-dropper.win32.sirefeflIK... and 57 items in tempfiles..... HELP PLEASE!

A:. Rootkit rootkit.mbr.pihar.d (boot image) ,trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.g...

Copy this tool to the infected PC FSS
Checkmark all the boxes
Click on "Scan".
Please copy and paste the log to your reply.

Read other 1 answers
RELEVANCY SCORE 71.6

This computer hangs, freezes both with web and non web pages. I have been able to improve performance with unhackeme and AVG. In general I run CA anti virus and have uninstalled AVG. Performance is still not great. Thanks for your help.
Ken
DDS (Ver_09-12-01.01) - NTFSx86
Run by scher family at 10:54:29.14 on Sun 12/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1113 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Pr... Read more

A:malware/rootkit/trojan/virus oh my

bump, please
Thanks

Read other 1 answers
RELEVANCY SCORE 71.6

Hello, this is my first time posting here.

The reason I'm doing so is that I recently have been infected with the TDSS/Alureon rootkit. I used Kaspersky's TDSSKiller to remove it, and it worked. I manually removed the trojans that came with it, as the rootkit was the only really "unsolvable" one without external application help. (I've had quite a bit of experience with it)

Later, I installed Avira and it found no infection.

However, there's still something suspicious (just that "gut feeling" as well as some other quirks) so I'm posting a HijackThis logfile in hopes that someone will be able to help me. I will write my own comment on a log file line in brackets if I think it's necessary (as I figure some are remains from the trojans which I removed beforehand).

Thank you all in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:24:11, on 9.6.2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS&#... Read more

A:Rootkit/Trojan/Malware trouble? (XP SP3)

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:

Step # 1 Download and run DDS
Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.

Step # 2: Download and Run Gmer
Please download gmer.zip from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Cli... Read more

Read other 3 answers
RELEVANCY SCORE 71.6

I have Windows XP Professional Version 2002 Service Pack 3
MBAM version 1.50 database v.5241
Microsoft Security Essentials Virus and Spyware version 1.95.1144.0

I had visited the mangareader website a few days back to read manga and noticed a whitesmoke program which got installed onto my computer.
Ran MBAM which quarantined several whitesmoke files and then had it remove all.

A few days later, I realized my shutdowns were taking a while and clicking on Google search links was directing me elsewhere.
Additionally MSE was giving error code 0x80072efe for being unable to update. The scan didn't have anything show up either.
MBAM worked and cleared several malware, but did not fix the problem even after being run in safe mode.

I concluded my PC was compromised.

I have run Kaspersky Virus Removal Tool 2010 which has detected & got rid of a few rootkits (i.e. Rootkit.Win32.TDSS.fa and Rootkit.Win32.FlyStudio.op).
I suspect the latter may still be on my computer.

At this time, I have managed to get MSE to update. Quick scan shows nothing.
MBAM can update too, but can not quick scan. It freezes and does not respond after a few minutes. Have not tried full scan.

P.S. I will be away till evening of Dec 5th. Thanks in advance to those who can assist me.

A:Various Malware & possibly Trojan / Rootkit

Update

MBAM full Scan shows nothing.
MBAM quick scan still does not work.

MSE full scan shows nothing too.


Hi, I originally posted in "Am I infected" and was told to post the HijackThis log here: I ran SDFix which greatly helped regain control and removed some problems, but Kaspersky still shows infections including a rootkit. I don't know how to further eradicate the known problems.

Hijacklog:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:17 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R3 - URLSearchHook: Yahoo! ?u??C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7... Read more

A:Trojan/malware/rootkit .. How To Remove?

Hello and welcome to BC. Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it's taking us longer to catch up. If you haven't received help elsewhere already and still require assistance please post a fresh HijackThis log and I'll be happy to help you. Thanks for your patience.


http://www.bleepingcomputer.com/forums/topic451500.html/page__gopid__2679226#entry2679226

The above link is my original post.

I have now disabled all CD emulation software.

I cannot enable Windows Firewall as the virus is not allowing me (an error message pops up).

Download and run DDS - won't work. The download opens up in Notepad, unintelligible gobbledygook.

Here is my log file from aswMBR:

aswMBR version 0.9.9.1665 Copyright © 2011 AVAST Software
Run date: 2012-04-26 12:25:43
-----------------------------
12:25:43.694 OS Version: Windows x64 6.1.7600
12:25:43.694 Number of processors: 2 586 0x170A
12:25:43.694 ComputerName: MARKS-PC UserName: mark's
12:25:48.085 Initialize success
12:30:15.176 AVAST engine defs: 12042600
12:30:32.326 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:30:32.330 Disk 0 Vendor: Hitachi_ PC4O Size: 476940MB BusType: 3
12:30:32.342 Disk 0 MBR read successfully
12:30:32.346 Disk 0 MBR scan
12:30:32.354 Disk 0 unknown MBR code
12:30:32.366 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
12:30:32.377 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 463342 MB offset 409600
12:30:32.405 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 13397 MB offset 949334016
12:30:32.443 Disk 0 scanning C:\Windows\system32\drivers
12:30:52.985 Service scanning
12:30:55.740 Service AMService C:\Windows\TEMP\dipbvk\setup.exe **INFECTED** Win32:Zbot-OHK ... Read more

A:malware, rootkit & trojan!!! need removal

Hello and Welcome to Bleeping Computer!!

Use link 2 or 3 for DDS.

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at y... Read more


Since yesterday, whenever I try to go to Facebook, the log-in page is basically a skeleton. By that, I mean nothing is shown except text. The logo is replaced by the phrase "Facebook logo". In other words, everything looks as is if I were running some sort of low-end mobile app.
 
If I type in my sign-in information, the next page is bare bones, just like the log-in page.
 
Looking around on Google, I see some comments from people with similar problems, who suggest it is related to http://fbstatic-a.akamaihd.net
 
I have no clue. Nothing that I try seems to work to fix it.
 
Any help would be appreciated!
 
 

A:Not sure if this is Malware or ?? (problem with Facebook on ALL browsers)

Follow up -- I forgot to mention: I ran a scan with MiniToolBox, and got this result:
 

# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection 2"
set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp
# Interface IP Configuration for "{377A7A23-BF10-4761-A6B6-D8A5ED6DABB0}"
set address name="{377A7A23-BF10-4761-A6B6-D8A5ED6DABB0}" source=dhcp
set dns name="{377A7A23-BF10-4761-A6B6-D8A5ED6DABB0}" source=dhcp register=PRIMARY
set wins name="{377A7A23-BF10-4761-A6B6-D8A5ED6DABB0}" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
        Host Name . . . . . . . . . . . . : customer-c80fbe
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Inte... Read more


First it started with a Trojan Back Door virus and I was able to remove that, then AVG rootkit scan detected a possible 28 unknown file location rootkit IRP hooks, which I am unable to remove. Please help, I have ComboFix, Gmer and PandaSecurity Anti-Virus along with AVG downloaded. I just need to be told exactly what to do.

Thank you.

A:Rootkit infection and Malware/Trojan Virus.

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more


I started finding logs that told me I had a problem, even logs that said someone had been logging in remotely, so I reinstalled Windows Vista. I then saw that it didn't do what it was supposed to; with more investigation I found out I have at least one rootkit and trojans and malware. The rootkit has rewritten my reinstallation section and short of ordering another installation disk I was hoping you could help me fix this problem. Please see attached...

DDS (Ver_09-12-01.01) - NTFSx86
Run by Babykitty at 0:49:30.90 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.1760 [GMT -6:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows&... Read more

A:Rootkit (Haxdoor) Trojan's Worm's Malware

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions.

Thanks


I had the TDSS trojan. It was a rootkit thing that redirected all searches, and was good at preventing removal. I also had (maybe a part of it) MyWebSearch bar and My Fun Web spyware.

After exhaustive efforts, and running Combofix, Malwarebytes, Spybot, and McAfee, I think it is gone, but would like some confirmation. I'd appreciate any help. Pieces of MyWebSearch have been hard to keep gone.

BTW, I just finished running Malwarebytes before this scan, and then rebooted.

Below is the DDS txt log file. I'm new here, do I need anything else?? A Hijackthis log??
(Attach.txt or attach.zip would NOT upload for some reason)

DDS (Ver_09-01-07.01) - NTFSx86
Run by comctr at 14:55:31.37 on Thu 01/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1644 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Fil... Read more

A:tdss virus/trojan/rootkit and other malware

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please update Malwarebytes' Anti-Malware and run a full scan and post the logs with the DDS log.
* Download DDS by sUBs from one of the following links. Save it to your desktop. ... Read more


This is the problem where AVG found but couldn't remove some trojan adloads (then didn't find them), then new windows in IE (and new tabs in Firefox) started popping up random numbered HTTP links or links to ads for downloadable music and crap, plus Windows Generic Host System32 would have a problem and need to close fairly frequently (thus disabling sound for Warcraft III and new Youtube windows). So on the advice of boopme:

EDIT: Gmer log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-02 15:10:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\April\LOCALS~1\Temp\uxddqpob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB9727340, 0x121A5F, 0xF8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xF7555394]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB95D5590]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32... Read more

A:Trojan Adloads; possible rootkit/protected malware

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the ... Read more


Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Ultimate, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i7-3820 CPU @ 3.60GHz, Intel64 Family 6 Model 45 Stepping 7
Processor Count: 8
RAM: 16326 Mb
Graphics Card: NVIDIA GeForce GTX 660 Ti, -2048 Mb
Hard Drives: C: Total - 317821 MB, Free - 240266 MB; D: Total - 317971 MB, Free - 215664 MB; E: Total - 317972 MB, Free - 38488 MB;
Motherboard: ASUSTeK COMPUTER INC., P9X79
Antivirus: Panda Free Antivirus, Updated and Enabled

I made the mistake of doing a survey for a pdf book. I should have known better; I accidentally clicked what now seems like some sort of trojan-filled item. When nothing happened I quickly downloaded Malwarebytes as I didn't have it after the recent clean up of my computer. It blocked the rootkit engine files when I tried to run the program.
I quickly realized and did a system restore; unfortunately it didn't fully work.
I fully removed and reinstalled Malwarebytes, but it's blocking the rootkit part of the program.

In safe mode it was blocking the antivirus, and disabling the Security Centre on Windows. I fixed it and that seems okay for now in regular mode.

I just want to fix this before it gets worse. At one time in safe mode I think it was using a script to block the use of the browser. I'm not sure. Everything is fine for now but it won't let Malwarebytes work.

It's probably only a matter of time before it blocks the other antivirus / malware prog... Read more


Hi guys, I've never posted on here before, and I really need help. It's been like 5 years since I've been on the net (maybe more) and it's just volatile. My computer is unstable. I'm noticing data being sent to unknown IP addresses.. I have 7 svchosts...
This computer was given to me and I'm pretty sure there's a lot wrong with it and I have tried to catch up and here's what I've done:

1) Process Explorer.exe: I stumbled across it; it helped me cut a few autoruns out that I didn't need and I learnt about identifying good sources. Sped up the computer a little.

2) RegCure: I know I'm gonna get bleep for this.. I downloaded RegCure and it told me I had like 1300 errors?? and it offered to fix 1.. so I YouTube'd a crack and downloaded a random .exe from some server host and replaced it with my RegCure. I know now this was the dumbest thing I could have done but I can't undo it. I promise after your help I won't do this stupid stuff again. I've spent a number of hours droning through ways to prevent infection and phishing filter software and another one that gives reports on thousands of websites *weary*

3) Comodo Internet Security: I have this; it's my antivirus, firewall, and my outbound connection monitor (which has been very suspicious). There are 4 svchost.exe's *listening* for info in my Inbound/Outbound monitor. Here's an example:
came from windows/system/svchost.exe 192.168.0.1: too quick to catch, port listening 2869, sent 55kb?? received 66kb?
These happen while... Read more

A:Win XP SVCHost/Trojan/Rootkit?/Mean Malware Case?

First run this:

Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All. Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All. Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

----------------------------------------------------

Then update MBAM and run a full scan. Please post the log.

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' A... Read more


Hello everyone, I have been searching for how to remove this and for some reason it does not go away. I have formatted over 5 times, erased everything.. all partitions, everything. That's why I think it is some kind of nasty rootkit boot virus.. I need my PC to work and this thing is just beating me up.. I've never seen anything like it. I would appreciate the help, I've been days on this and nothing.. It seems to have masked my antivirus (Bitdefender) also.. it won't find anything when I run it.. It also opens a lot of connections and svchosts, shooting my CPU usage to the sky.. I have downloaded the programs to try to do this myself but I really have not encountered anything like this before. Thanks!!

I am running an HP i7 2.0 GHz / Windows 7 / SP1 (I think.. I heard it might have something to do with the updates and since I have formatted so many times I just download the first updates) / 6GB RAM / 500GB HD.

Here are the logs. By the way, I ran while in safe mode.. let me know if I should run it normally.

DDS
DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 8.0.7600.16385
Run by Alexandre at 23:05:01 on 2013-10-10
#Option Extended Search is enabled.
#Option Whitelisting is disabled.
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.55.1033.18.6092.4647 [GMT -3:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows... Read more

A:Help me debug please! Rootkit/boot trojan/malware

Attach is attached.

HIJACK:
Logfile of HijackThis v1.99.1
Scan saved at 23:20:49, on 10/10/2013
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Running processes:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Alexandre\Downloads\TCPView\Tcpview.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Alexandre\Downloads\94czz5sc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - ... Read more

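Several of the posts above paste raw scanner output and ask which lines in it actually matter: the aswMBR log that reports "unknown MBR code" and a service running from C:\Windows\TEMP marked **INFECTED**, the GMER log whose own driver is loaded from a Temp folder, and the HijackThis process list that includes an executable started from the Downloads folder. The script below is an added example, not code from this forum or from DDS, GMER, aswMBR or HijackThis. It applies three of the checks a forum analyst does by eye: lines the scanner itself flagged, svchost.exe running from anywhere but System32/SysWOW64, and executables, drivers or services launched from Temp or Downloads. The `triage` function, the `Finding` record and the heuristics are my own; the sample log is constructed for the example, modelled on lines quoted in the posts above, and says nothing about any poster's real machine. Everything it returns is a lead for a human to check, not a verdict, and the GMER driver in Temp shows why: it is the scanner's own helper, yet it trips the same heuristic a dropper would.

```python
"""Triage of Windows malware-removal tool logs (added example, not forum code).

Scans DDS / HijackThis / aswMBR / GMER style text and returns the lines an
analyst would look at first.  Everything it returns is a lead, not a verdict.
"""
import re
from dataclasses import dataclass

# Strings the scanners themselves print on lines that deserve attention.
TOOL_MARKERS = ("**INFECTED**", "<--- ROOTKIT", "unknown MBR code")

# A Windows path ending in an executable/driver extension.  Spaces are allowed
# because of "Program Files", so the match is non-greedy up to the extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*\r\n]+?\.(?:exe|dll|sys|scr|pif)', re.IGNORECASE)

# Directories a legitimate service, driver or autostart almost never runs from.
SUSPICIOUS_DIR = re.compile(r"\\(?:temp|tmp|downloads)\\", re.IGNORECASE)

# The only places the genuine svchost.exe lives.
SVCHOST_HOMES = ("\\windows\\system32\\svchost.exe", "\\windows\\syswow64\\svchost.exe")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the log
    severity: str  # "high" or "medium"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious log line, in log order."""
    findings: list[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # 1. The scanner already said so: infected service, rootkit hook, unknown MBR code.
        if any(marker in line for marker in TOOL_MARKERS):
            findings.append(Finding(n, "high", "scanner flagged this entry", line))
            continue
        for path in WIN_PATH.findall(line):
            low = path.lower()
            # 2. svchost.exe anywhere but System32/SysWOW64 is a classic impostor.
            if low.endswith("\\svchost.exe") and not any(low.endswith(h) for h in SVCHOST_HOMES):
                findings.append(Finding(n, "high", "svchost.exe outside System32/SysWOW64", line))
            # 3. Code started from Temp/Downloads: droppers live there, but so do the
            #    scanners' own helpers (GMER loads its driver from Temp), hence "medium".
            elif SUSPICIOUS_DIR.search(low):
                findings.append(Finding(n, "medium", "executable in temp/download directory", line))
    return findings


# Constructed sample, modelled on lines quoted in the posts above; not a real log.
SAMPLE_LOG = r"""12:30:32.354 Disk 0 unknown MBR code
12:30:55.740 Service AMService C:\Windows\TEMP\dipbvk\setup.exe **INFECTED** Win32:Zbot-OHK
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Windows\svchost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Alexandre\Downloads\94czz5sc.exe
Running: gmer.exe; Driver: C:\DOCUME~1\April\LOCALS~1\Temp\uxddqpob.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}: {f.line}")
```

Run against the sample it reports five leads: the unknown MBR code, the infected service, the svchost.exe outside System32, the executable in Downloads and the driver in Temp; the genuine svchost.exe with its -k argument and the Chrome binary under Program Files pass. Severity is deliberately only "medium" for the Temp/Downloads rule because, as the GMER line shows, the removal tools themselves put randomly named helpers there, so that rule narrows the list of things to ask about rather than naming an infection.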