Nasty Rootkit, no updates, no installs.

Q: Nasty Rootkit, no updates, no installs.

I have been running with PCs since CP/M, and have gotten away from many a blue screen...but this one is tough.
Usually I think I run a tight ship, with SafeXP but....

OS: WIN XP SP3 Prof.Ed.
Avast free
Disconnected from network.
Backed up, Console installed, Registry backed up.

Logs:
GMER works,
DDS does not, even DDS.htm or .scr. Even in Safe mode. Logs posted. "This tool does not support your Operating System" bogus error. HijackThis file supplied.


Symptoms:
Security logs initially were full of a svchost service accessing the internet on a disallowed high port number. Searched but nada. The trouble seemed to get nasty when IPv6 was added by a MS update. It seems the raccoons figured out how to make a tunnel under the Network Service, so that the network icon in the taskbar was not blinking when I was accessing the network. PC disconnected.

Novell Netware was spontaneously installed but I defeated this and removed IPv6.
It looked like the network was sent to a filtering site, and then to the address of interest.

RKill helped get the Network Service behavior back. Now it shows I am disconnected.

Symptoms:
Avast initially reported rootkit in locater.exe (replaced with clean copy but no effect).
Many boots have a dirty byte set so CHKDSK.exe runs on C drive.
RKill reports many fake error messages but does not find anything in the log when it finally runs. It did work though.

Clear selective blocking of executables .exe, .scr, .htm with fictitious MS error reports.
Registry filled with porn sites.-CCcleaned.

Inability to install programs/updates such as MSBSA, and the like. It gets to the end and then dies mysteriously.
Avast clean,
Malwarebytes, clean...but you know it isn't.
Superantispyware found junk.
Weird drive entries in the registry in the Current Control Set, with colon entries.

It smells of some sort of rootkit using a non-visible method of physical address of the hard drive sectors to hide its code.
I see a program IPv6to4 suggesting tunnels.


A: Nasty Rootkit, no updates, no installs.

OK, I read the instructions on Kaspersky TDSSKiller, downloaded latest:

Both the TDSS.exe versions came up blank on Alureon.

So this would seem to suggest the virus is not Alureon-related or a new version.

Still a lot of CHKDSK activity...wondering if this CHKDSK file could be corrupted?

RKill clearly shows hilarious bogus MS errors.

Bootkit?

N.

Read other 47 answers
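The OP's closing question is "Bootkit?", and the TDSS/Alureon family that TDSSKiller targets is the reason the question matters: its TDL4 generation overwrites the MBR and keeps its own hidden storage in unpartitioned sectors at the end of the disk, which is the kind of "physical sector" hiding the OP suspects. The following is an added example, not code from this thread and not TDSSKiller's logic: it reads a 512-byte MBR image, parses the partition table and reports the artifacts such an infection leaves. The disk size, baseline hash and both MBR images are constructed for the demo; the MBR should be dumped from boot media, because a live bootkit that hooks disk reads hands back a clean copy of sector 0.

```python
"""Offline sanity check of a 512-byte MBR image for MBR-bootkit artifacts.

Added example (not from the thread, not TDSSKiller). Checks the 55 AA boot
signature, the partition table (active count, empty-but-populated entries,
overlaps), unpartitioned space after the last partition, and the boot-code
hash against a known-good baseline. All sample data below is constructed.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG_OFF = 510         # last two bytes must be 55 AA
TAIL_THRESHOLD = 2048      # >1 MiB of raw sectors after the last partition (heuristic)


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> list:
    """Decode the 4 entries: status, CHS start (skipped), type, CHS end (skipped), LBA, count."""
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def inspect_mbr(mbr: bytes, disk_sectors: int, known_good_sha256: str) -> dict:
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    used = sorted((p for p in parts if p.type_id != 0), key=lambda p: p.lba_start)
    for p in parts:
        if p.type_id == 0 and (p.lba_start or p.sectors):
            findings.append(f"entry {p.index}: empty type but non-zero LBA/size")
    active = sum(p.bootable for p in parts)
    if active != 1:
        findings.append(f"{active} active entries (expected 1)")
    for prev, cur in zip(used, used[1:]):
        if cur.lba_start < prev.lba_end:
            findings.append(f"entries {prev.index} and {cur.index} overlap")
    last_end = max((p.lba_end for p in used), default=0)
    tail = disk_sectors - last_end
    if tail > TAIL_THRESHOLD:
        findings.append(f"{tail} unpartitioned sectors after the last partition")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != known_good_sha256:
        findings.append("boot code differs from the known-good baseline")
    return {"partitions": used, "tail_sectors": tail,
            "boot_code_sha256": code_hash, "findings": findings}


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a test MBR; entries are (status, type_id, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i, *entry)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed samples: a disk of made-up size with one NTFS partition starting at LBA 63.
DISK_SECTORS = 156_301_488
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]).ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63)])
CLEAN_HASH = hashlib.sha256(CLEAN_CODE).hexdigest()   # baseline taken from a trusted image

# "Suspect": boot code patched and the partition shortened so ~10 MiB of raw sectors hang off the end.
SUSPECT_CODE = bytes([0xEB, 0x3E, 0x90]).ljust(BOOT_CODE_LEN, b"\x00")
SUSPECT_MBR = build_mbr(SUSPECT_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 21_425)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        report = inspect_mbr(image, DISK_SECTORS, CLEAN_HASH)
        print(name, report["findings"] or "no findings")
```

The unpartitioned-tail rule is a lead, not a verdict: OEM images and partition alignment also leave slack at the end of a disk, so the number that matters is whether the tail grew since a known-good baseline. The boot-code hash is the decisive check, which is why the baseline has to come from trusted media rather than from the machine under suspicion.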

Hello! It seems that I have a "TDSS ROOTKIT" in my computer. My brother uses the infected computer most of the time, so, God knows where he got it from. I ran malwarebytes anti-malware, nod32 smart security, prevx, hitman pro, gmer, and tdsskiller. However, none of them seem to remove it. (Thanks In Advance) Here are my latest logs:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 12:52:37
Windows 5.1.2600 Service Pack 3
Running: gmerr.exe; Driver: C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\afddqaoc.sys

---- System - GMER 1.0.15 ----

SSDT 86D2F580 ZwAssignProcessToJobObject
SSDT 86D30100 ZwDebugActiveProcess
SSDT 86D2FB30 ZwDuplicateObject
SSDT 86D2ECC0 ZwOpenProcess
SSDT 86D2EFC0 ZwOpenThread
SSDT 86D2F9C0 ZwProtectVirtualMemory
SSDT 86D2F860 ZwSetContextThread
SSDT 86D2F6E0 ZwSetInformationThread
SSDT 86D2C700 ZwSetSecurityObject
SSDT 86D2F420 ZwSuspendProcess
SSDT 86D2F2C0 ZwSuspendThread
SSDT 86D2EE50 ZwTerminateProcess
SSDT 86D2F150 ZwTerminateThread
SSDT 86D2FF50 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice ... Read more

A:NASTY TDSS ROOTKIT! (REALLY NASTY BUGGER) HELP!

TDSS is evolving fast at the moment and some tools are lagging behind it. Please run Combofix.

Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware, GeeksToGo

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to c... Read more

Read other 2 answers
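The GMER log posted in this thread is the usual starting point for a rootkit triage, and the first thing a helper does with it is sort the hooks GMER could attribute to a named module (the ESET filter drivers above) from the ones it could not (the bare SSDT entries). The following is an added example, not GMER's code and not from the thread: a parser for GMER's text sections that applies that sort. SAMPLE_LOG is constructed: the ESET and SSDT lines are modelled on the log above, while the avast! SSDT line, the driver under the Windows Temp directory, the svchost.exe inline hook and the disk-sector line are invented so each rule has something to fire on.

```python
"""Triage a GMER text log: attributed vs. unattributed hooks, plus obvious red flags.

Added example, not GMER's code and not from the thread. Walks the System (SSDT),
Devices, User code sections and Disk sectors blocks of a GMER log. SAMPLE_LOG is
constructed (see the lead-in for which lines are invented).
"""
import re

SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 12:52:37
Windows 5.1.2600 Service Pack 3
Running: gmerr.exe; Driver: C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\afddqaoc.sys

---- System - GMER 1.0.15 ----

SSDT 86D2ECC0 ZwOpenProcess
SSDT 86D2EE50 ZwTerminateProcess
SSDT 86D2FF50 ZwWriteVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF3A6D1F8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp C:\WINDOWS\Temp\xqlpw.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1796] ntdll.dll!LdrLoadDll 7735EB00 5 Bytes JMP 6D8D64D0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\svchost.exe[1044] ws2_32.dll!send 71A94C27 5 Bytes JMP 00A10ED0

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""

SECTION = re.compile(r"^---- (.+?) - GMER")
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
SSDT_ATTR = re.compile(r"^SSDT\s+(\S+)\s+\(([^)]*)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]\s*$")
DEVICE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\(([^)]*)\))?\s*$")
INLINE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)\s+[0-9A-Fa-f]{8}\s+\d+\s+Bytes\s+JMP\s+([0-9A-Fa-f]{8})"
    r"(?:\s+(.+?)(?:\s+\(([^)]*)\))?)?\s*$")
# Directories a legitimate filter driver or hook DLL has no business living in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\appdata\\", "\\recycler\\")


def vendor_of(desc: str) -> str:
    """GMER prints 'description/Vendor' inside the parentheses; keep the vendor part."""
    return desc.rsplit("/", 1)[-1].strip()


def in_suspicious_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def triage_gmer(log: str) -> dict:
    out = {"ssdt_total": 0, "ssdt_unattributed": [], "vendors": set(), "flagged": []}
    section = None
    for line in log.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
            continue
        if not line or section is None:
            continue
        if section == "System":
            if m := SSDT_ATTR.match(line):
                out["ssdt_total"] += 1
                out["vendors"].add(vendor_of(m.group(2)))
            elif m := SSDT_BARE.match(line):
                out["ssdt_total"] += 1
                out["ssdt_unattributed"].append((m.group(2), m.group(1)))   # (function, address)
        elif section == "Devices" and (m := DEVICE.match(line)):
            driver, desc = m.group(3), m.group(4)
            reasons = []
            if desc:
                out["vendors"].add(vendor_of(desc))
            else:
                reasons.append("no module attribution")
            if in_suspicious_dir(driver):
                reasons.append("loaded from a temp/profile directory")
            if reasons:
                out["flagged"].append(f"device filter {driver} on {m.group(2)}: {'; '.join(reasons)}")
        elif section == "User code sections" and (m := INLINE.match(line)):
            proc, pid, func, jmp, target, desc = m.groups()
            if desc:
                out["vendors"].add(vendor_of(desc))
            if target is None:   # JMP into memory no module owns: injected code
                out["flagged"].append(f"{proc}[{pid}] {func} JMPs to {jmp} with no backing module")
            elif in_suspicious_dir(target):
                out["flagged"].append(f"{proc}[{pid}] {func} hooked by {target}")
        elif section == "Disk sectors" and "rootkit" in line.lower():
            out["flagged"].append(line)
    if out["ssdt_unattributed"]:
        funcs = ", ".join(f for f, _ in out["ssdt_unattributed"])
        out["flagged"].append(f"{len(out['ssdt_unattributed'])} SSDT hooks with no module: {funcs}")
    return out


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_LOG)
    print(f"SSDT hooks: {result['ssdt_total']} ({len(result['ssdt_unattributed'])} unattributed)")
    print("vendors seen:", ", ".join(sorted(result["vendors"])))
    for item in result["flagged"]:
        print("FLAG:", item)
```

The unattributed-SSDT bucket is a lead to reconcile, not a verdict: the functions hooked in the thread's own log (ZwOpenProcess, ZwTerminateProcess, ZwWriteVirtualMemory and friends) are the self-protection set that security products install, and the machine in question runs ESET. The Temp-directory rule is deliberately applied only to filter drivers and inline-hook targets, since GMER's own scan driver (the "Running:" line) legitimately lives in Temp.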

I have a new T470p (type 20J6) with Windows 10 Enterprise x64 Build 16296 and System Update v5.07.0065. When I run System Update I am shown 11 optional updates. I select all these updates, click 'Next >' then 'Download'. The packages are downloaded and installed (9 successful, 2 could not be installed) then I reboot the laptop. If I then run System Update again I am offered exactly the same 11 optional updates. I've been through the entire process 5 or 6 times now. How can I 'reset' System Update so it doesn't keep offering me the same updates which it says have been successfully installed? UPDATE: If I install and use the 'Lenovo Companion' app and select 'System Update' from there I am told 'No updates are available. Your system is up to date'.

Read other answers

I play this game called knightonline and through one of its recent patches it changed the way the game loads into memory. It basically hides the process in the "windows task manager" under the processes tab. Come to find out, it basically installs a rootkit at the launch of the game.

This program uses a lot of CPU time (50% on a core duo and 100% on single processor PCs) and I have program called BES limiter (limits the CPU). Since the program disappears in the task manager, BES cannot hook onto it.

Anyone have any suggestions?
 

A:Game Installs a rootkit?

Read other 6 answers

From Slashdot here.

"Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"

Follow the link above to another link for more info about the rootkit and how to remove it.

-- Tom
 

A:BioShock Installs a Rootkit

Read other 8 answers

http://www.bleepingcomputer.com/forums/topic405604.html

78 views and no reply. thanx in advance for any help you can give me.

A:no installs or updates

Since you are already receiving help here, please continue in that thread. Do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Further, it necessitates staff spending time with housecleaning to remove those duplicate postings...time which could have been provided to others needing assistance.

Thanks for your cooperation. This thread is closed. If you have any questions, please PM me or another Moderator.

Read other 1 answers

my pc wont let me install any anti virus programs. i have a legitimate copy of Windows Vista Home Premium and it wont let me install microsoft essentials or mcafee. i am currently unprotected and windows defender or windows itself will not update. i am also being prevented from removing certain programs. HELP!!!!!!!!!!!!!!! THANK YOU IN ADVANCE.

A:no installs or updates

Hello, and welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?" you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program; if you want to accept it you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program bef... Read more

Read other 1 answers

Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit detected as TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar...

blog.trendmicro.com (includes screenshots)

Read other answers

[Attachment: hijackthis.log, 5.71KB]

i have vista 32bit and comodo int. security detected rootkit [email protected] over 5,000 bad files. Gmer shut down when i ran it so i renamed it and it worked now when i was about to post logs i got BSOD. Need help fast if possible. I run up to date security and antivirus so i am stumped. . help!!

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-15 19:30:46
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 HTS541080G9SA00 rev.MB4OC60R
Running: iexplore.exe; Driver: C:\Users\ASSMAN\AppData\Local\Temp\uxlyqpoc.sys
---- User code sections - GMER 1.0.15 ----

.text C:\Windows.old\Program Files\Mozilla Firefox4\firefox.exe[1796] ntdll.dll!LdrLoadDll 7735EB00 5 Bytes JMP 6D8D64D0 C:\Windows.old\Program Files\Mozilla Firefox4\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp ... Read more

A:Nasty Rootkit HELP

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

Read other 5 answers

looks like TDSSkiller may have fixed it. Thank you

Read other answers

Hi everyone,
Looking for some help on this XP machine w/service pack 2. I've been battling this for a week now and just can't seem to get rid of it. My daughter launched an older browser I have on this machine and was searching for photos for school and WHAM.

Initial problems were the machine would run chkdsk after every boot up and eventually gave a blue screen with a system volume issue. After researching that, and putting in my OEM windows disk from Dell, I was able to run chkdsk /r and get into safe mode. I was also receiving all sorts of popup errors - false ones, from the virus, but have been able to stop those for now. Along with that, all icons were gone from the desktop, but they are now back from some of the success I've had in the last week. Tools I've run and in no particular order trying to get rid of this are Combofix, Malwarebytes, SuperAntispyware, Rootkitbuster. None would allow me to update them to the newest definitions, but did find and supposedly get rid of some stuff. After numerous attempts, the virus has now cut off my internet and for the life of me I can't find the fix to it. I have been running programs from a flash drive from a clean computer so I can download and run some programs. Just ran RKUnhooker and it found a ton of stuff, but I'm uneasy running that without instruction.

I have attached the latest combofix log file I just ran. Any help would be appreciated! I have tried to run tdsskiller but it won... Read more

A:I've got a nasty rootkit

Since you have run Combofix please follow the instructions in ==>This Guide<==.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Once you have created the new topic, please reply back here with a link to the new topic.
Post any logs that you want analyzed such as your RKUnhooker.

Read other 3 answers

I am fixing a computer for a friend, he told me it was slow so I scanned it with malwarebytes and it had over 200 infections. I removed all of the infections then scanned again but this time it found nothing. The computer is working fine and not as slow as before, but when I open programs the graphics are messed up, a symptom of a virus or something. Any help would be appreciated, Thank you in advance.

A:NASTY ROOTKIT!

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

Read other 4 answers

Good evening,

A few weeks back, I was encountering issues in which I was being redirected from websites (using Google search) to an address containing the following URL:

http:///z43523673.cn (Thankfully I am using NoScript on Firefox!)

I updated Malwarebytes' Antimalware, and ran a full system scan. I found three Rootkit.TDSS programs and a Worm.Agent. Not fun. I thought the worst was over, but I was wrong.

Recently, I have begun encountering the very same problem again. I am being redirected, occasionally, to the same URL, but I am now completely unable to boot into safe mode. I update Malwarebytes' Antimalware at least three times daily, but I am still unable to find anything during a full system scan. Also, my browser is beginning to crash unexpectedly.

Is there any insight into what I should do?
D:

I am using Microsoft XP Professional Service Pack 3.

A:Possible (VERY NASTY) Rootkit?

Anyone?

Read other 2 answers

I am running XP sp3 and my computer is infected with a nasty rootkit. I have tried everything I can think of. I ran super antispyware and nothing. Combofix 3 times, this did kill the rootkit however many viruses are left behind and I can not shake them. I know one is scandisk.dll. I tried to kill with hjt and got an error message that told me to email hjt. AVG will scan and pick up around 25 viruses and clean them but they all return. I am pretty computer literate but this one is over my head. Thanks in advance to anyone who can help me.

A:Help with nasty rootkit

Hello and welcome. Please run these next. If you have Spybot installed temporarily disable it. Please note the blue text at the top of this forum about ComboFix.

Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All. Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All. Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the install... Read more

Read other 7 answers

Moms comp got infected and left on for days connected to net *facepalm*

CANNOT UPDATE or INSTALL most virus removal programs. MBAM has definitions from 01/11 any attempts to update will not work. AntiVir will not install. Spybot works but does not help much (disabled TeaTimer). COMBOFIX will not run either.

ALL LOG FILES ADDED TO ATTACHMENTS, SEE BELOW

A Kaspersky scan showed up with win32.ruskill.bv , win32.vbkrypt.datl , trojan.win32.generic

PLease HELP. THANKS!

--------------------
UPDATE: This is a very important computer so I am still working on it. I have thus far gotten MBAM to update and am currently running scans. I also am using SUPERantispyware to remove trojan.agent/gen-exploit and Rogue.antimalwaredoctor. I also have used a removal tool for vbkrypt which removed Bagel.O.Worm

UPDATE: Running AntiVir, detected Alureon rootkit. scan still running...

A:Nasty Rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

Read other 3 answers

Some sort or Trojan/Virus Infection

I am fixing a computer for a friend, he told me it was slow so I scanned it with malwarebytes and it had over 200 infections. I removed all of the infections then scanned again but this time it found nothing. The computer is working fine and not as slow as before, but when I open programs the graphics are messed up, a symptom of a virus or something. Any help would be appreciated, Thank you in advance.


OTL logfile created on: 2/3/2011 11:31:09 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\skater boy\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 113.00 Mb Available Physical Memory | 22.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 35.15 Gb Free Space | 47.18% Space Free | Partition Type: NTFS
Drive F: | 7.75 Gb Total Space | 7.22 Gb Free Space | 93.15% Space Free | Partition Type: FAT32

Computer Name: NEC-E750A3827B0 | User Name: skater boy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whit... Read more

A:Nasty Rootkit!

Anyone?
===========
Hello. While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT T... Read more

Read other 4 answers

Hello everyone! I have an awful rootkit problem. I've run numerous virus scans. Either the rootkit would not allow it to download, or the app would download, but during the updates, it would have an error message appear. Even when I'm successful with downloading & updating, it detects very little or nothing. I tried the latest Hiren's BootCD using SuperAntiSpyware version 4.41.1000. I know as of 9/15/10, there is a new version 4.43.1000 that's available. I scanned the computer with it, and it found 11 items.

Rootkit Unclassified/USB Hub B [8 items]
Registry Keys:
HKLM\SYSTEM\CurrentControl\Services\usbhubb
HKLM\SYSTEM\CurrentControl\Services\usbhubb#DisplayName
HKLM\SYSTEM\CurrentControl\Services\usbhubb#ErrorControl
HKLM\SYSTEM\CurrentControl\Services\usbhubb#Group
HKLM\SYSTEM\CurrentControl\Services\usbhubb#ImagePath
HKLM\SYSTEM\CurrentControl\Services\usbhubb#Start
HKLM\SYSTEM\CurrentControl\Services\usbhubb#Tag
HKLM\SYSTEM\CurrentControl\Services\usbhubb#Type

Security HiJack [Image File Execution Options] [2 items]
Registry Keys:
HKLM\Software\Microsoft\WindowsNT\Current Version\ImageFileExecutionOptions\TASKMGR.EXE
HKLM\Software\Microsoft\WindowsNT... Read more

A:Nasty Rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message w... Read more

Read other 3 answers
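The SUPERAntiSpyware hits in this post are the two registry locations a helper checks by hand on an XP-era infection: a service/driver key nobody can account for (usbhubb) and an Image File Execution Options entry for taskmgr.exe. An IFEO "Debugger" value makes Windows launch whatever that value names in place of the named executable, which is one common way a rogue makes Task Manager or a security tool "fail" with a fake error, the symptom the first thread on this page describes. The following is an added example, not from the thread and not SUPERAntiSpyware's logic: it parses a regedit export and flags both patterns. SAMPLE_EXPORT and BASELINE_SERVICES are constructed for the demo; the invented xqlpw service exists only to exercise the temp-directory rule, and a real baseline is the Services key exported from a known-clean machine of the same Windows build.

```python
"""Triage a regedit .reg export for IFEO Debugger hijacks and unexplained auto-start services.

Added example, not from the thread. Handles REG_SZ, REG_DWORD and UTF-16 hex(2)
values, including hex values wrapped across lines with a trailing backslash.
SAMPLE_EXPORT and BASELINE_SERVICES are constructed for the demo.
"""
import re

IFEO_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
PROFILE_DIRS = ("\\temp\\", "\\local settings\\", "\\appdata\\", "\\recycler\\")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_VALUE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$", re.I)


def decode_value(raw: str):
    """Turn one exported value into str (REG_SZ/EXPAND_SZ), int (DWORD) or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])       # undo regedit's \\ and \" escaping
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if m := HEX_VALUE.match(raw):
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                    # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for a regedit export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)           # re-join hex values wrapped across lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if m := KEY_LINE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = decode_value(m.group(2))
    return keys


def triage_registry(keys: dict, baseline_services: set) -> list:
    findings = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO_KEY.lower()):
            image = path[len(IFEO_KEY):]
            if values.get("Debugger"):
                findings.append(f"IFEO hijack: {image} launches {values['Debugger']} instead of itself")
        elif path.lower().startswith(SERVICES_KEY.lower()):
            name = path[len(SERVICES_KEY):]
            if "\\" in name:                             # Parameters/Enum subkeys, not a service
                continue
            image = str(values.get("ImagePath", "")).lower().replace("\\??\\", "")
            if any(d in image for d in PROFILE_DIRS):
                findings.append(f"service {name}: ImagePath in a temp/profile directory ({values['ImagePath']})")
            if values.get("Start") in (0, 1, 2) and name.lower() not in baseline_services:
                findings.append(f"service {name}: boot/system/auto start but absent from the clean baseline")
    return findings


def _hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2):, UTF-16LE, wrapped lines."""
    pairs = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    chunks = [",".join(pairs[i:i + 24]) for i in range(0, len(pairs), 24)]
    return "hex(2):" + ",\\\r\n  ".join(chunks)


# Constructed export: one IFEO hijack, the usbhubb driver from the post, an invented
# driver under Temp, and a legitimate TCP/IP stack entry that must not be flagged.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + IFEO_KEY + "taskmgr.exe]",
    '"Debugger"="C:\\\\WINDOWS\\\\Temp\\\\svch0st.exe"',
    "",
    "[" + SERVICES_KEY + "usbhubb]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000001',
    '"ImagePath"="\\\\??\\\\C:\\\\WINDOWS\\\\system32\\\\drivers\\\\usbhubb.sys"',
    '"DisplayName"="USB Hub B"',
    "",
    "[" + SERVICES_KEY + "xqlpw]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000002',
    '"ImagePath"=' + _hex2("\\??\\C:\\WINDOWS\\Temp\\xqlpw.sys"),
    "",
    "[" + SERVICES_KEY + "Tcpip]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000001',
    '"ImagePath"="system32\\\\DRIVERS\\\\tcpip.sys"',
    '"DisplayName"="TCP/IP Protocol Driver"',
    "",
    "[" + SERVICES_KEY + "Tcpip\\Parameters]",
    '"EnableSecurityFilters"=dword:00000000',
])
BASELINE_SERVICES = {"tcpip", "ntfs", "disk", "atapi", "mountmgr", "ksecdd"}   # toy baseline

if __name__ == "__main__":
    for finding in triage_registry(parse_reg(SAMPLE_EXPORT), BASELINE_SERVICES):
        print(finding)
```

Take the export from a known-good environment (offline registry hives loaded from boot media, or the hive files copied out) when a kernel rootkit is suspected: a rootkit that filters registry enumeration will simply hide its own service key from a regedit run on the live system, which is also why the baseline diff matters more than any single pattern rule.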

Shortly after 3 am today, I noticed my Win 7 SP1 computer was about to automatically restart in order to complete installing updates. Before I could abort this, the computer restarted. And I immediately noticed that wretched Icon to "Get Windows 10" in my notification tray, with no way to remove or disable it.
When I checked my view updates history in Control Panel>Windows update, I saw that no less than 39 "Recommended" updates had been installed on May 31 - some issued as far back as 2012. Not one of them applied to issues on my system (the ones fixing problems with Lithuanian and Russian currency spring to mind as examples). In short, they all looked like updates I had hidden.
I checked my Windows Update settings, and Automatic Updates was still disabled. I went to Windows Update, and my "Hidden Updates" folder was empty. Well, at least I knew the what and where, if not the how and why, of what had happened.
Well, it was easy enough to uninstall the update that put the "Get Windows 10" icon in my tray - I just uninstalled the KB3035583 update from Control Panel in the usual way. Only took 3-4 minutes, including a system restart. Great - one uninstalled useless update down, only 36 to go. That should only take 2-3 hours.
But KB2600217 and KB2901983 were .NET Framework updates I had hidden back in 2015. And when I check Windows Update, it is now offering me no less than 12  Important .NET security updates that have been issued ... Read more

A:Windows installs hidden updates

Did you install the recent Win 7 SP1 KB3125574 convenience rollup? Maybe they got installed via that rollup??  Or did they get automatically installed because you didn't install the roll-up?
I have Win 7Pro+SP1 (32-bit) and I've only been offered MSE updates in past few days...
Make sure you specifically cancel the upgrade to Win 10 by clicking the link in the upgrade box to Change or Cancel... Just clicking the red X to close the box does not cancel the update. Clicking that X means you accept the upgrade and it will happen without further warning.
MS has been getting way too pushy and doing things without permission recently and that needs to STOP!

Read other 1 answers

Hi all,

On more than 1 occasion I have been offered an update immediately after I had successfully installed it (as confirmed in update history). I would venture to say that in about 50% of the times the update is no longer offered a second time after I reboot (whether or not instructed to by Vista). However, that still leaves me with plenty of occasions where I have to install the same update 2 or 3 times to be sure "it took" and the fact that this happens at all lol

Thanks in advance for your help!

A:Updates keep getting offered after successful installs

Hello Viviand,

Welcome to the Vista Forums.

Next time that happens, instead of downloading and installing the updates again, try clicking on the check for updates button on the left of WU. See if this updates WU or still finds that you need the updates.

Gary

Read other 2 answers

When I get ready to shut down it gives me the option to install updates everytime I get ready to click the shut down but and it didn't do this before.

I have a screen shot of what happens when I get ready to shut down...It's always on update 1 of 1. I thought it would eventually finish updating, but it must be a glitch or something. It's been going on for about a week. Help please, thanks in advance.

A:My computer installs updates 1 of 1 when I shut down.

Welcome Caramelfyneqt.

It would be helpful if you knew what update this is trying to install? Perhaps going to Windows Update on your computer and try to find out what update it is trying to install?

That said, perhaps this will fix your problem :- How do I reset Windows Update components?

Read other 11 answers
RELEVANCY SCORE 52

See attachment. Has anyone else had trouble installing this update? I just ran a Windows validator on Windows 7 (legitcheck.hta) which said it was valid software (duh), and I have been able to install other updates and patches, except this one, which has to do with:

Security Update for Microsoft Visual C++ 2008 Redistributable Package (KB973924)

I have it downloaded, but each time I try to install it, it fails. Is there a reason for this?

A:Windows Update installs all updates but this one.. Why?

Quote: Originally Posted by djpurity

See attachment. Has anyone else had trouble installing this update? I just ran a Windows validator on Windows 7 (legitcheck.hta) which said it was valid software (duh), and I have been able to install other updates and patches, except this one, which has to do with:

Security Update for Microsoft Visual C++ 2008 Redistributable Package (KB973924)

I have it downloaded, but each time I try to install it, it fails. Is there a reason for this?


Hi and welcome

What error message are you getting on fail?

If no message you can go into event viewer (type eventvwr in search) go to the windows logs>applications tab, and systems tab. Look for updates and see what event ID and "source" are listed and let us know what they are.

Kenn J++

Read other 3 answers
RELEVANCY SCORE 52

Hello; I hope anyone could help me with this error:
E: Sub-process /usr/bin/dpkg returned an error code (100)

That's all I get every time I try to install or upgrade. This started when I did an upgrade on my Ubuntu box; now I don't even have sound, and I can't update or install anything without getting this:

E: Sub-process /usr/bin/dpkg returned an error code (100)

HELP PLEASE

Read other answers
RELEVANCY SCORE 51.6

I have been informed by Budapest that I have a "Nasty Rootkit infection". As instructed by Budapest, I am posting a new thread here with the required info and attachments in the hopes of eliminating this problem.

This is a redirect that happens in my browser. It forces my browser to minimize if I close the redirect link, not allowing me to restore the window, and with a window that appears asking you if you are sure, with a message that says "Sure to leave?" In order to get it to go away I would have to use Task Manager. Usually after killing the browser and/or using the computer for x amount of time, a Generic Win32 process fails; after this happens my computer pretty much becomes unusable and I have to shut it off manually instead of through Windows. But this Generic Win32 process doesn't fail when I am in safe mode.

Additional issues and items of note:
1) There is a Generic Win32 process that has a habit of failing in normal mode, making the computer inoperable, then forcing me to shut off the computer via the power button. I'm not sure if it's because of me uninstalling a program I thought was not needed (which I hope can be remedied via Recovery Console) or if this rootkit infection is the cause. Here is the error info.

Error Signature
szAppName: scvhost.exe szAppVer: 5.1.2600.5512
szModName: Flash10d.ocx szModVer: 10.0.42.34 offset: 000e6f80

Error Report Contents
C:DOCUMENTS~1\HP_ADM~1\LOCALS~1\Temp\WER26a7.dir00\svchost.exe.mdmp
C:DOCUMENTS~... Read more

A:Nasty Rootkit Infection

Greetings Densuo and Welcome to the Forums,...it looks like you already ran Combofix too. Can you post THAT log please? Thanks!

Edit added:
You do appear to have the latest TDSS variant. You should delete the copy of combofix you may have on your desktop and follow these instructions to properly run the program:

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED. If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:
The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix... Read more

Read other 23 answers
RELEVANCY SCORE 51.6

Hello - I spent most of Friday trying to get rid of a rootkit virus, and thought it was gone. But this morning my computer will not boot - the Windows logo comes up, but then there is just an endless black screen and the hard drive purrs away - but I can't see anything.

I used ComboFix to remove the virus Friday after GMER said the iastor.dll driver was infected. It was keeping browser redirects anytime I clicked on a google search result about the TDSSKiller.

So here is my current log from GMER - hopefully someone can point me in the right direction. This is after booting using the Windows 7 install disk (which shows up as drive X:) and running gmer off a usb drive (G:)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 13:40:02
Windows 6.1.7600 Running: zerby.exe; Driver: X:\windows\TEMP\kgliqkod.sys

---- System - GMER 1.0.15 ----

INT 0x51 ? 90003058
INT 0x92 ? 90003CD8
INT 0xB0 ? 90037A58
INT 0xB2 ? 90003558

---- Devices - GMER 1.0.15 ----

Device ... Read more

A:Help with nasty Rootkit virus

Finally got to boot in safe mode after using the windows 7 install disk to do a repair.Here is the new gmer log

Read other 3 answers
RELEVANCY SCORE 51.6

So my computer is always getting the BSOD, from atapi.sys to mbr.sys and other messages. I tried running gmer but the computer would crash when it initializes a scan. Most of the time when I start up, my CPU stays at 100% and it takes forever before I have a chance to do anything.

Here is a HJT scan. Again, please recall that if I am asked to run combofix in safe mode or gmer in normal mode, it crashes, and for some reason gmer won't run in safe mode. Also, I am aware that I don't have an anti virus on my system, but that is due to the fact that I removed AVG last week as I thought that was a symptom; now I can't even initialize a program as it crashes when I make an attempt.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:26 AM, on 10/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Mic... Read more

A:Possible rootkit? Nasty stuff

Read other 9 answers
RELEVANCY SCORE 51.6

Hi guys, been working with a church couple on a very nasty infection they have. So far every antivirus/antispyware software I've thrown at it has only discovered various symptom files produced by it (with various viral names) and removing those only has them recreated.

The primary symptoms are that any search engine searches will be redirected to a variety of sites. Browser (IE8/FF5.0) makes no difference, and it affects pretty much any search engine. The actual search is ok, but when clicking any result from the search listed it will redirect. Always it will start off showing an attempt to connect to 100ksearches.com, then proceed to connect to any random page from what seems to be a limited list.

Of all the antivirus scans that I've done, only a couple actually reveal anything, but again these are only symptom files and are quickly reproduced after cleanup. The one that seems to come up most often is from MSE, which reveals Backdoor:Win32/Smadow and the occasional Exploit:HTML/IFrameRef.Z. The file details for each are as follows:

Win32/Smadow
file:C:\Windows\assembly\GAC_32\Desktop.ini

Exploit:HTML/IFrameRef.Z
file:C:\Users\Muhr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01RXQL7E\08_10daysearches_com[1].htm
file:C:\Users\Muhr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TJW24O7\08_10daysearches_com[1].htm
file:C:\Users\Muhr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77QFT7AJ\08_1... Read more

A:Nasty Backdoor (Possible rootkit)

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is do... Read more

Read other 2 answers
RELEVANCY SCORE 51.6

Alright, I was told to post a srenglog after here from this post http://www.bleepingcomputer.com/forums/t/255814/help/

It's like a win32k rootkit. My log is in the attachments. Thanks for helping.

EDIT: I think this is the rootkit I have

A:Nasty rootkit need help win32k

Please save this file to your Desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Read other 23 answers
RELEVANCY SCORE 51.6

I am running Windows 7, I have tried everything to get rid of this rootkit but it keeps coming back.  Rootrepeal keeps saying it does not support 64bit.  Can anyone help me please?  Thank you.

A:Nasty Rootkit will not leave

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to t... Read more

Read other 1 answers
RELEVANCY SCORE 51.6

Referred from here: http://www.bleepingcomputer.com/forums/topic362826.html ~ OB

Dear Bleeping Computer people,
My partner's laptop (MS Windows Home Basic 32 bit SP2, Intel Celeron M CPU 530 @ 1.73 GHz, 1.0 GB RAM) is infected with a serious rootkit. It stops you from downloading all anti-virus/scanners. If I do get them to load they all fail to scan; most just stop with the error message: Windows cannot access specified device path or file. Group moderator boopme has been helping me but he says I need stronger tools and different assistance. I couldn't get GMER to run and my DDS log is incomplete as the first scan failed to finish, so I did another one and stopped it just before the point it stopped previously. I saved that thinking something is better than nothing! Any help is greatly appreciated. Many thanks, kadzo

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-26 11:02:55
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHY2080BH rev.890B
Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 ... Read more

A:infected with seriously nasty rootkit!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the ... Read more

Read other 66 answers
RELEVANCY SCORE 51.6

Hi,

I am new to "bleeping" and am extremely grateful for any help anyone can offer me! I think I must have a nasty virus/trojan/rootkit or something of that sort. I am running Vista Ultimate 32 bit. I can basically only get into my computer through safe mode as of last Friday. My computer started to feel a bit sluggish a few days before this, but now will barely load in "standard" mode, and I can only see my desktop when it does. In safe mode, I am getting redirects in my web browser (among other funky things). I tried to run AVG and other antivirus programs, but they shut down when I try to run them. I was able to run Kaspersky Online Scanner for a bit (before it too shut down) and it minimally found Packed.Win32.TDSS.z.

I just followed the Preparation Guide, and I tried to run DDS and RootRepeal, but both of these shut down when I try to run them.

What should I do next?

Thanks for your help!!

Edited to add: When I install RootRepeal, I get the following error:
FOPS - DeviceIoControl Error! Error Code = 0xc0000024
Extended Info (0x00000130)

Edited (again) to add: I was able to run Kaspersky Online Scanner last night (yay, something finally worked!), and I am attaching the report here.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 22, 2009
Operating system: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
K... Read more

A:I think I have a nasty rootkit... can't run rootrepeal or dds

Right-click on rootrepeal.exe and rename it to tatertot.scr
Also just select Drivers when scanning
Lastly, you can Click Settings - Options. Set the Disk Access slider to High
Post back with the results

Read other 7 answers
RELEVANCY SCORE 51.6

Have had help in other forums on bc, on scanning with mbam, atf cleaner and sas. It showed I had Vundo, Alureon WD and the dreaded tdss, which is why I have been referred here. I had tdss before and am wondering if we didn't get it all before (removed manually using ubuntu/linux with a sophos tech) or I'm just plain unlucky and have it again.
All scans come back that everything has been quarantined and deleted successfully, although the mbam found files are still in its quarantine folder. I also ran a sophos linux/tdss detect and fix disc and that also came back clear.
I have now run the DDS scan as it says at the top of this forum I should do...and have included the DDS.txt below, and would now be OOOOBER grateful for any help in trying to kick this out the backdoor it came in !!!

Many thanx in advance

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 13:43:03.81 on 12/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.135 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\... Read more

A:Tdss nasty rootkit

please please please can someone advise me what to do next ...my daughter has her final A2 IT exam in a couple weeks and needs to take the work on our pc into school...which I can't allow until I'm clean.....and since last post I ran dr.web in safe mode and it deleted 2 killapp ...TERRIFIC ...thanx in advance

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use ano... Read more

Read other 26 answers
RELEVANCY SCORE 51.6

I'm not sure if you need to see what transpired before I moved to this forum, but if you do, here it is: http://www.bleepingcomputer.com/forums/t/259143/total-security-at-least-thats-how-it-started/

Here's the part where Garmanma said: Win32.TDSS.dt = a pretty nasty rootkit

So here's the back story:
Let me start by saying Thank you all for being here. This "HP Pavilion Entertainment PC" laptop came to me as a gift back in the spring. It was completely reformatted by a dear friend's geek-mother and reset to factory specs. Except for a small bit of physical damage, it is absolutely perfect.

Last month my 13 year old son clicked somewhere he should not have clicked (I asked - he said it was a link in an email - and no he would not tell me what it was - ok - we can all guess - but he is a good kid and feels really bad about the results).

How did I realize that he had done something? I logged on after work the next day and my entire desktop was replaced by a bright blue and pink screen with the words "TOTAL SECURITY" across the top... being prompted to download their Total Security System to protect my computer. Well I know better than that! I finally managed to get my desktop back by using ctrl-alt-del and ending its process. I tried AVG - it said the file had been corrupted and would not load - I should get Total Security instead. I tried SpyBot - it said the file had been corrupted and would not load - I should get Total Security instead. I tried to get to a restore point, but it... Read more

A:Garmanma said I have a nasty rootkit

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.
*If not, please perform the following steps below so we can have a look at the current condition of your machine.
*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is ne... Read more

Read other 27 answers
RELEVANCY SCORE 51.6

Hello, I'm writing this on a new laptop I purchased yesterday. I will split my issue into two paragraphs to keep this as simple as possible.

Desktop Infection: My desktop was running Windows 8.1 Pro Student Edition. I was logged into my router settings and noticed that the log reported "DoS Smurf Attack" and listed a bunch of remote TCP/UDP connections. Instantly scanned with Rkill, TDSSKiller, MBAM, and they reported Rootkit.Agent but I couldn't get rid of it. I did a little research; looks like the rootkit set up a SMB Relay attack, and this has been going on for some time. I took everything out of my system, RAM, peripheral cards, etc. I reset the BIOS via CMOS jumpers, used DBAN to nuke my HDDs, and put everything back together. I re-installed Windows 7, did another scan with MBAM, and it still reported that I have the rootkit. Since I was aware of the rootkit, I watched it install drivers as services, open up ports to make remote connections, basically all the bad stuff everyone talks about on here. I also flashed the BIOS to its most current version. It did not help.

Laptop Infection: I think my laptop had a simple malware infection. I nuked the drive and re-installed Windows 7 and have not observed anything out of the ordinary. I backup everything important to the cloud, so nuking is no problem for me.

Does anyone have some advice for my desktop?

Thanks, rochek

Read other answers
RELEVANCY SCORE 51.6

Well I have come to the conclusion that I have a nasty or multiple nasty rootkits installed on my computer. I have run rootrepeal, and I need help removing them. I am thanking anyone who takes my case in advance.

OS: Windows Vista 32-bit.

EDIT: While trying to run rootrepeal in regular windows mode, I got a bluescreen. Details are as follows:
PAGE_FAULT_IN_NONPAGED_AREA
STOP: 0x00000050 (0x84805BEC,0x00000000,0x824B40D9,0x00000000)
I ran it in safe mode with networking with no problems.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/01/01 15:21
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\Windows\system32\DRIVERS\1394BUS.SYS
Address: 0x8E483000 Size: 57344 File Visible: - Signed: -
Status: -

Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x8068C000 Size: 286720 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x82418000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: Afc.sys
Image Path: C:\Windows\system32\drivers\Afc.sys
Address: 0x8E491000 Size: 32768 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x8F20B000 Size: 294912 File Visible: - Signed: -
Status: -
... Read more

A:Nasty Rootkit - rootrepeal log

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

Read other 12 answers
RELEVANCY SCORE 51.6

Hi,

I am infected with a nasty rootkit. I read the things you should do before you post sticky but I could not complete. Here is a brief description of why:

Have a nasty rootkit it is causing all kinds of havoc.

1. Won't let me run programs. A pop up comes up saying I don't have a firewall/anti virus on and gives me a choice to start a scan or proceed without; if I choose proceed without, nothing happens (this happens even for programs like task manager). The scan software it wants me to run is Windows Antivirus 2012, but the logo is the 4 color Windows shield that is twisted; it looks fake and like a scam.
2. Won't let me surf the web. If I try to load a webpage it says something about not having a firewall on and I can choose to put it on or proceed without; if I choose proceed without it just repeats the question.
3. Constant pop ups to run/install their Windows Antivirus 2012

I ran malwarebytes anti spyware in safe mode (which was hard to do because it seems to be partially working while I am in safe mode) and it found some files (smartmenuinternet files in HKEY...), removed the files successfully and wanted me to restart to complete removal, but when I restart it goes back to the same problems I was having.

If I run malwarebytes, remove the files and don't restart I can use my computer again, but it has the following problem:

Won't let me run programs unless I right click and run as administrator (if i don't do this a window pops up wi... Read more

A:Infected with nasty rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

Read other 16 answers
RELEVANCY SCORE 51.6

I've recently been infected with a pretty nasty piece of malware that I believe is a rootkit and I cannot get rid of it at all. Not sure how I got it at all, but I want to get rid of it, and I don't know how. I first noticed when it would redirect me to a site called Happili. It wasn't much of a big deal so I ran a virus scan and it didn't find anything, which is when I started getting worried. Now the rootkit is a big problem for me, as it's blocking my drivers for my CD drive and Daemon tools virtual drives. I've tried many programs such as stinger, TDSSKiller, MBAM etc, but I haven't been able to get rid of it.

SysInfo:
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Ultimate, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 8
RAM: 8097 Mb
Graphics Card: Intel(R) HD Graphics Family, -239 Mb
Hard Drives: C: Total - 48310 MB, Free - 9856 MB; F: Total - 953197 MB, Free - 424067 MB;
Motherboard: ASUSTeK Computer INC., P8Z68 DELUXE/GEN3
Antivirus: avast! Antivirus, Updated and Enabled
------------------------------------------------------

HJT log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:16:47 PM, on 4/21/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
C:\Program F... Read more

A:Nasty rootkit please help me remove

Bumping for help.
 

Read other 1 answers

I have been battling a particularly nasty malware infection for the past couple of months now and I've reached a stopping point.

I can't enter safe mode (blue screen).

I can't re-install Windows (install tells me it doesn't see a hard drive...but obviously I have one, since I'm using said computer right now).

Symptoms:

- Any anti-malware program runs about 3-5 seconds, then stops, with the executable being set "read only" and suddenly inaccessible, even with admin privileges.

- Renaming said program paths/executables doesn't work.

- Running said programs from other volumes doesn't work.

Original infection showed AntiVirus Pro 2009. I followed instructions found here and elsewhere and it seemed to go away...then other, similar malware showed up (Windows Police Pro 2010, I believe). Since then, I can't run anything that will either scan or eliminate malware...on-line or on-machine.

Any help would be appreciated.

Running WinXP, SP3

v/r,

FEOS

==================
Win32kDiag log:

Running from: C:\Documents and Settings\Bob\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Bob\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount p... Read more

A:Nasty malware/rootkit...need help

Your system is infected with a new rootkit variant that has become quite pervasive as evidenced by these entries:Mount point destination : \Device\__max++>\^
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will require the use of more powerful tools than we recommend in this forum. Rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: ... Read more

Read other 7 answers
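The answer above singles out two Win32kDiag entries as the tell-tale evidence: a junction under C:\WINDOWS\$hf_mig$ whose destination is the bogus device name \Device\__max++>\^, and a system32 DLL listed with an empty company-name field. The same junction indicator shows up again in Kate's log further down the page. Below is an added triage script, written for this page and not part of either thread or of Win32kDiag itself, that scans a Win32kDiag log and pulls out exactly those two kinds of entry. It assumes the line shapes quoted on this page, that a benign NTFS junction target begins with \??\ (a volume path), and that the parenthesised field Win32kDiag prints after a file is its company name; the sample log is constructed, with the Temp junction and kernel32.dll line made up as benign contrast.

```python
import re
from dataclasses import dataclass

# Line shapes as they appear in the Win32kDiag logs quoted on this page.
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# "[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()"
FILE_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

# Assumption: a benign junction stores its target in the Win32 device
# namespace, i.e. "\??\" followed by a drive letter and path.
BENIGN_TARGET_PREFIX = "\\??\\"


@dataclass
class Finding:
    kind: str      # "junction" or "unsigned_system_file"
    path: str      # object the finding is about
    detail: str    # junction target, or why the file was flagged


def parse_win32kdiag(text: str) -> list[Finding]:
    """Scan a Win32kDiag log and return the entries worth a second look."""
    findings: list[Finding] = []
    pending_mount = None  # junction path waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            target = m.group(1)
            # A junction that does not resolve to a real volume path is the
            # hiding technique described in the answer above: the directory
            # can never be opened, so nothing inside it can be scanned.
            if not target.startswith(BENIGN_TARGET_PREFIX):
                findings.append(Finding("junction", pending_mount, target))
            pending_mount = None
            continue
        m = FILE_RE.match(line)
        if m:
            _stamp, _size, path, company = m.groups()
            # Empty company field on a system32 file, as for eventlog.dll
            # above (assumption: the parenthesised field is the company name).
            if company == "" and "\\system32\\" in path.lower():
                findings.append(Finding("unsigned_system_file", path,
                                        "empty company name"))
    return findings


# Constructed sample in Win32kDiag's format.  The $hf_mig$ junction and the
# eventlog.dll line reproduce the indicators quoted on this page; the Temp
# junction and the kernel32.dll line are made up as benign contrast.
SAMPLE_LOG = r"""
Log file at : C:\Documents and Settings\Bob\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ProfileLink

Mount point destination : \??\C:\Documents and Settings\Bob\Local Settings\Temp

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[1] 2008-04-14 00:12:08 989696 C:\WINDOWS\system32\kernel32.dll (Microsoft Corporation)
"""


def summarize(text: str = SAMPLE_LOG) -> dict[str, int]:
    """Count findings by kind for a quick yes/no on this rootkit family."""
    counts: dict[str, int] = {}
    for f in parse_win32kdiag(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_win32kdiag(SAMPLE_LOG):
        print(f"{f.kind:22} {f.path}  ->  {f.detail}")
    print(summarize())
```

Run it against a real Win32kDiag.txt by reading the file into parse_win32kdiag(); a "junction" finding whose target is not a \??\ path is the strong signal, while an empty company name on its own only says the file's version resource is missing and deserves a hash check rather than an automatic verdict.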

Only thing I can post here is this initial log from when GMER opens; when I attempt to run a GMER or DDS scan the computer hangs and I have to reset it.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-30 15:45:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 ST3802110A rev.3.AAJ
Running: iexplorer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxadqaod.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEE786BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEE786A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEE7DE398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem ... Read more

A:Nasty Rootkit won't let me run dds,gmer

Hello and welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
The first thing I would like you to do is run this for me: http://download.bleepingcomputer.com/grinler/unhide.exe. After it is complete restart the computer and continue with these steps.
Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Under the Custom Scan box paste this in

%TEMP%\smtmp&... Read more

Read other 24 answers

Hello everyone,

I seem to have contracted a nasty rootkit and virus. I noticed the issue due to link hijacking in IE7. The issue is preventing me from booting to safe mode (it begins the boot, but the PC shuts down while loading drivers, if I recall correctly, at a driver call agp??.sys). Trying to recover to a restore point does not work. Restore points on my machine are currently on.

In addition, I can no longer boot to any of the spyware utilities I had installed (Windows Defender, Spybot Search and Destroy, Malware Bytes). It appears the .exe files were deleted. Reinstalling does not work. The programs error and shut down almost immediately. I attempted to deinstall/reinstall the utilities. However that does not work. For example, after deinstalling Spybot and attempting to manually delete the Spybot folder, I get the message, "Cannot delete SpybotSd.exe: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use."

I run McAfee anti-virus and it finds nothing.

The bad news: before I found these forums I had already run ComboFix based on some info I had found in a Google search. The good news: it did not turn my computer into a brick and my links in IE7 seem to work properly. It found rootkit activity. I am not sure if it cleaned them. I still have that log file and I can upload it if requested.

I do have my XP Home reinstallation CD and the MS Recovery Console is installed.... Read more

A:Nasty Rootkit Infection

Hello dgnatek,

I will need to see the ComboFix.txt. Kindly post it in your next reply.

Read other 5 answers

Hello

Our computer has been infected with a nasty rootkit virus which is making life very difficult indeed. It started with one of those fake security alert problems which was fixed with Malwarebytes, but then all of our antivirus/antimalware software stopped running, or we were prevented from loading them - apparently we suddenly did not have the appropriate permission to run the file!
I have since been getting various error messages every time I turn the computer on, and now cannot do anything on the internet which involves logging on to somewhere e.g. accessing googlemail or ebay for example. Our search function has gone doolally as well, very often redirecting me to somewhere completely unrelated.

I have been following instructions given by Garmanma in the 'Am I Infected?' section. I have been unable to run DDS, and he told me to do the Win32kdiag thing, which I did. I hereby attach the log. Please can someone advise me what to do now?!!!!! I'm getting desperate!

Thanks,
Kate.

Log file is located at: C:\Documents and Settings\Alan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : ... Read more

A:Help! Nasty rootkit attack.

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
We need a little more information before we can begin removing this infection.
Download and run a batch file (peek.bat):
Download peek.bat from the download link below and save it to your Desktop.
Download peek.bat
Double-click peek.bat to run it.
A black Command Prompt window will appear shortly: the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Read other 22 answers

Hey, I just recovered from a nasty rootkit and I used ComboFix as a last resort to remove the global root/system root virus. I just wanted a professional to look at the log to see if there was anything else I needed to do. Thanks in advance:

ComboFix 09-09-25.01 - JAMBOREE 09/26/2009 23:51.1.2 - NTFSx86
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3034.2166 [GMT -4:00]
Running from: c:\users\JAMBOREE\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1472054972-2085787597-972031204-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
C:\4214289.exe
c:\windows\system32\drivers\gasfkyqxcpdqby.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\gasfkyfurtvynt.dll
c:\windows\system32\gasfkymcpoihxf.dll
c:\windows\system32\gasfkynocbibrq.dat
c:\windows\system32\gasfkypvkmqxaf.dat
c:\windows\system32\gasfkytijsfnwb.dll
c:\windows\system32\oem6.inf
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyrbtndxue
-------\Legacy_gasfkyrbtndxue
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((... Read more

Read other answers

I've recently been infected with a pretty nasty piece of malware that I believe is a rootkit and I cannot get rid of it at all. Not sure how I got it at all, but I want to get rid of it, and I don't know how. I first noticed when it would redirect me to a site called Happili. It wasn't much of a big deal so I ran a virus scan and it didn't find anything, which is when I started getting worried. Now the rootkit is a big problem for me, as it's blocking my drivers for my CD drive and Daemon tools virtual drives. I've tried many programs such as stinger, TDSSKiller, MBAM etc, but I haven't been able to get rid of it.
I am unable to run GMER since I have 64 bit Windows, but I will post my DDS log and attach.txt
By the way, I have two hard drives right now. My C:\ drive is on my 60GB SSD, whereas my F:\ drive is an external 1TB hard drive on which I keep most of my things, such as games and Steam, installed.

DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Vin at 18:17:34 on 2012-04-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8097.4914 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32 ... Read more

A:Nasty rootkit infection

Hello xhydeffx, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
1. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <- Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator. If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a... Read more

Read other 15 answers

Created an image for T520 Win10 and deployed it; clients are trying to install Windows updates repeatedly when turned off, which don't complete due to the Write Filter being on. What is the preferred method of disabling updates on a Win10 image? I would think the base image would have this pre-configured?

Read other answers

I had a problem with Internet Explorer Has Stopped Working. The problem still exists. One of the steps was troubleshooting Windows 7. The troubleshooter showed that Windows Update was not registered. The troubleshooter supposedly fixed the issue. I went to check the settings and Windows Update settings now are to Install updates automatically. It is greyed out and you can't change it. There is a message at the top highlighted in yellow: Some settings are managed by your administrator. The user account is set as administrator and I can't change the setting. It was set to Check for updates but let me choose whether to download and install them.

I haven't found anything on this and I would like some suggestions or a fix. Below is my System Information.

Tech Support Guy System Info Utility version 1.0.0.4
OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz, Intel64 Family 6 Model 23 Stepping 6
Processor Count: 2
RAM: 5861 Mb
Graphics Card: Intel(R) Q35 Express Chipset Family, 256 Mb
Hard Drives: C: 74 GB (27 GB Free);
Motherboard: LENOVO, LENOVO
Antivirus: Trend Micro Internet Security, Updated: Yes, On-Demand Scanner: Enabled

Bill
 

Read other answers

What do you guys recommend for this purpose? Anything to avoid?

A:Tool to monitor all your installed applications for updates?

Originally Posted by x509:
What do you guys recommend for this purpose? Anything to avoid?

You could try:

PowerShell PackageManagement (OneGet) - Install Apps from Command Line - Windows 10 Forums

I do not use native or 3rd Party software managers, but have been tempted to implement the PowerShell solution. I tried it for a while, but my software collection is not that big. The good thing is that the above solution has most, if not all, of the software I use (it is a canned package, but you can build your own repository and add other software)

Read other 2 answers