
Q: AGONY - wininit.sys - NTRootKit-K - infection!

Please help me with this infection! I have run the following programs with no luck removing the infection: HitmanPro (Kickstart), Malwarebytes Anti-Rootkit, JRT, AdwCleaner, SuperAntiSpyware, Malwarebytes Anti-Malware and Dr.Web CureIt.
 
Any assistance would be greatly appreciated!
 
Here is my DDS log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.17037
Run by Mayra at 8:11:46 on 2014-01-30
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.445.63 [GMT -6:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\AOL\1173975032\ee\aolsoftware.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
uProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: EFOToolbar: {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: EFOToolbar: {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [HostManager] c:\program files\common files\aol\1173975032\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\mayra\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: &3D Satellite Search - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll/GoSatteliteSearch.dll.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: S&earchSave Web Search - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll/GoWebSearch.dll.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{9F36A383-E0E8-4F5F-8A3F-591F72B2BEC9} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{F88B3CCC-9538-4E20-B035-30E372AA84F7} : DHCPNameServer = 192.168.1.254
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-1-29 22856]
S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-1-29 75480]
S3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2013-9-12 1439744]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
.
=============== File Associations ===============
.
ShellExec: BitDownload.exe: open=c:\program files\bitdownload\BitDownload.exe
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
ShellExec: ymp.exe: open="c:\program files\yahoo!\yahoo! music jukebox\YahooMusicEngine.exe" -play "%1"
ShellExec: ymp.exe: play="c:\program files\yahoo!\yahoo! music jukebox\YahooMusicEngine.exe" -play "%1"
.
=============== Created Last 30 ================
.
2014-01-30 12:52:52 -------- d-----w- c:\programdata\Doctor Web
2014-01-30 12:52:40 -------- d-----w- c:\users\mayra\Doctor Web
2014-01-30 12:35:38 -------- d-----w- C:\AdwCleaner
2014-01-30 12:28:32 -------- d-----w- c:\windows\ERUNT
2014-01-30 07:35:45 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{dba186de-e35d-4540-ba25-1634bdc9e39f}\offreg.dll
2014-01-30 05:31:36 -------- d-----w- c:\users\mayra\appdata\roaming\SUPERAntiSpyware.com
2014-01-30 05:31:35 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-01-30 03:49:54 -------- d-----w- c:\users\mayra\appdata\roaming\Malwarebytes
2014-01-30 03:49:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-30 03:49:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-30 01:41:03 -------- d-----w- c:\programdata\Malwarebytes
2014-01-30 01:40:10 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-30 01:05:53 7760024 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{dba186de-e35d-4540-ba25-1634bdc9e39f}\mpengine.dll
2014-01-30 00:44:55 135464 ----a-w- c:\windows\system32\LnkProtect.dll
2014-01-30 00:43:34 -------- d-----w- c:\programdata\HitmanPro
.
==================== Find3M  ====================
.
2014-01-16 15:59:46 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH:  8:13:56.81 ===============
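The DDS log above is the only evidence in this thread, and the automated reply below does not look at it. Two things a helper would note first: the log lists C:\Windows\system32\wininit.exe, which is the normal Vista session-initialisation process, and no wininit.sys appears anywhere in it; and the Pseudo HJT section shows a toolbar DLL loaded from c:\users\mayra\appdata\roaming\osi\dlls, a location any program running as the user can write to. As an added example (not part of the original thread and not DDS code), the script below reduces the Pseudo HJT section to those entries the same way: it parses the BHO, TB, IE and DPF lines and flags a browser extension whose module lives under a user-writable path, or an ActiveX control (DPF) pulled from a remote URL. The sample input is copied from the log above; the "user-writable" path markers and the flagging rules are my own assumptions, and a flag means "inspect this next", not "this is malware".

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the original thread and not DDS code. It extracts
BHO / TB / IE / DPF entries and flags the ones a helper would look at first:
a browser extension module loaded from a user-writable location, or an
ActiveX control (DPF) pulled from a remote URL. Flagged means 'inspect next',
not 'malicious'.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
TB: EFOToolbar: {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll
TB: EFOToolbar: {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll
IE: &3D Satellite Search - c:\users\mayra\appdata\roaming\osi\dlls\EFOToolbar.dll/GoSatteliteSearch.dll.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
"""

# Assumption: anything under these path fragments can be written by the
# logged-on user without elevation, which is where adware usually lands.
USER_WRITABLE_MARKERS = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")

_ENTRY_TYPES = ("BHO", "TB", "IE", "DPF")
# The module or URL is the text after the first ' - ' that starts a drive
# path or a URL (DDS defangs http as hxxp).
_TARGET = re.compile(r" - (?P<target>(?:[A-Za-z]:\\|hxxps?://|https?://).*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Finding:
    kind: str    # BHO, TB, IE or DPF
    clsid: str   # first CLSID on the line, '' if none
    module: str  # lower-cased on-disk path, or the download URL for DPF
    reason: str


def parse_entry(line):
    """Return (kind, clsid, module) for one BHO/TB/IE/DPF line, or None."""
    line = line.strip()
    kind, sep, rest = line.partition(":")
    if not sep or kind not in _ENTRY_TYPES:
        return None
    m = _TARGET.search(rest)
    if m is None:
        return None                      # e.g. an IE entry that only maps CLSIDs
    target = m.group("target").strip()
    c = _CLSID.search(rest)
    clsid = c.group(0).upper() if c else ""
    if target.lower().startswith(("hxxp", "http")):
        return kind, clsid, target
    # IE entries append a resource suffix ('/search.htm', '/3000'); Windows
    # paths never contain '/', so everything after it is not the module.
    return kind, clsid, target.split("/", 1)[0].lower()


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def triage(log_text):
    """Return Findings for the entries worth a closer look, in log order, deduplicated."""
    seen, findings = set(), []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None or parsed in seen:
            continue
        seen.add(parsed)
        kind, clsid, module = parsed
        if module.lower().startswith(("hxxp", "http")):
            findings.append(Finding(kind, clsid, module, "ActiveX control downloaded from a remote URL"))
        elif is_user_writable(module):
            findings.append(Finding(kind, clsid, module, "browser extension loaded from a user-writable path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.clsid or '-':40} {f.module}\n     -> {f.reason}")
```

Run it over the whole DDS log; lines of the four entry types are parsed, everything else is ignored. On the sample it flags the EFOToolbar TB and IE entries (one finding each, the duplicate TB line is collapsed) and the Java DPF download, and leaves the Program Files entries alone. A flagged module still has to be checked on disk (publisher signature, hash lookup) before anything is removed; the script only narrows the log to the entries worth that effort.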
 


A: AGONY - wininit.sys - NTRootKit-K - infection!

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/522612 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:
If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post. Please do this even if you have previously posted logs for us. If you were unable to produce the logs originally please try once more. If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.
Thank you for your patience, and again sorry for the delay.
***************************************************
We need to see some information about what is happening in your machine. Please perform the following scan again:
Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.
DDS.com Download Link
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control can be found HERE.
As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

Q: Another NTRootkit-J Infection

I have read many posts on this subject, and the instructions for removal vary. I am currently in safe mode, as this is the only way I can use firefox. I run Mcafee, and it is (to the best of my knowledge) fully updated. Unfortunately, it was unable to successfully remove it fully. I have a Hijack This log, but it was run in safe mode. I will repost with a log file from normal operating mode if this is necessary for removal. Thank you all in advance.
Hijack this log file:
***Note: Edited for length, see post below***
 

A: Another NTRootkit-J Infection

Ok, I ran a search, and found SDFix. This appears to have solved the issue. Excellent little script. For anyone who comes across this and has the same problem, I found it here:
http://forums.techguy.org/security/549513-ntrootkit-j-trojan-cant-kill.html?highlight=ntrootkit-j
 

Q: Ntrootkit-j Trojan Infection-pls Help

Anyone please help me with this. I have McAfee installed but somehow NTRootkit-J got in. Now McAfee is flashing a screen saying removed; when I press continue it comes back again. What do I do? Here is my HijackThis file, please help me!!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:29:14 PM, on 05/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS...

A: Ntrootkit-j Trojan Infection-pls Help

Hi maverick143 and Welcome to the Bleeping Computer!
Does McAfee specify a location of the infection it's finding?

Click Start-> Run-> Type in Services.msc and Click OK
Scroll that list and locate this entry
MicroSoft Media Tools <-- Match the name exactly as I have it listed!
Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled
Click Apply-> OK and Exit the Services Page

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop. Please double-click Killbox.exe to run it.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\MSmedia.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Select Delete on Reboot then Click on the Single File button.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try K...

Q: possible wininit and other infection

This is my girlfriend's laptop and I'm trying to help her, going by her description of some of the problems, which include BSOD, incredibly slow internet, random reboots, etc. Loading her email can take 15 minutes, and her computer CPU is often at 100% due to what looks like wininit.exe and one or two other programs.

Here are the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Sunshine Moonbeam at 20:00:37 on 2011-09-15
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1015.55 [GMT -4:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Trend Micro Security *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: AVG Internet Security 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Trend Micro Security *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\...

A: possible wininit and other infection

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
This is the first entry on your Extra.txt log.
9/15/2011 8:03:53 AM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
I hope that your Hard Drive is not failing on you. Make sure you have a backup of all your Important files just in case.
===
Next time you get a BSOD please make a note of the message and post it for my review.
===
Close applications, programs and disconnect from the internet.
Open a CMD (Command prompt) How To: http://www.sevenforums.com/tutorials/27778-open-command-window-here.html
At the C:\ prompt execute this command. CHKDSK /R make sure you have a space after the K.
This may take a while. Let it finish.
Please let me know what is reported.

Q: wininit.ini/UAC.dll infection?

After a short chat here I've decided to come over to this section and ask for help. Please read that thread for more information about my problem.

As jcgriff2 explained in the previously mentioned thread, I can't run dds.scr due to x64 incompatibility. I've also had a problem with gmer.exe. Most of the options are unavailable, but I've ran the scan as close to the instructions as I could anyway. Attached is a screenshot of gmer's options and the results. The scan was done using the same options as the screenshot in the .zip archive.

Any help or advice in getting dds and gmer to work properly or more information on the wininit.ini file would be greatly appreciated.

A: wininit.ini/UAC.dll infection?

Hi,

Please do the following:

Download OTS to your Desktop.
Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Check the box that says 64 bit
Under Additional Scans check the following:
File - Lop Check
File - Purity Scan
Evnt - EvtViewer (last 10)

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

Q: wininit.ini/UAC.dll infection?

I'm a little worried. I just found a file named "wininit.ini" in C:\Windows. I never knew that file existed. Out of curiosity I opened it up with Notepad and it contained the following lines:


Code:
[Rename]
NUL=C:\Users\Nofew\AppData\Local\Temp\nsh992.tmp\UAC.dll
NUL=C:\Users\Nofew\AppData\Local\Temp\nsh992.tmp\
(That is the exact contents of the entire wininit.ini file. Please note the blank line at the bottom.)

Since when does UAC.dll exist in a temporary folder (or even exist, for that matter), and why is it being renamed to nothing? I've already backed the folder up to be safe but I'm afraid to reboot or remove the lines from wininit.ini. Any advice would be helpful, and sorry if I've posted this in the wrong section. I had a feeling it might be malware, but I've seen Vista do some pretty strange things before.

A: wininit.ini/UAC.dll infection?

Hello, NoFew!


Quote:
Originally Posted by http://www.aumha.org/a/loads.php

THE WININIT.INI FILE

Another file, C:\Windows\WININIT.INI, also is loaded at each Windows normal mode startup. WININIT.INI is used to complete Windows and program installation steps that cannot be completed while Windows is running and, therefore, are deferred until after a reboot. During the boot process, Windows checks to see if there is a WININIT.INI file and, if it finds one, executes its instructions. (After its successful use, it is supposed to be automatically renamed to WININIT.BAK.) You can search for a copy of this file using the Find or Search feature on your Start Menu, and then examine and edit its contents with Notepad. You can temporarily suspend any line of this file by placing a semi-colon in front of the line.

According to Google, in most cases it's considered a virus - but, I'm not sure - if you feel like it might be infected, then . . .

I recommend that you read this article:
"NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help"; follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the Virus/Trojan/Spyware Help section of the forum.
(Simply, click on the colored links to be re-directed.)

Please ensure that you create a new thread in the Virus/Trojan/Spyware Help Forum; not back here in this one.

When carrying out The Malw...
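The quoted description above is enough to read the poster's file mechanically instead of guessing. As an added example (not from the thread, from aumha.org, or from Windows), the script below parses the [Rename] section of a wininit.ini, classifies each line as a delete (destination NUL) or a move, attaches the observations a helper would make about it, and implements the ';' suspension the quoted text mentions so the file can be neutralised reversibly before a reboot. The sample is the two lines the poster quoted; the review notes are my own heuristics, not Windows semantics. One of them is worth spelling out: a %TEMP% folder named ns<alphanumerics>.tmp is the naming NSIS installers use for their plugin directory, and UAC.dll is the name of NSIS's UAC plugin, so an entry like this is what an NSIS-based install or uninstall leaves behind when it could not remove its own temporary files until the next boot. The script records the pattern match and leaves the judgment to the reader; it does not decide whether the installer that wrote it was wanted.

```python
"""Parse a wininit.ini [Rename] section and spell out the deferred file
operations it would perform at the next boot.

Added example, not part of the thread and not Windows code. Format
assumptions follow the description quoted above: [Rename] holds one
'destination=source' line per operation, a destination of NUL means the
source is deleted, and a leading ';' suspends a line.
"""
import re
from dataclasses import dataclass

# Constructed sample: the file contents the poster quoted.
SAMPLE_WININIT_INI = (
    "[Rename]\n"
    "NUL=C:\\Users\\Nofew\\AppData\\Local\\Temp\\nsh992.tmp\\UAC.dll\n"
    "NUL=C:\\Users\\Nofew\\AppData\\Local\\Temp\\nsh992.tmp\\\n"
    "\n"
)

# Assumption (my heuristic): NSIS installers create their plugin directory as
# %TEMP%\ns<alphanumerics>.tmp; matching it is an observation, not a verdict.
_NSIS_PLUGIN_DIR = re.compile(r"\\ns[A-Za-z0-9]+\.tmp(?:\\|$)", re.IGNORECASE)


@dataclass(frozen=True)
class RenameOp:
    action: str       # 'delete' (destination NUL) or 'move'
    source: str
    destination: str  # 'NUL' for deletes
    suspended: bool   # line starts with ';' and will be ignored at boot
    notes: tuple      # reviewer observations about this operation


def _review_notes(action, source, destination):
    src, dst = source.lower(), destination.lower()
    if "\\temp\\" in src:
        yield "source lives under a Temp directory"
    if _NSIS_PLUGIN_DIR.search(source):
        yield "ns*.tmp folder matches the NSIS plugin directory naming"
    if source.endswith("\\"):
        yield "source is a directory, not a file"
    if action == "move" and ("\\windows\\" in dst or "\\system32\\" in dst):
        yield "destination is a system directory: a file will be replaced at boot"
    if action == "move" and src.rsplit(".", 1)[-1] in ("exe", "dll", "sys"):
        yield "executable code is being moved into place"


def parse_rename_section(text):
    """Return the RenameOps listed under [Rename], in file order."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename:
            continue
        suspended = line.startswith(";")
        body = line[1:].strip() if suspended else line
        if "=" not in body:
            continue                      # not a destination=source pair
        destination, source = (part.strip() for part in body.split("=", 1))
        action = "delete" if destination.upper() == "NUL" else "move"
        ops.append(RenameOp(action, source, destination, suspended,
                            tuple(_review_notes(action, source, destination))))
    return ops


def suspend_rename_lines(text):
    """Comment out every active [Rename] operation with ';' (reversible: the
    lines stay in the file, Windows just skips them)."""
    out, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
        elif in_rename and "=" in line and not line.startswith(";"):
            raw = ";" + raw
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for op in parse_rename_section(SAMPLE_WININIT_INI):
        state = "SUSPENDED " if op.suspended else ""
        print(f"{state}{op.action}: {op.source} -> {op.destination}")
        for note in op.notes:
            print(f"    - {note}")
```

On the poster's file this reports two deletes, both under Temp and both in an ns*.tmp folder, the second one a directory rather than a file. The case that would actually warrant alarm is the other shape the format allows: a move whose destination is under C:\Windows, which replaces a system file at boot before any on-access scanner is running; the move test in the notes exists for that. Suspending the lines with ';' rather than deleting the file keeps the evidence intact if the machine has to be looked at again.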

Q: Woolf.16 Virus---wininit.exe Infection

I have run my McAfee scan and it finds nothing. I ran an online scan in Safe Mode using CA. Shows clean. Spybot shows clean. SuperAntiSpyware just shows a tracking cookie. However when I run ProcessLibrary it shows this infection running on my system. Please help me remove it. I can post a HijackThis log if needed.
Wollf.16

wininit.exe

A: Woolf.16 Virus---wininit.exe Infection

Your infection doesn't have a program that will remove it as far as I can tell.
Read the Preparation Guide for use before posting a HijackThis Log thread up until Step 9.
Then download the new version of HijackThis from here. Then unzip/extract hijackthis.zip. If you are unsure how to unzip/extract, a link showing how to can be found by clicking here.
Then create a permanent folder and move hijackthis.exe into it. The reason for this is because HijackThis creates backups and they may be deleted if they are in a temp-folder.
How to make a permanent folder:
Click My Computer, then C:\ and then on Program Files.
In the menu bar (2nd bar from the top) select File>New>Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there by copying and pasting.
I would recommend you create a shortcut for HijackThis for easy access. Just right-click HijackThis and select create shortcut. Copy and paste that shortcut onto the desktop.
Please be patient, as there are a limited number of helpers and a lot of demand for help. Also, do NOT bump your topic, as the HJT team members work on a first come first serve basis, and if you bump your topic by replying to your thread, they will assume someone is already helping you as your thread has been replied to.

Q: Bamital-x infection in explorer.exe and wininit.exe

I seem to have acquired this infection 4 days ago. I noticed when I tried to boot up my laptop and wound up stuck at a blue screen after the logon password screen. I banged my head around and tried various things, and I now have the computer more or less booting correctly and pretty stable, but I'm still infected. Avast and Avira both show Win32:Bamital-X in C:\Windows\explorer.exe and C:\Windows\System32\wininit.exe, and neither can fix the problem. I would appreciate any assistance I can get for this problem.

DDS (Ver_10-10-21.02) - NTFSx86
Run by daniel's bleepe at 5:30:38.83 on Thu 10/28/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.840 [GMT -5:00]

SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows ...

A: Bamital-x infection in explorer.exe and wininit.exe

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The ...

Q: Combofix fails to correct wininit.exe infection

After running MalwareBytes, Avira, and Combofix, Combofix continues to complain about
c:\windows\system32\wininit.exe
c:\windows\system32\settings.ini
At about stage five, Pev.exe fails. Combofix attempts to reboot, but hangs at the "Logging Off" screen. I assume it's trying to reboot to correct a rootkit infection? Upon hard shutdown (poweroff) and reboot, icons and anything on the program menu are inoperable until I reboot again. Multiple runs of ComboFix fail to correct the problem. Combofix log below.

ComboFix 10-08-24.0A - a full house 08/24/2010 23:15:15.4.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2012.1105 [GMT -5:00]
Running from: c:\users\a full house\Desktop\cf.com
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\settings.ini
Infected copy of c:\windows\system32\wininit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wininit.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.
2010-08-25 04:23 . 2010-08-25 04:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-25 04:23 . 2010-08-25 04:23 -------- d-----w- c:\users\lorretaj\AppData\Lo...

A: Combofix fails to correct wininit.exe infection

Hi drbeams, Welcome to Bleeping Computer!
My name is mpascal, and I will be helping you fix your problem.
Before we begin, I would like to give a few guidelines so that we can fix your problem as quickly and efficiently as possible:
Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
Please do not do anything or perform other steps unless I have asked you to do so.
Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
If you are unsure of how to reply, or need help with anything regarding the website, please look here.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below I will rev...

Q: OH the Agony of pop-ups!

Deckard's System Scanner v20070826.66
Run by Chad on 2007-08-31 01:43:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2007-08-31 05:44:01 UTC - RP188 - Deckard's System Scanner Restore Point
30: 2007-08-30 08:34:58 UTC - RP187 - Software Distribution Service 3.0
29: 2007-08-30 06:47:12 UTC - RP186 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
28: 2007-08-30 03:18:06 UTC - RP185 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
27: 2007-08-28 23:30:38 UTC - RP184 - System Checkpoint


-- First Restore Point --
1: 2007-08-07 21:29:00 UTC - RP158 - Installed Windows Media Player 10


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Chad.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:03 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\l... Read more

A:OH the Agony of pop-ups!

Please download SmitfraudFix
Extract the files to the Desktop

~~~~
Now, start the computer in Safe Mode: When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Press Enter to boot into Safe Mode.
Open SmitfraudFix. Double-click smitfraudfix.cmd.
Select Option 2 - Clean by typing 2 and press Enter (deletes infected files).
You are prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.
You may be prompted to replace the infected file (if found).
"Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.

~~~~
Restart the computer to complete the removal process.

~~~~
Also download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Please run HijackThis once again to obtain a new log.

~~~~
Please post the SmitFraudFix report located at C:\rapport.txt, the ComboFix.txt, and a new HijackThis log.


I ran chkdsk when starting Windows and it has been running for two days with no end in sight at all! What to do? And I desperately need a laptop.

Please help!


I hope someone out there will help me! I have this Movieland thing going on and it's driving me nuts. I read Jelly_tots' post earlier today and followed the advice as far as the HijackThis log, but now I need to know what to do from here!! Please help me! The log is below:
Thank you!!

Logfile of HijackThis v1.99.1
Scan saved at 5:00:19 PM, on 11/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\Program Files\AltPayments\AltPayments.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\MediaPipe\DownloadManager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Pack... Read more

A:Movieland agony


Despite my efforts to maintain a clean and safe computer, something miserable has bitten me. I'm not entirely sure what the issue is, but I know something unusual is going on.

Here are some signs and symptoms ...

Recently, after periods of unattended downloading, I would lose internet connectivity. The only way I could regain connectivity would be to reboot. Reboot would take what felt like forever. Sometimes there would be a Windows dialogue box asking for login credentials for dial-up, which is odd considering I am not on dial-up. Recently, it has been discovered that all boot-ups are agonizingly slow with apparent lengthy periods of inactivity (i.e. no hard disk activity, or even a signal being sent to the monitor). On average, 4-5 minutes to boot up.

Today, while surfing, my AVG anti-virus went crazy picking up immediate virii from websites that were appearing out of nowhere. Bam Bam Bam Bam! A new virus-infected webpage auto-opens and is caught by AVG. There was also an unusual blue webpage titled "Windows critical update" that could not be closed. I use Firefox, not IE, but if I recall, these websites may have been hosted by IE.

I have randomly been asked on occasion to shut down.

I have lost the ability to access regedit (it says the administrator has removed privileges, even in safe mode as the administrator). Even known workarounds commonly available on the internet have failed.

I am unable to run Adaware ... it says it's already running, when it's not ... that I ... Read more

A:Agony With wmpscfgs.exe

Kaspersky Labs Online file scanner has identified the file wmpscfgs.exe as being infected with Trojan-Dropper.Win32.Agent.bsmw .

There is very little reference material online regarding this virus.

Since posting the original message, I have scanned again with the onboard AVG virus scan, and the online Housecall scan. Both identified several other virii, but not the one in question. These secondary virii were removed as part of the scan process.


Hello Peeps, I just received the T520 package today and my excitement suddenly turned to grief when I saw a bright glowing red dot on my screen. OMG... a dead pixel right out of the box! Did I just drop my hard-earned grand that I have been saving for months on something that would bug me for the rest of the product's life? I quickly searched Lenovo's dead pixel policy and almost fainted when I found out the unit has to have at least 3 dead pixels to be considered for replacement noooooooo...wahhhh....boohohoho..sob. Why did they ship out a unit with a dead pixel??? I'm pretty sure it was NOT missed by QA because it glows like a laser beam in the dark and a dead pixel would not develop while in transit! I'm going to contact Lenovo post sales tomorrow and really hoping something can be done. I know some of you will consider this as another guy who got a dead pixel rant, but man, when someone spends this amount of cash, and I'm not rich, I would at least expect to receive a non-defective product. Oh Lordy, I should have trusted my instinct and bought something of this value in a brick and mortar store. Hoping for the best but this night would not be a pleasant one. Sigh, Jason

A:Dead Pixel Agony

You just got it and you're not satisfied, you can return it. So return it. The End

T520 Model 4239 Intel(R) Core(TM) i7-2860QM; Nvidia NVS 4200M, Win 10 64bit. Z70-80 i7-5500U, 16GB, 1TB HD, Win 10 64bit, FHD 17.3", G840 w/2GB


Hi all, after losing my desktop Medion PC - maybe consecutive to an audio folder downloaded + Win Media Player plugin download (post in Vista forum) - now the VAIO laptop can't start Windows. Can't remember how to start in safe mode and then what should I do. PLEASE HELP, urgent, all my work is stuck in these 2 PCs. I only got one PC left.
Thanks Thanks Thanks for URGENT HELP.
 

A:Solved: laptop in agony


Hi Everyone,

Here is the dilemma that I am currently in. I just installed XP on a WD 40GB hard drive. I have been using a Maxtor 80GB up till now for storage. Well, I want to transfer all the digital photos and files (which I have yet to burn, by the way) and put them onto the 40GB. I see both HDs in BIOS. I see both HDs in Device Manager. I don't see BOTH hard drives in MY COMPUTER!!! From what I keep reading, the only way Windows will see the 80GB is if I partition/format it. There is one problem with that: I will lose all of my files if I partition/format it. Is there a way I can transfer these much-needed files over??? PLEASE HELP!!!!

Thanks,
JGC77
 

A:hard drive agony -- please help!!

I had a Western Digital and a Maxtor HDD together in a system a few years ago. I can remember that they didn't both work together. Since then, I have sort of become brand loyal and only use Maxtor (Western Digital and most others are just as good) - I don't mix hard drives. Most drives will work together but occasionally you get two that don't, and you can avoid the possibility of this by just using one brand. If this is the case, then you might be able to put them both on different IDE channels long enough to transfer files.
If it isn't brand compatibility, then check to see (in CMOS) that your unrecognised drive is using the same access mode as it was before when it worked, probably LBA. If it is somehow set to a different mode, then what you described is exactly what happens.
In the event of a corrupted partition, you may need to buy some partition salvaging software. One piece of software you can get for free, usually on the Maxtor site, is Maxblast, which runs on DR-DOS (one comes with each new boxed HDD too, if you still have it somewhere). If you download this HDD installation disc and put it on a floppy, it will give you a lot of great utilities to install and troubleshoot Maxtor hard drives.
One more thing to check is the cable. I have had ribbon cables that had one wire break somewhere and even though the drive continued to work, funny things would happen. You do have the proper 80 pin (not 40 pin) IDE cables, right?
 


MS Update installed a Realtek driver that really does not agree with my system. I'm fine with the MS 5 High Def version.

Every time I go to Device Manager and Programs & Features and delete it and specify the MS generic version, I'm good for about a minute, then the Realtek gets installed. Even after I delete the folder in Programs. I am totally stumped here as this version MS is pushing out is really having problems and I can't make it go away.

I have gone to advanced settings and set it to prevent downloading ANY driver updates at all. It keeps coming back.

I've tried just about everything I can find on Google. I'd really appreciate some help on this. It began happening after this past Tuesday's update. I had other issues (now solved) with that update.

A:MS Realtek driver agony - please help

The following steps worked for me...
First uninstall the faulty driver, but do not restart your machine until you do the following:

Type "Device Installation Settings" in your Windows search box. A result named "Change device installation settings" should show up.

Choose No

Once that's done, you have to go into the Windows Update Settings and change it to "Notify Schedule a restart".

Now go ahead and do a restart.

At this point, the driver won't automatically install, but will be listed in Windows Update. Microsoft expects you to install it anyways. What you need to do is hide it from Windows Update. Download the "Show or hide updates" troubleshooter package:

https://support.microsoft.com/en-us/kb/3073930

That tool will then let you see what's in Windows update and you can then hide it from Windows update.


Can anyone tell me if sound card drivers exist for a SBT-SP6C 6 channel 5.1 surround sound audio card to run in Vista x64? The card has two chips on it. The large one is a Forte Media FM801-AU. The small chip is a Realtek ALC650.

I have not been able to find the correct drivers to install the card in my PC. I have tried many different drivers and none have worked. I've tried all the Realtek sound drivers. None have worked. I have downloaded the latest Forte Media drivers I can find. They don't work with Vista x64.

Please, help if you can. It's very frustrating not being able to install the sound card.

Thanks in advance.

A:sound card agony 2

Originally Posted by glennpalmore

Can anyone tell me if sound card drivers exist for a SBT-SP6C 6 channel 5.1 surround sound audio card to run in Vista x64? The card has two chips on it. The large one is a Forte Media FM801-AU. The small chip is a Realtek ALC650.

I have not been able to find the correct drivers to install the card in my PC. I have tried many different drivers and none have worked. I've tried all the Realtek sound drivers. None have worked. I have downloaded the latest Forte Media drivers I can find. They don't work with Vista x64.

Please, help if you can. It's very frustrating not being able to install the sound card.

Thanks in advance.

Hi Glenn, Welcome to the Forum.

The best answer here is probably to buy a new sound card.

Pooch


Hi Everyone,

Here is the dilemma that I am currently in. I just installed XP on a WD 40GB hard drive. I have been using a Maxtor 80GB up till now for storage. Well, I want to transfer all the digital photos and files (which I have yet to burn, by the way) and put them onto the 40GB. I see both HDs in BIOS. I see both HDs in Device Manager. I don't see BOTH hard drives in MY COMPUTER!!! From what I keep reading, the only way Windows will see the 80GB is if I partition/format it. There is one problem with that: I will lose all of my files if I partition/format it. Is there a way I can transfer these much-needed files over??? PLEASE HELP!!!!

Thanks,
JGC77
 

A:Hard drive agony -- please help

Why can't you use the Data Lifeguard Tools diskette that came with your WD HD? I just put a new WD in last month and I only formatted the new drive before copying over data.
 


I have read other forum topics about the problem I am having (a blinking red icon in my Windows quickstart menu). I continually have the process cool.exe popping up and it's making a strange "clicky" sound from my CPU - sort of like the sound you get when you're about to access dialup. Anyhow, I'm a Master's student at a major Canadian university and it's not helping my thesis that I have these constant ads popping up and these malware problems. Any help would be appreciated greatly! Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 7:05:19 PM, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\ATI Technol... Read more

A:The Agony Of My Malware Infections

You have no active AntiVirus! Get the free AVG 7, install it, check for updates and run a full scan.
AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
========================
Add/Remove Programs - remove Logitech Desktop Messenger
==================
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typi... Read more


Okay, quick run-up on how XP boots: the Boot.ini file loads Windows. Most experienced users know the way to check a boot path is the msconfig option from Run that is on every Windows except Win 2000: Start>Run>msconfig>boot.ini. You can change some boot options here and get rid of OSes that were deleted with their boot path. But you know what, not so on Vista; it uses a whole new system called bcdedit.exe, which I believe boot.ini doesn't even see or acknowledge. So to bring you up to speed, here's what happened:

I was on the release candidates with build 2600. I tried to install it to my 2nd spindled drive, a totally separate physical drive I labeled as F:. It wouldn't work; it would give the black screen of death with no blinking cursor, no nothing, just my monitor looking at me saying "I'm glowing amber on my LED, what are you going to do?". Obviously, install Norton Partition Magic and make room for it on the main drive.

So now I stretch out room on my C: for two more partitions. Another Primary I label G: and an extended volume I label as H:. Guess what Vista RC1 build 2600 works great! I get a dual boot option after the motherboard logo goes away and it will default to Vista but I can also choose Vista...... for about 2 weeks then the same pill looking icon Windows says to install for protection starts causing problems, I think the thing was PC Chillin or something like that. I uninstall it, RC1 kind of works but inevitably something is ... Read more

A:Dual Booting and the agony of Vista


A client brought in his laptop a few days back saying it wouldn't start up anymore. I took a look..

When turning on the laptop, I am presented with an HP login screen requesting a fingerprint or password. This password is known; we type it in and get a Windows error stating that the bootloader is corrupt.

I figured this would be easy enough - simply repair the bootloader. I booted off of the windows 8 disk and tried startup repair. Startup repair failed, because it could not access the drive the OS is installed on.

I decide to look up what the HP login screen post-bios is all about. It turns out HP Protect Tools was used to encrypt the partition the OS and my clients (important!) data is on. I later found out that messing with the bootloader on a drive encrypted with HP's software can mess things up further, so I'm glad in a way that the windows DVD repair options didn't function.

I searched online for ways to recover the data and found a way to perhaps rescue the files here:
ftp://ftp.hp.com/ftp1/pub/caps-softpaq/TCE&Q/
However, this method requires the backup encryption key (typically saved to USB) to work.

Now here comes the fun stuff. The guy this laptop belongs to was not aware that his drive was encrypted and didn't even know it was installed. His laptop was originally installed at his company's main office, so we turned there to get the key file required to unlock the files on the drive. They don't have the backup encryption key. Brilliant.

Oh, did I mention tha... Read more

A:Hp Protect tools plus corrupt bootloader = agony

Any settings in BIOS for this HP Protect Tools?
Would a Live Linux see the data? You can try Linux Mint MATE for this purpose.


Terribly annoying virus keeps popping up... here's my log

Logfile of HijackThis v1.99.1
Scan saved at 10:53:42 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\runservice.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hkcmd.exe... Read more

A:NTRootKit-J

You have a program located on your Desktop - webcam.exe.
Do you know what it is? If not, visit this website - http://virusscan.jotti.org
Submit the file for a comprehensive scan & then post the results back here.

C:\DOCUMENTS AND SETTINGS\MICHAEL.D472PG61\DESKTOP\Webcam.exe


Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


I have attached a file to this post - regdel.txt
Download it & rename it "regdel.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as regdel.reg.txt (double extensions)
Double-click on it & answer YES when prompted to merge into the Registry


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp.exe - Install.

rdrivRem.zip

Ewido Security Suite - Install Ewido Security Suite
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu

Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files. On the left hand side of the main screen click Update.
Then click on Start Update.... Read more


Hi Everyone,

I'd appreciate some help to remove a Trojan. Looking at some of the other threads it looks like I'm not the only one to experience this.

I'm running W2000 SP3. McAfee VirusScan keeps reporting a NTRootKit-H Trojan. It says it has been deleted but a restart is required. So I restart and it still reports the same trojan but in a DLL with a different name. If I look for the DLL, it's not there. This is what I've done so far:-

1. Downloaded NoAdware, run it and fixed everything
2. Downloaded Spybot, run it and fixed everything
3. Downloaded CWShredder, run it and fixed everything
4. Downloaded and installed SPywareblaster

Although NoAdware fixed everything the first time, 2 items keep coming back. Same with Spybot. CWShredder is clear now.

I downloaded hijackthis 1.99 but it kept crashing at O23. So I downloaded 1.98.2 and that's ok. I think this means that there must be another trojan on board but I don't know why McAfee doesn't find it. Here is the log from HJT:-

Logfile of HijackThis v1.98.2
Scan saved at 19:03:40, on 05/02/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Siemens\Common\Ace\bin\CCAgent.EXE
C:\WINNT\system32... Read more

A:NTRootKit-H

http://forums.techguy.org/t110854.html

Go here and get the Cool Web Search removal tool. It is at the bottom of the page.
Follow the instructions there. Do a scan, then post another log here please.
 


Hello,

I have NTRootKit-H on my computer and am having difficulty removing it.

I read a similar post which advised running CWShredder which I have done. I have also pasted my hijackthis log file below. Any advice would be greatly appreciated.

Many thanks

Mememe



Logfile of HijackThis v1.99.1
Scan saved at 15:37:20, on 27/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\WINDOWS\System32\CTSvcCDA.EXE
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
D:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
D:\Program Files\NetComm\NB2\dslstat.exe
D:\Program Files\NetComm\NB2\dslagent.exe
D:\Program Files\Network Associates\VirusScan\Webscan... Read more

A:NTRootKit-H

Hi mememe, Welcome to TSG!!

Go into NETWORK CONNECTIONS in control panel. Then right click on your default connection there and choose properties.
Then click on NETWORKING tab. Then click on INTERNET PROTOCOL. In the window that comes up, click on the obtain DNS SERVER ADDRESS automatically radio button.
That may not be available on some systems ^
Next Go to start>run and type cmd Press enter
On the black screen that comes up
type
ipconfig /flushdns
then press enter, type exit hit enter

Reboot your machine.

Download Adaware SE http://lavasoft.element5.com/software/adaware/

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window: Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Reboot and post another HJT log for review.
 


Hi everyone, I have gotten a NTRootKit-H trojan on my system. Below is the HijackThis log. My system is a Dell Dimension 4600, 2 hard drives (80GB and 200GB), Pentium 4, 2.6 GHz, 512 MB of RAM, Win XP. Any help would be greatly appreciated!! My McAfee keeps popping up and says "A Trojan Has Been Detected!" and my McAfee can't clean, delete or quarantine it even though I am updated. Thanx!

Roosty


Logfile of HijackThis v1.97.7
Scan saved at 9:30:59 AM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\PROGRA~1\McAfee.com\... Read more

A:NTRootKit-H


I have been infected by NTRootKit-H and keep getting hit again every time I'm back on the internet. I have McAfee firewall and virus scan which does catch it, but it leaves additions in my favorites links. Also get poker and nasty popups. I ran Spybot and HijackThis in safe mode but it's back. Here's my log file:

Logfile of HijackThis v1.99.0
Scan saved at 11:46:07 PM, on 2/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\about\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {7B017AFA-5D4E-43E3-A5E7-9AB9B8AC43EC} - C:\WINDOWS\System32\mshyh.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..... Read more

A:NTRooTkit-h


Well, I'm back oddly enough ..... with the same problem kinda .....
and my PC keeps restarting because of errors like "cannot find lsass.exe".

I tried the stuff in my last fix to get rid of NTR but it didn't work.
Well, here's my HJT log once again:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:07 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cobra.LINDA-QB2ZOVZIG\Desktop\HijackThis.exe

R0 - HK... Read more

A:NTRootKit again ... and some others


Hi, hope you can help me. My PC is infected with NTRootKit-J, or so McAfee is saying. I'm new to forums so I'm not sure who or how to post for any help.
Below is a log of my PC which HijackThis collated.
Logfile of HijackThis v1.99.1
Scan saved at 12:49:34 PM, on 12/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
d:\program files\mcafee.com\agent\mcdetect.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\Program Files\McAfee.com\VSO\mcvsshld.exe
D:\Program Files\McAfee.com\VSO\oasclnt.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Palm\AlarmApp.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Palm\HOTSYNC.EXE
D:\Program Files\Internet Explorer\iexplore.exe
c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
D:\Program Files\iTunes\iTunes.exe
D:\My Documents\HIJACK THIS\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READE... Read more

A:NTRootKit-J help

Welcome to TSG

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It gets too confusing trying to address two different people's problem in the same thread and you may get overlooked.

Please continue in this thread.
 


Somehow I have gotten this trojan... but how???
I've downloaded different removers but with weird results...

When I boot up my computer it's there, but after a while the pop-up goes away. BUT if I reboot again it's back... What's going on... is it gone?
I need help... is this thing going to ruin my computer or just be an annoyance?
 

A:ntrootkit j..is it gone??


Hi, my computer is infected with the NTRootKit-J virus and I would appreciate some help on how to fix it. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:57 PM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo... Read more

A:NTRootKit-J virus

Hi, welcome to TSG.
IMPORTANT! Move HijackThis from the Temp folder or from the Desktop to its own folder!

Make a new folder in C:\ and call it Hijack this, and save HijackThis to
this folder so that it runs properly and can make back-ups. Click scan,
then save the log and post it here so we can take a look at it for you.
Go to Add/Remove and uninstall WeatherBug and ShopatHomeSelect Agent and delete their folders from C:\program files.
You'll need to run LSPfix to repair Winsock.

http://cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
This is the dll in question: lsp.dll. Move it to the right-hand pane and hit "Finish".

Go to this site and download these tools, and once you get both
Ad-Aware and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk entries".
Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot.

Spybot: Search and destroy.

Delete what Spybot finds marked in red. After updating Spybot hit the
Immunize button.

Reboot again.
With CWShredder, close all browsers and programmes and select the FIX button.

Go here and download Microsoft AntiSpyware Beta. First, in the top menu click
File, then Check for updates to download the definition updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In t... Read more


I'm on Windows XP; I run McAfee Internet Security firewall and virus scanner. This is the first virus I've had in a long time (since I switched to McAfee from Norton). From what I understand the file has been blocked from using the internet. I am completely updated, and I've done a virus scan in safe mode. I just downloaded HijackThis and Killbox. McAfee sees the file, deletes it, and it just comes right back. ("The file c:\windows\system\rdriv.sys was infected by the NTRootKit-j trojan and has been deleted to complete the clean process.") I click continue with what I was doing and it pops right back up again. When I had the problem I messed around a little bit and found a new program called winfire.exe, with no idea of how this program came onto my computer. (It also shows in the HijackThis log.)

I am new at attempting to clean stuff like this; normally I would reformat, but having just done this two days ago... I really want to try this route.

Logfile of HijackThis v1.99.1
Scan saved at 12:46:39 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program ... Read more

A:rdriv.sys ntrootkit-j


Hi,
I really need help with fixing my computer... I was doing some browsing and now I have several pop-ups for strip poker and similar things that keep popping up. Also, my Internet Explorer seems weird... it keeps going to about:blank, and messages from Windows keep popping up telling me that my spyware protection is low and that I should 'click here' to get spyware products. I have also noticed that when I restart my computer, McAfee antivirus picks up a trojan (C:/windows/system32/hdih.dll is infected with NTRootKit-H) and it says that deleting the file has failed. Another thing is that when I open up Internet Explorer or Windows Media Player, the virus scan tells me that there is a buffer overflow detected as bo:heap and other bo: type things... As you can see, I'm completely computer illiterate, so I would much appreciate it if someone could help me fix this problem. Here is my log if it helps:

Logfile of HijackThis v1.99.0
Scan saved at 7:59:24 PM, on 27/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C... Read more

A:need help please!!! NTRootKit-H, bo:heap


Ok, I'm going to start from the beginning.

I play a game, an MMORPG... and I need an aimbot to win a war, because the enemy have their own.

I downloaded an aimbot... but it contained the trojan Trojan.NtRootKit.54.

How can I remove the trojan without getting rid of the files? Someone told me to use a hex editor but I have no clue what I am doing.

I need help. Thank you.
 

A:Trojan.NtRootKit.54


I posted this message on McAfee's site and received the reply below.
I will reply with the scan results afterwards.
Thanks
3D

I have scanned through various forums with removal instructions, and McAfee pops a continuous message that NTRootKit-J has been detected; I remove it and restart, same thing. I think this is an iTunes thing since every time I end task through Task Manager, iTunes keeps coming back. I tried deleting rdrive.sys; it won't let me.
Went into safe mode and scanned with HijackThis and it didn't find it.
Only shows up on normal boot-up.
I get continuous reports in Services that Windows Update has been disabled.
I have disabled the iTunes service in Services; it comes back.
Help!!
_________________
DeltaDawn

Register at this forum, then follow these steps and post the required log in that forum, not here.
_________________

Sweet..
ZEITGEIST

Thanks!
I have been scanning for over 24 hrs so....
I am hesitant to post the log for privacy issues, but I need to get this out of my computer.
Thanks for getting back to me so soon.
3D
_________________
DeltaDawn

A:NTRootKit-J, can't remove this

Incident Status Location

Adware:adware/savenow Not disinfected c:\program files\Save
Adware:adware/whenusearch Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9o7xc0jp.default\cookies.txt[.2o7.net/]
Spyware:Cookie/WebtrendsLi... Read more


Hello,

I've run AVG 8, spybot, etc. AVG does a good job of finding the file on startup and deleting it, but the backdoor.ntrootkit comes back on every restart as a different file name. Here are some examples so far:

C:\windows\system32\drivers\Wintb28.sys
Winov85.sys
Winqw17.sys
Wintb74.sys
etc...

This is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:21 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:... Read more

A:BackDoor.Ntrootkit

After going over some solved cases in the forums, I deleted some no name/missing file items that were determined to be malicious from the other posts. I haven't restarted yet though, so I'm not sure if I fixed the problem. Here is my log after I made the changes.

-----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:34 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C... Read more


Hello,

Please help!!!!

I posted this a few minutes ago and then changed my e-mail address. I think the thread was lost.

I have a virus that is detected by my AVG virus software at startup. It is called "Backdoor.Ntrootkit".

I've tried to delete it, put it into the vault, and I've used Haxfix to attempt to wipe it out.

Can someone please help??

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:33 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\AVG\avgrsx.exe
D:\PROGRA~1\AVG\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
D:\PROGRA~1\AVG\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Sony\VAIO Action Setup\VAS... Read more


Hello, I'm currently trying to clear out the above trojan without much luck. Sadly our ePolicy server went down, leaving the front door open for SDBot. SDBot was picked up and removed by McAfee, as was rdriv.sys, but this is not true as it is still on the system.

I'm not too clued up when it comes to AV/spyware. Looking at the log, I think svchost.exe is looking suspect; surely it shouldn't be "unknown owner"?

Any help would be well appreciated. Thanks,
Ryan

HJT Log (HJT Analyzer Used) Results.txt : -

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Servic... Read more

A:NTRootKit-J (rdriv.sys)

Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp.exe - Install.

rdrivRem.zip

Ewido Security Suite - Install Ewido Security Suite
When installing, under "Additional Options" uncheck:
- Install background guard
- Install scan via context menu

Double-click the icon on the Desktop to launch Ewido.
You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions befo... Read more


McAfee detects and cleans the file but it continues to loop the error message no matter how many times I ask it to close. I have been to McAfee's forums for help to no avail.
My specs: Windows XP SP2
1024 MB of RAM.
ANY help would be greatly appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 1:34:18 AM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTr... Read more

A:Need help removing NTRootKit-j

Hi and welcome to TSG,

Before we proceed, please move HijackThis out of the Temporary files and into a separate folder of its own in Program Files, so that it can function properly and create back-ups which can be restored if necessary, and then post a new log.
 


Hi, my computer is infected with the NTRootKit-J trojan and I can't seem to get rid of it. I tried using McAfee's virus scan, but it couldn't delete it either. The trojan has also disconnected me from the internet, so I am using a different computer in the household. I do have a HiJackThis log file... I appreciate any help that you can give me. Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:00 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.e... Read more

A:NTRootKit-J trojan


I've read other posts on this but I figured they would be useless 'cause my HijackThis log file would be way different than theirs... so here's mine.
There is most likely other crap going on but this one is really on my nerves... took me right out of a game and won't let me back in 'cause that little McAfee tab won't go away.

Logfile of HijackThis v1.99.1
Scan saved at 9:45:24 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\windows\system32\jvihpw.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\program files\valve\steam\steam.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Docume... Read more

A:Solved: NTRootKit-J help


McAfee VirusScan detects and cleans the NTRootKit-J Trojan every time I start my computer. Can you help me get rid of it permanently? I'm running Windows XP. Here's my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:15 AM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MUSICMATCH\MUSICM... Read more

A:HijackThis - NTRootKit-J

First, please do this:

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here. Then press the Browse button, navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select again. When all the files are listed in the window, press Send to upload the files. (Do not post HJT logs there, as they will not get dealt with.)

Files to submit:

C:\WINDOWS\NITEAIM.EXE

then

* Download the trial version of Ewido Security Suite here
http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.
* Click here for info on how to boot to safe mode if you don't already know how.
How to boot to safe mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.
* ... Read more


Hi,
Like some other posters, I have contracted NTRootKit-H and McAfee can't get rid of it. I switched from IE to Mozilla Firefox v1.0 to stop my home page from becoming about:blank, but I still get the occasional poker and adult pop-up ads, and McAfee periodically informs me it has cleaned a trojan and that I must restart. When I restart, McAfee again tells me NTRootKit-H is still there. I downloaded HijackThis and ran a scan, producing the following logfile. Any tech help would be greatly appreciated!

Logfile of HijackThis v1.99.0
Scan saved at 7:50:44 AM, on 2/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\gearsec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.e... Read more

A:Solved: NTRootKit-H HELP!


Anyone please help me with this.
I have McAfee installed but somehow NTRootkit-J got in.
Now McAfee is flashing a screen saying "removed";
when I press continue it comes back again.
What do I do?
Here is my HijackThis file.
Please help me!!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:29:14 PM, on 05/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~3\masalert.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\prog... Read more

A:Solved: NTRootkit-j trojan-pls help


Hi. Forgive my basic knowledge of viruses in advance. Yesterday my computer started acting totally crazy. Any time I click a link or try to open a window, the window freezes for up to 5 minutes before it finally loads. I use AVG, and for probably about 3 months now, every time I open IE, it detects the backdoor.ntrootkit.r thing and heals it, but it always pops back up whenever I open IE no matter what. Ran Spybot and Ad-Aware yesterday since I hadn't run them in a while, and they found like 200 things and cleaned them, but no help. I don't understand how, if these virus checkers heal the virus, they continue to come back. Anyhow, I downloaded HijackThis yesterday and ran a log. I am desperate and literally about to throw this computer out and get a new one due to frustration!! HELP!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:30 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\cc... Read more

A:Help - Malware & Trojan Ntrootkit.r

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
I apologize for the delay getting to your log, the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.


Hello everyone,

I am having issues with a trojan. VirusScan keeps detecting NTRootKit-J on c:\\WINDOWS\system32\rdriv.sys. Status says deleted, but the minute I hit continue, the box reappears immediately.

I don't know what to do. Can someone please help me? I'm running XP.

I have downloaded all the available tools and run them in safe mode. I am at a complete loss right now. I hope someone can help.

Thanks
[email protected]

Logfile of HijackThis v1.99.1
Scan saved at 11:05:29 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDO... Read more

A:Solved: NTRootKit-J Hijack Log
