Q: virtumonde and/or system32 possible trojan/virus

I went through all five steps, and the only step that I was unable to do was step 2 - Panda Security - said "oops....there's been an error... Don't worry we've taken note and we're working on solution-please try again later" -

I do believe I have either a virtumonde trojan and a system32 trojan.. or both. I am not sure if they are the same type with two different names. My antivirus called it a C:\\windows\system32|~exe. and Spy doctor (which has been uninstalled) called it a trojan.virtumonde. I am not sure what to do at this point, so hopefully I have provided you with the necessary tools to help me when you have the time. I tried to do as much research on removal of these, and it led me back to you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:36 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mytelus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Cory & Karla Hancar\Local Settings\Temp\Rar$EX03.140\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1149104996453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...v2.0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: __c00514A4 - C:\WINDOWS\system32\__c00514A4.dat
O20 - Winlogon Notify: __c005BBB6 - C:\WINDOWS\system32\__c005BBB6.dat (file missing)
O20 - Winlogon Notify: __c00740CA - C:\WINDOWS\system32\__c00740CA.dat (file missing)
O20 - Winlogon Notify: __c00B3240 - C:\WINDOWS\system32\__c00B3240.dat (file missing)
O20 - Winlogon Notify: __c00DF132 - C:\WINDOWS\
O20 - Winlogon Notify: __c00FFE29 - C:\WINDOWS\system32\__c00FFE29.dat (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10187 bytes


Thanks in advance for your help

Karla Hancar

A: virtumonde and/or system32 possible trojan/virus

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

For XP Home >> http://www.microsoft.com/downloads/d...displaylang=en

For XP Pro >> http://www.microsoft.com/downloads/d...displaylang=en

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Go to Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log
Add-Remove Programs.txt

If you have any questions along the way...STOP and ask them before proceeding.


I have the window that says that I have a virus. I am also getting a ton of pop up ads and windows asking me to scan my machine for viruses. Also it seems that my key pad isn't working, having words missing letters even though I know I hit the key. I have followed the steps, but it seems that it is getting worse with each step. Also Sygate is driving me nuts because I have no idea what programs or requests to accept or deny. Also when I ran the Stinger it didn't quit so I hit cancel when I was positive that it was rescanning again. All help is appreciated - Roger

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:41 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Fil... Read more

A: Virtumonde.prx, Trojan: System32\phc3vj0ep09.bmp, Pc Sca

Hi

Please Download Malwarebytes' Anti-Malware from Here: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
or here: http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

THEN ...

Post a new hijackthis log

steam


About my computer: I use a laptop with mozilla fox as my internet. I used to get pop-ups from internet explorer which I never use. The pop-ups stopped after I removed some threats w/ IObit. Now I get frequent pop-ups and lags from mozilla. I've had this trojan called Trojan.Win32/Vundo for about 2 weeks now.

IObit Security 360 Scan: Yesterday, I downloaded IObit because I needed something that wouldn't freeze/lag during a scan (I normally use comodo but it takes FOREVER and never finishes). So IObit detected about 86 threats and successfully removed them; however, 1 threat couldn't be removed which was Trojan.Win32/Vundo. I got the location which was in c:\windows\system32\yanohide.dll. I tried finding it but it wasn't there. Also, whenever I try to load my security programs I get a message from IObit saying that c:\windows\system32\yanohide.dll wants to connect in order for it to run (I blocked it obviously).

Spybot S&D: I also tried scanning with spybot S&D but it's been lagging lately and Idk why... I had to stop it halfway since it lagged and stopped. So far it detected MyWeb.MyWebSearch (I'm guessing this is the cause of the pop-ups) and virtumonde.dll. I wasn't able to remove any of these because like I said S&D lagged and stopped. So I had to exit out of it myself..

Malwarebytes Scan: Lastly, I tried to run malwarebytes but I kept getting a window that said that a file was missing (I used this bef... Read more

A: Virus/Trojan infections: Trojan.Win32/Vundo, Virtumonde.dll, MyWeb.MyWebSearch, and possibly more (?)

Hello, ViaSarah.

My name is aommaster and I will be helping you with your log.

If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

We need to run RSIT

Download random's system information tool (RSIT) by random/random and save it to your desktop.
Double click on RSIT.exe.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

In your next reply, please include the following:
Log.txt
info.txt


Can someone please help me also?
I too need to rid my system of the system32.exe Trojan virus.
Here is my HijackThis logfile.

Logfile of HijackThis v1.97.7
Scan saved at 10:03:47 PM, on 11/24/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\eAcceleration\download.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\kxmixer.exe
C:\PROGRA~1\Dantz\Retrospect\ComboButton.exe
C:\Program Files\Common Files\eAcceleration\systimer.exe
C:\PROGRA~1\Logitech\MouseWare\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\TextBridge Pro 8.0\Bin\InstantAccess.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\RUNDLL32... Read more

A: system32.exe Trojan virus


Hi.. this will be my first post so please let me know what additional info is needed. First thank you sooo much for even reading this. Ok my computer problem. Started 2 weeks ago, my AVG resident shield freaked out with messages: C:\\Windows\system32\UACgfagybiwpsoadjh.... etc etc.. a bunch of them. Infection: Virus found Win32/Cryptor. They keep replicating.. onto everything I open from my C drive :\. It deleted my system restore point. When I try to restore my C drive.. an error 404 popped up. I have random internet explorer pop ups linking me to.. Chinese sex history.. fulldot whatever. When I go on safemode to scan for the virus. It shuts down my computer. When I try to run anything attempting to kill the virus. It goes to blue screen. I used systemtec, AVG, Norton. Nothing worked. Whenever I click on scan the whole computer.. it would only scan a portion of the computer. AVG won't remove it. I downloaded Malware remover. It won't open. My firefox links me to random ad sites. My system won't update? When I first got this virus.. it tore down my firewall. I dunno if my firewall is even working at the moment. Thanks so much for help!!
DDS (Ver_09-05-14.01) - NTFSx86
Run by Sony Owner at 18:42:00.91 on Wed 06/03/2009
Internet Explorer: 7.0.6000.16830 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista® Home Premium 6.0.6000.0.1252.1.1033.18.2038.953 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated... Read more

A: System32 Virus/Trojan

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hello

I must apologise if the information I give is not clear as I am not that great with computers!! The last couple of months I have been having advert pop-ups and an anti spyware software coming up saying that my computer is badly affected. I click off it as I assume it is fake but it tries to download. McAfee has said that it has found and quarantined trojan.gen.s, trojan.gen.t and trojan.gen.s all in the c:/windows/system32. Since this week my McAfee no longer works, my internet explorer isn't working fully and won't let me download anything from the internet. I have a laptop which I have been using to search the internet to find help; I downloaded superantispyware which removed quite a lot of adware stuff. I have today come onto here to see if anyone can help please. I have pasted my hijackthis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:45, on 15/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Microsoft... Read more


Hi, I believe I have a bad Rootkit virus or trojan as many of my computer's settings and programs are either blocked or malfunctioning. MalwareBytes is currently the only program that will do anything, which I will delete, but then something new pops up 1-2 days later. I have tried many programs and started a help thread at MajorGeeks.com, but I have been unsuccessful at this point. After using MajorGeeks.com, I discovered this site, and was hoping for a second opinion. Here are some details:

Computer - Toshiba Ultrabook, Intel Core 5, Windows 7

Programs Previously Ran
Norton, Norton Power Eraser, Norton Recovery Boot
SpyBot S&D
SmitFraudFix
MalwareBytes
ComboFix
TDDS Killer
MGTools
HJT

Current MajorGeeks Thread (Please start at beginning of thread) - MajorGeeks Thread

Attached is my current DDS log requested by BC. GMER came up empty, so I didn't attach that log. Also, I attached a screenshot of my latest MalwareBytes quarantine to show some of the viruses found over the last week. I keep removing, but something new is created every 1-2 days.

This has been the worst virus I have experienced and my computer is only 1.5 months old. Please help! I will donate money to the site that is able to fix my issue first!

Thanks, Jon

A: Virus / Trojan believe in Rootkit - System32?

Hello and welcome to BleepingComputer,

As your MajorGeeks topic is still open, please choose where you want to be helped; being assisted at two forums simultaneously is not productive, and can cause confusion, as the helpers in both topics are not aware what the other is trying to accomplish.

If you decide to stick with the topic here, please request the MajorGeeks topic to be closed and post back here afterwards.

We are not in a competition here, so offering money to get your issue fixed faster is not going to work. Everyone would like to have their problems fixed as soon as possible; we are a 100% volunteer community and topics will be picked up oldest ones first.


Hello,

Within the past 24 hours I somehow caught a bad Trojan virus. I have spent the past 7 hours trying to get rid of it to no avail. I have made small progress, but have not eradicated it completely (and it only seems to come back stronger). After running my AVG scan and a Spybot scan, I then downloaded SDFix and ran that. Because I continued to have problems (and I was recently blessed with the full Yahoo toolbar being installed and numerous annoying popups), I searched online further and discovered HijackThis. I downloaded it and ran it and am now posting the log it produced. Many thanks to anyone who can help me; I am at my wits' end over this. I apologize in advance that I may ask some stupid questions--I'm not as computer-savvy as I'd like to be! Thank you for any help you can provide, it is greatly appreciated!

Kind regards,
Kristy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:40 AM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS ... Read more

A: Trojan Virtumonde Virus

Hi,

The forums are really busy, that explains why logs get behind. If you still need some help, please start with posting a new HijackThis log in this thread. Don't start a new thread.
Then we'll take a look.
Regards,

Rosty.


It seems that my computer has been infected by the Virtumonde virus. I have gone through all of the recommended adware and spyware steps prior to posting my hijack this log. So here goes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:43 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\... Read more

A: Trojan Virus - Virtumonde?

Apologies for the delay in responding. The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

Please disable Spybot Search and Destroy TeaTimer as it may interfere with what we are trying to accomplish
Open Spybot Search & Destroy
In the Mode menu click Advanced Mode, if not already selected.
Select: Yes at the Warning prompt.
Expand the Tools menu.
Click: Resident
Uncheck the Resident TeaTimer (Protection of overall system settings) active.
In the File menu click Exit
Restart the computer!!

~~~~

Next, download ComboFix
Save to the Desktop <<< Important!!
Now, go to Start > Run, and copy/paste the following command in the Open box: "%userprofile%\desktop\combofix.exe" /killall
Example:
Click: OK
Follow the prompts to install ComboFix. Then, type 1 and press Enter to begin the scan.
Do not mouse-click the ComboFix window while it runs. It may cause it to stall.
When finished, a log, ComboFix.txt, is produced.

~~~~

Run HijackThis once again to obtain a new log.

~~~~

Please post the ComboFix.txt, and a new HijackThis log in your reply.


Hi

I seem to be having problems with my new computer that I suffered with on my laptop. The last time the technician was able to assist me. A few days ago my computer just slowed right down, then Mozilla went funny (wouldn't load pages) and then Internet Explorer windows kept popping up offering me dubious products. I ran the anti-virus program in safe mode and thought I had got rid of it, but it seems to have come back. Can you help? Please find a copy of my DSS log.

Many thanks

Deckard's System Scanner v20071014.68
Run by Patrick on 2008-05-02 20:51:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1022 MiB (1024 MiB recommended).

-- HijackThis (run as Patrick.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:58, on 02/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.e... Read more

A:Possible Trojan:virtumonde Virus

Hello! And welcome!

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Avast! or Sophos.

==============

Next, please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
If you have trouble with the update process, please download the latest updates here.
Double-click the mbam-rules.exe file on your desktop and let it update the application.
Once the program ... Read more


Randomly, my AVG antivirus started flagging up several files in my system32 folder as trojan viruses. I immediately sent them all to the virus vault, and thought nothing of it, until it kept finding more and more trojans. I ran a full computer scan, which found 4 more viruses, but whilst running the scan, it popped up with at least 8 more trojans, all located in the system32 folder. Knowing that the system32 folder is where Windows runs from, I was loath to remove the trojans, in fear of deleting an important part of Windows. I was then recommended to post on this site, and have followed the "First Steps". Below I will post the DDS log, and will attach the "attach log" that you requested. However, after several attempts to do the GMER scan, my computer keeps crashing half way through.
I have also found that, if I look through the details of the trojans my antivirus keeps flagging up, I can find the process that matches them in Task Manager, and stop the process. This seems to stop the popups, but obviously, the problem is still there, and with this computer being used for internet banking/purchasing, I'm always conscious of the fact that it might be a keylogger virus running behind the trojan popup problem.
Thanks in advance for your reply.

Results of the DDS scan:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Tom at 22:47:14.56 on 07/01/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252... Read more

A:AVG keeps finding trojan virus' in System32 folder

Hi -

Let's try this version of gmer. Also disable AVG for the duration of the scan.


Download GMER Rootkit Scanner from here to your desktop. Double click the exe file.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked:
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If gmer still has troubles, just get the log from the initial scan.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double click the exe file.
The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a f... Read more


Hello!
I have a problem with a Trojan Horse (what AVG detected) or downloader (what Norton Antivirus detected) virus. But both antivirus programs could not fix this file (C:/WINNT/system32/suphip87.dll) because "Access to the file was denied." Norton has also detected other files in the same folder that are infected with the same virus that AVG did not detect. Lately my computer has been getting many problems. I really need help!
My computer is Windows XP
 

A:System32 problem. a Trojan Horse virus?


I lent my computer out to my younger cousins over the weekend and it reappeared this Monday morning with a load of problems, i.e. trojan viruses, Virtumonde, and I've no idea what they did. I have McAfee VirusScan Enterprise and it was saying that I had the following problems.

22/09/2007 0:50:22 Estadísticas:
22/09/2007 0:50:22 Archivos analizados: 7436
22/09/2007 0:50:22 Archivos detectados: 0
22/09/2007 0:50:22 Archivos limpiados: 0
22/09/2007 0:50:22 Archivos eliminados: 0
22/09/2007 0:50:22 Archivos migrados: 0
22/09/2007 10:44:11 Versión del motor = 5.2.00
22/09/2007 10:44:11 Versión DAT = 5117
22/09/2007 10:44:11 Número de definiciones de virus en EXTRA.DAT= Ninguno
22/09/2007 10:44:11 Nombres de los virus que puede detectar EXTRA.DAT= Ninguno
22/09/2007 16:54:57 Eliminado(s) RED_NT\MBASE238 we.exe C:\Documents and Settings\MBASE238\Configuración local\Archivos temporales de Internet\Content.IE5\QG4W1IEO\retadpu[1].exe Generic Downloader.k (Troyano)
22/09/2007 16:54:59 Eliminado(s) RED_NT\MBASE238 we.exe C:\WINDOWS\retadpu1000520.exe Generic Downloader.k (Troyano)
22/09/2007 16:55:33 Limpiado(s) RED_NT\MBASE238 Setup.exe C:\Documents and Settings\MBASE238\Configuración local\Temp\GUQF296\vh.exe W32/Virut.gen (Virus)
22/09/2007 16:57:08 Eliminado(s) RED_NT\MBASE238 we.exe C:\Documents and Settings\MBASE238\Configuración local\Archivos temporales de Internet\Content.IE5\6KNLJ5T5\retadpu[1].exe Generic Downloader.k (Troyano)
22/09/2007 16:57:08 Eliminado(s) RED_NT\MB... Read more

A:Solved: Trojan virus and virtumonde


"Virus identified Packed.Protector.C";"C:\WINDOWS\system32\drivers\cdrom.sys";"Object is white-listed (critical/system file that should not be removed)";"1/23/2010, 10:30:52 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

I have run numerous scans with MBAM; each time MBAM touches C:\WINDOWS\system32\drivers\cdrom.sys, AVG sends up a threat notice. MBAM does not flag the file as infected.

When I run AVG it identifies the above "Virus identified Packed.Protector.C" in C:\WINDOWS\system32\drivers\cdrom.sys. There were two viruses, and AVG was able to remove the first, but not this one.

My kids were downloading something yesterday when this happened.

Please help. What do I do? I have read the forums from the HJT Team, and the ComboFix one; I think that I am in the same situation and I cannot afford to have my computer hacked.


I have been battling a virus all day. The only piece that is remaining is in the c:\windows\system32\drivers\cdrom.sys

I have done a stupid thing. I was hoping for more virus support and upgraded from the free version of AVG to the version 9.0. And of course it wants me to reboot.

I am terrified to reboot for fear of extracting the virus.

I am not that computer savvy and would really like to save my hard drive.

Please help?

Reverend Lisa
 

A:Trojan virus-c:\windows\system32\drivers\cdrom.sys


Well my computer was hit with the xp security 2012 bug. I have been trying to clean it out but my kaspersky anti virus program will not let me delete or quarantine the bad file. So I am following the suggestion on this post: http://forums.techguy.org/virus-other-malware-removal/896647-trojan-virus-c-windows-system32.html

I hope I am doing this right. Any help would be greatly appreciated.
 

A:Trojan virus-c:\windows\system32\drivers\mrxsmb.sys

Here is my ComboFix report:

ComboFix 11-12-17.02 - jimm 12/17/2011 13:57:16.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -6:00]
Running from: c:\documents and settings\jimm\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jimm\Application Data\completescan
c:\documents and settings\jimm\Application Data\install
c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}
c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}\chrome\content\_cfg.js
c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}\chrome\content\overlay.xul
c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}\install.rdf
c:\documents and settings\jimm\Local Settings\Application Data\jqq.exe
C:\Install.exe
c:\windows\$NtUninstallKB37933$\2404632685
c:\windows\$NtUninstallKB37933$\318736082\@
c:\windows\$NtUninstallKB37933$\318736082\bckfg.tmp
c:\windows\$NtUninstallKB37933$\318736082\cfg.ini
c:\windows\$NtUninstallKB37933$\318736082\Desktop.ini
c:\windows\$NtUninstallKB37933$\318736082\keywords
c:\windows\$NtUninstallKB37933$\318736082\kwrd.dll
c:\windows\$NtUninstallKB37933$\318736082\L\lpcjoloj
c:\windows\$NtUninstallKB37933$\318736082\lsflt7.ver
c:\windows\$NtUninstallKB37... Read more


I see similar problems to mine, but not exactly. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 10:20:04 AM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
C:\WINDOWS\system32\diddrig.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C... Read more

A:virus Trojan.vundo: Windows\system32\ddaba.dll


I am currently running Windows Vista on my Toshiba laptop and after a normal reboot of the computer was alerted with a BAD IMAGE message (topi.exe) that multiple application extensions within system32 are "either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support".
I have tried changing the startup programs, yet I feel as if I cannot perform all the actions I need to, and cannot disable some programs, as if the virus has more power over the laptop than I do.
This trojan or virus doesn't allow me to SFC scan using the command prompt as it says I'm not the administrator, or perform many different administrative actions; although I am obviously the administrator, it says I need permission to perform these actions. It also continually pops up that WMI host provider has stopped working, and when I try a system restore that stops working as the bad image message keeps coming up. The main problem I am facing is that it will not allow me to use my wifi to connect to any network and the laptop is running very slow; I can however use an ethernet cable to connect to the internet. I am primarily worried about further unforeseen problems.
I am considering backing up all my information to an external hard drive and restoring the laptop to its original state, but then I would need to restore the OS etc.
I do not have the windows vista installa... Read more

A:Windows system32 problem, possibly a virus/trojan. Please help.

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


I have a trojan virus (c:\windows\system32\gaopdxtsmxikxl.dll) that regenerates every time I open IE. I have deleted it several times with Norton. The information below is from HijackThis; if anyone has a suggestion I would appreciate it. (This is the file that Norton says is the trojan: c:\windows\system32\gaopdxtsmxikxl.dll)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:50 AM, on 2/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\MCUI32.EXE
C:\Program Files\Trend Micro\HijackThis\Hi... Read more

A:Trojan virus c:\windows\system32\gaopdxtsmxikxl.dll removal help.

Hello timrivera2, welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a link at the top of each page.
Having problems with spyware and pop-ups? First Steps
http://www.techsupportforum.com/f50/...lp-305963.html


Hi,

I have an old DELL computer with XP that my kids have been using; it has become infected. It was to the point of almost not working and also it would not allow the download of any Microsoft updates at all.

What I have done so far is:
Download an updated McAfee Virus remover and run this in both normal and safe mode
Downloaded and run AVG Free again in normal and Safe
Downloaded and Run Malwarebytes Anti Malware
Also run the 3 Vundo Removal tools
Run the CCleaner tool
Run the SmitFraud removal tool

It had the Vundo Virus on it and around 600 other infections of various types. It is still coming up with a fake trojan message all the time. It has however cleaned a lot of it up and now I have updated to the latest Microsoft Updates which it wouldn't do before.

Attached are the logs. Any help would be greatly appreciated.

Thanks
Chris

DDS (Ver_09-01-07.01) - NTFSx86
Run by bruce at 9:49:08.06 on Fri 16/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.480 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common File... Read more

A:fake Trojan/Vundo Virus/Virtumonde

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please update Malwarebytes' Anti-Malware and run a full scan and post the logs with the DDS log.
* Download DDS by sUBs from one of the following links. Save it to your desktop. ... Read more


My desktop has a form of the Virtumonde virus. I've used various software such as McAfee, Spybot, Ad-Aware, AVG, Malwarebytes, etc. At least, that's what these have told us. IObit came up with this:

IObit Security 360

OS:Windows XP
Version:1.0.0.60
Define Version:1183
Time Elapsed:00:05:02
Objects Scanned:58320
Threats Found:2

|Name|Type|Description|ID|
|Trojan.FakeAlert|Registry Value|HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Smax4|4-24012|
|Trojan.Agent|Registry Value|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=10ce1bb4|4-27918|

My computer has been running slower. Our bank account got compromised, but the bank tells us it wasn't from online. Just want to make sure. Thanks for any kind of help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:20 PM, on 9/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Serv... Read more


Hi all,

Six months ago some nasty virus was downloaded to my system, and I was only able to remove it with the help of ComboFix... or so I thought. My current situation may or may not be caused by the same virus(es), but the symptoms are the same: I keep trying different virus/malware removal tools (ComboFix, Trend Micro HouseCall, Kaspersky online scanner, Avast free edition, Spybot, AdAware, etc.) but the virus/trojan/whatever always reappears (and often seems to change form or rename itself) when I restart and re-scan. Other symptoms have included a couple of .dll errors at startup (one involving a file called oqalogu.dll comes to mind), internet connectivity interruptions, inability of my previous version of AdAware to update properly, and some strange browser behavior.

Thanks for any help you can provide

On to the pseudo-HijackThis log!

(NOTE: This current log was generated after an Avast scan found the Win32:CTX virus, though I have not restarted since)

----------------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by James at 17:56:42.29 on Thu 07/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1133 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090716-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchos... Read more

A:Infected with Win32:CTX and/or Virtumonde or other virus/trojan

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I Have Tried Malwarebytes But Every Time It Removes It, It Keeps On Coming Back!! There Are Some Random Programs In The Startup List Such As - "Jebodoma", And They Command Rundll32.exe... Anyway I'm Posting A Log. Any Help Will Be Greatly Appreciated.

LOG:
Logfile of random's system information tool 1.05 (written by random/random)
Run by Fahad at 2008-12-23 15:00:56
Microsoft Windows XP Professional Service Pack 2
System drive C: has 3 GB (40%) free of 7 GB
Total RAM: 254 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:01:14, on 23/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
F:\Malwarebytes' Anti-Malware\mbam.exe
F:\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fahad\Desktop\RSIT.exe
C:\Program Files\trend micro\Fahad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft... Read more

A:I Am Infected With Virtumonde And Vundo Virus/Trojan!

As Well As That I Keep On Getting Anti-Virus 2009 Pop-Ups. I've Tried Malwarebytes But Every Time I Reboot, It Keeps On Coming Back!!! I Need Some Help!!


I really need help. This is the second time one of my computers has been infected with a trojan virus. I'm protected by Norton. The Norton GoBack utility is detecting qstwa.ini2 (C:/Windows/System32) - a file that I believe is being created and deleted every ten seconds.

I have run Spybot Search and Destroy. A couple of problems came up - but it deleted them (all except one). When I ran SB in safemode, it didn't detect that problem. Since then, it hasn't detected it again - and deletes everything it finds.
Aside from that, I ran AVG and surprisingly enough - it didn't detect anything. Currently, I have TheCleaner (it has detected 12 instances of Virtumonde and cleaned them) and VundoFix (cbxyxvv.dll file found) running. I have also read a couple of the threads here and have downloaded HiJackthis, SmitFraud and KillBox.

I just installed HiJack this. The logfile is included below. ANY help will really be appreciated. Thanks again! =)

*************
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:54:19 AM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec... Read more

A:Virtumonde, Trojan Virus and Other Crap Infecting my PC.


Hey guys, first post here.

I was recently infected with metajuan and virtumonde.dll. Spybot found Virtumonde & deleted most of it but froze when trying to remove one dll. So I got VundoFix and ran it and it did the same thing but could not delete mljiigh.dll, so it rebooted. Every time it reboots it either doesn't show the .dll under files to delete or is unable to remove it and asks me to restart again. I've tried in safe mode, I've tried using Norton, Nod32 spyware removal, vundobgone, atfcleaner etc.

I also have problems with hardware interrupts taking up 90-100% of my RAM; the IRQ for my video card is conflicting with network adapters and other things (might be normal since I don't have many slots) but this started when the Vundo appeared so I think it's probably related. I currently cannot access my computer in any mode beside Safe Mode w/ or w/o networking. I have 4 bit color in normal mode and all it does is display my desktop without icons and freeze completely. Rundll32.exe is also behaving strangely and launching browser helper objects which Spybot blocks, thankfully.

Anyway here's my HijackThis! log (from safe mode):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:04 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:... Read more

A:Trojan.metajuan+trojan.virtumonde +virtumonde.dll=good Times

Hi moomoo2u and Welcome to the Bleeping Computer!

Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I've run Ad-Aware as well as Windows Defender and they've come up with 3 different viruses. There's win32.trojan.agent,
win32/virtumonde.O and
win32/fotomoto.
I've tried to remove the viruses with the programs, but they are still there. I tried using VundoFix too, but that didn't get rid of it. Somebody please help me. Log file from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:53 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Documents and Settings\Leanne Choi\Application Data\WinTouch\WinTouch.exe
C:\Documents and Se... Read more

A:Solved: trojan, virtumonde, and fotomoto virus--hjt post


Hello,

I am good2go7 (the new kid on the block). I am having major problems removing the Virtumonde/Vundo Trojan Horse Virus from several Windows XP PCs. I have downloaded the Vundo Removal Tool and run it on these machines to no avail. All the machines are running Norton Anti-virus with the most current virus definition updates. In addition to Norton Anti-virus I have tried the following programs with no luck:

1. Spybot Search and Destroy
2. Vundo Removal Tool
3. Microsoft Malicious Software Removal Tool
4. Microsoft Windows Defender
5. Ad-aware SE

Any assistance would be greatly appreciated.

good2go7

A:Removing the Virtumonde/Vundo Trojan Horse Virus

Post deleted - not authorised to provide specific malware removal advice.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:29 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svcho... Read more

A:Infected with trojan horse.generiII.BIGG virus/ Virtumonde

Hi My name is Extremeboy (or EB for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

If you do not make a reply in 5 days, we will need to close your topic. You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not... Read more


Hello

I am in dire need of technical help. My system performance has been very slow. My virtual memory is always low and AVG detects the viruses, namely C:/windows/system32/cmcfg3.dll and Trojan Horse Downloader Delf.12.AN, but cannot heal or remove them. I am getting virus detected pop-ups whenever I launch Internet Explorer. The following process names are infected:
1. C:/Windows/Explorer.exe
2. C:/Program Files/Internet Explorer/Iexplorer.exe

It takes a long time to boot up my system. Every time it boots up, the time and date reset to 10 AM 09/05/2020. I believe that there are a lot of applications that are automatically loaded but I rarely need. Most of the time, I will be getting a message of low virtual memory and sometimes out of memory. And during shut down, it takes half an hour or more to complete.

I am attaching the HJT log of my personal laptop that I ran last 05/15/09. If you need me to run it again or use the DSS program then kindly inform me. Thank you in advance.

Regards

mhoji

A:Virus Found: C:/windows/system32/cmcfg3.dll and Trojan horse downloader delf.12.an

Hello and welcome to the BleepingComputer.com!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please post back and let me know if you're still experiencing problems and post the logs from RSIT:
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

regards
_temp_


Hi Folks,

Hoping someone can help me please with this virus thing, thanks! I've tried searching for it on Google and found nothing, nothing in the virus vault either.

I jumped in feet first and had already tried Malwarebytes' program which removed part of the Trojan Vundo.H but not this one,

C:\windows\system32\punleisi.dll

although Kaspersky refers to it as Trojan-Clicker.Win32.Delf.cbe?

Anyhow, I am a real noob when it comes to this stuff (hence why I just went cracking away at it myself) and would probably need some serious hand holding if you guys were to find the time to help.

Thanks for reading!
Bebop13

A:Unknown Virus - Trojan-Clicker.Win32.Delf.cbe (C:\windows\system32\punleisi.dll)

Hello this is a Vundo type infection so Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begi... Read more


Hi,
Been dealing with Trend Micro for a week now without any resolution. They're unable to identify the problem but have been treating it like it's Virtumonde (using VundoFix) without much success. I've tried cleaning both as administrator or in safe mode (running W2K 5.00.2195 with SP4 I believe). Started with my browser crashing, then dialog boxes popping up when IE launched. They said I had been exposed to Bloodhound virus and then opened up a website like WinFixer does (naturally, they could fix it for the small price of...). Anyway, long story short, as I've spent about 15 hours chasing this problem this week, I've run numerous AV, anti-spyware, and registry cleaner programs. I successfully deleted two files today qopnk.dll and tustu.dll. Any help would sure be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:21 PM, on 4/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\I... Read more

A:Elusive Virus: Virtumonde, Trojan.swfdl.a, Exploit.iframe.vulnerability, [email protected]

Hi netcentricusa and Welcome to the Bleeping Computer!

Lets try using F-Secure Blacklight and have a closer look.
Download and Save Blacklight to your Local Drive C:\
Click Start-> Run-> Type in C:\blbeta.exe /expert and click OK to launch Blacklight.
Accept the Agreement and Click Next, now click Scan and let Blacklight scan the entire system.
You'll see a list of all items found. There will also be a log on your C:\ drive with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Let me see a HijackThis Start Up log.
Open HijackThis and Click the "Open Misc Tools Section" tab.
Select Generate StartUpList log and make sure that both Boxes beside it are checked:
Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)
It will produce a NotePad Page, I need you to copy the entire contents of that page to the next reply.

Post those 2 logs in the next reply please.


Hi, For two weeks now I've been infected with the Trojan Vundo Virus. It was a complete mess the first day, but I used Atribune Vundo fix like the tutorial said I should. The signs that I've been infected by a blackworm and so forth, the obvious signs of vundo, were gone. But I used Norton, Trend Micro House Scan, and Panda and discovered there were still more infected files that could not be removed. I have downloaded Webroot Spysweeper, Lavasoft Ad-Ware, Bitdefender, McAfee, and so forth. They didn't work: the results of scans showed nothing, or I had to pay to remove the infected files, or the program could not remove the infected files, or the program removed the infected files but they kept on showing up in the scans. Norton 360 for a while in the scan results showed nothing but then suddenly started telling me my computer was infected with vundo. I downloaded SuperAntiSpyware, the free version, and there were 83 objects that were either the vundo virus, virtumonde virus, adware, or spyware. I just recently deleted my old version of Java and updated. The system is working a lot better but there are still popups and my firewall keeps on detecting/stopping changes being made to this browser toolbar I didn't even add, and so I don't think it's clean yet. I'm at my wit's end, ready to break down. Please help. Thank you.

Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:26 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer... Read more

A:Infected With Trojan Vundo, Virtumonde Virus, Spyware, Adware, Unwanted Browser Toolchanges, Ie Popups, And More!

Hello glassman153,
Welcome to Bleeping Computer

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


I'm pretty new to all this so please bear with me!
I have this virus (I think)! I have run TrendMicro PC Cillin, Ad-Aware, and Spybot S & D.
They all come up clean except for Spybot... It comes up with Virtumonde, then as a file under that is c:\windows\system32\awtsp.dll. When I try to clean/delete that file, my screen turns blue with a bunch of words and then proceeds to restart! How can I get rid of this file? And if I delete it with KillBox will my computer still run correctly or what?
Is this file a necessary component for running Windows? How can I fix this? Someone Please HELP!!

Thanks
Jewel

Ohh, and another question for FYI purposes: what is a HijackThis log and what does it do?
 

A:Virtumonde - c:\windows\system32\awtsp.dll

Welcome to TSG

Quote:
Ohh, and another question for FYI purposes: what is a HijackThis log and what does it do?

It lets us see certain aspects of your computer, usually where viruses show themselves. But not always.

Please download HJTInstaller.exe here
Let it Place Hijackthis in C:\Program Files\Trend Micro\Hijackthis
Let it create a Desktop Icon
Please run Hijackthis after you have run ComboFix. Thanks

===================================

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
Save it to your desktop

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

===================================

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe... Read more


The file which originally caused my computer to have problems was "crack.exe", I thought it was a CD crack for an old game I don't have the CD for at college - big mistake, and I've been paying for it now for several days despite hours of working to fix it.

While connected to the internet, I still get pop-ups every once in a while to random websites - it was worse when I first "installed" the file. I have used Ad-Aware 2007 as well as Spybot Search & Destroy to try removing the adware/virus. I also did some registry searching and erased any "crack.exe" files that should not be in my registry. I did some other research on this adware/virus and noticed it creates random .dll files, so I also used CurrProcess (cprocess.exe) to try and find any suspect .dlls, but I wasn't sure which to remove & decided against messing around too much. SB S&D keeps finding Virtumonde and core.cache.dsk every time I restart my computer and run the scan. Trying to "fix errors" causes SB to crash. I will appreciate any and all help. Thank you.

Here is my HijackThis log file: (I originally had HJT on my desktop, but I noticed another person had a similar problem & was instructed to change the name of HJT's executable to Hcheck.exe and move it to another folder, so I did the same).

Also, I use an IBM ThinkPad T41.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:46 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01... Read more

A:Virtumonde, WINDOWS\system32\core.cache.dsk

Please download ComboFix
Save to the Desktop <<< Important!!

Close or disable all AntiVirus and AntiMalware programs so that they do not interfere with the running of ComboFix.

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.


I'm having a problem removing virtumonde. I've run spybot, ad-aware, vundofix, and virtumondebegone, but they haven't been able to remove all of it. When I run vundofix, it keeps saying that C:Windows\system32\mllml.dll is still there. Could you help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:25 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1... Read more

A:Virtumonde Removal, C:windows\system32\mllml.dll

Hello sknight142,

If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday. If your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

1. Download this file - combofix.exe to your Desktop.
Note: It is important that it is saved directly to your desktop
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt.

Post the ComboFix log and a fresh Hijackthis log in your next reply. Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


Alright, so apparently I've just logged on to my other comp, and find that there are two strange boxes flying around my desktop, entitled "Thayet Myo Hacking Day!". I can't seem to open up Task Manager, and my caps lock keeps going on and off by itself. So I Google it, and I don't find anything helpful, or at least in English, except for this:

http://www.mmgeeks.org/forum/viewtopic.php?f=25&t=1021

I read the only helpful post:


Quote:

Start the system in SAFE mode.

Delete the explorer.exe files in C:\RECYCLER, c:\Windows\Backup and C:\.

Open the Regedit and delete explorer.exe in hkey_local_machine/software/microsoft/windows/current version/run (or) hkey_current_user/software/microsoft/windows/current version/run.

You also need to uninstall the programs if the shortcuts to those programs appear as archive icons.

So I reboot my comp, and try to get to Safe Mode. Then this shows up:


Quote:

Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll
Please re-install a copy of the above file.


I have absolutely no idea what that file is, nor do I know how to fix this. I can't access Windows anymore, apparently. I try going to Setup, F8, etc. I look everywhere, trying to find a way out of this. And now, I've come here.

What should I do?

A:"Thayet Myo Hacking Day!" virus/trojan, then <Windows root>\system32\hal.dll missing?

At this point, you have no choice but to insert your Windows install disc and reinstall the OS.


Hi Mike !

Don't know what happened!! My Windows starts normally; after selecting the user, it displays 'loading personal settings'. After that I get an error 'userint.exe application error', reference memory problem. Then it shows my desktop without any Task bar/Status bar and all the icons on my desktop are not displayed. I am accessing Explorer through Task Manager using Ctrl+Alt+Del.

Let me know whether this is a virus infection or some problem with the Windows registry.
thanks
clement

A:Infected with Trojan.Virtumonde/Trojan-Downloader.Agent.OGP, Help me in removing the trojan

Welcome to BC

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all obj... Read more


REPOST (Please don't hurt me!)

Hi, I'm going to try and be as succinct and clear as possible about my issue. Normally I would not bother you wonderful forum gurus, but I can't do this alone.

I'm running XP Pro. V. 2002 with SP3 on a Lenovo ThinkPad. I was (before the problem started) running Spybot S&D and AVG Free. Like an idiot, I neglected to scan a file (file type=file) before opening, and KABOOM! Antimalware popped up and started giving me warnings, wouldn't let me run my browser, and when I went to open AVG, all windows closed so I hard-booted my laptop (the computer was totally unresponsive and I got scared). I restarted XP normally and Antimalware did its thing again, so I tried removing it through Control Panel, but couldn't find it.

I rebooted into safe mode and ran a command line scan with AVG, which removed some but not all of the "Trojan Horse" files... unfortunately I did not log this info, but I do recall some files being in my "Local Settings\Temp" folder, which were removed, and also it had hijacked explorer.exe, svchost.exe and rundll32.exe, which AVG couldn't fix. I didn't realize that at the time, so I tried restarting Windows normally, and downloaded Malwarebytes' Anti-Malware, ran some scans, and it found a couple of Trojan files but seemed to be able to get rid of them. I ran another scan with Spybot which found "Virtumonde". That's when I knew I was in trouble.
I... Read more

A:Virtumonde keeps rearing its ugly head in Explorer.exe and System32 folder

Closed ,I replied to other thread.


Hi, I'm going to try and be as succinct and clear as possible about my issue. Normally I would not bother you wonderful forum gurus, but I can't do this alone.

I'm running XP Pro. V. 2002 with SP3 on a Lenovo ThinkPad. I was (before the problem started) running Spybot S&D and AVG Free. Like an idiot, I neglected to scan a file (file type=file) before opening, and KABOOM! Antimalware popped up and started giving me warnings, wouldn't let me run my browser, and when I went to open AVG, all windows closed so I hard-booted my laptop (the computer was totally unresponsive and I got scared). I restarted XP normally and Antimalware did its thing again, so I tried removing it through Control Panel, but couldn't find it.

I rebooted into safe mode and ran a command line scan with AVG, which removed some but not all of the "Trojan Horse" files... unfortunately I did not log this info, but I do recall some files being in my "Local Settings\Temp" folder, which were removed, and also it had hijacked explorer.exe, svchost.exe and rundll32.exe, which AVG couldn't fix. I didn't realize that at the time, so I tried restarting Windows normally, and downloaded Malwarebytes' Anti-Malware, ran some scans, and it found a couple of Trojan files but seemed to be able to get rid of them. I ran another scan with Spybot which found "Virtumonde". That's when I knew I was in trouble.

I looked up removal instructions for Virtumonde... Read more

A:Virtumonde keeps rearing its ugly head in Explorer.exe and System32 folder

Hello and welcome. I am moving this from XP to the Am I Infected forum.

OK, VundoFix is pretty much outdated so we have some better tools to use.

Next run MBAM (MalwareBytes):
Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop. Before you save it rename it to say zztoy.exe
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select t... Read more


I've had 4-5 viruses on my computer and luckily I've been able to remove them with the help of this site. However, I have one file C:\WINDOWS\system32\ddcyv.dll that can't be taken care of. I've tried Ad-aware, combo-fix, Trojan remover, AVG anti-virus/anti-spyware program, and a few other things I don't remember. This is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:33 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:... Read more

A:Unable To Remove Virtumonde/malware File C:\windows\system32\ddcyv.dll

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.


Hey gang, I need some help! I can barely use my laptop as I seem to keep getting infected with Virtumonde and trojan.vundo. I am looking forward to your help in getting rid of this problem. Thank you in advance! Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:36 PM, on 9/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inet... Read more

A:Virtumonde, Virtumonde.pfx, Trojan.vundo Help!

Sorry, for some reason I didn't see the sticky about bumping; guess I was just being impatient. I will wait patiently for help.


Hello all,

My laptop was hit with a multiple virus infection while using Firefox.
Symantec seemed to have taken care of things at the time but I was still having some problems, and it didn't seem to be able to get rid of TDSS. I disabled system restore and tried to clean the registry manually, but wasn't able to find all the entries listed on the Symantec site. I disabled the TDSS driver via the control panel.
MBAM wouldn't install, so I tried Spybot which found a few other issues. Finally I was able to install MBAM and HJT from a disc, and connected back to the internet again briefly to update both.
I ran CCleaner then MBAM in safe mode, and MBAM seems to have cleaned everything (both MBAM and HJT scans looked OK afterwards, though there are still a few entries in the HJT log that look suspicious to me).
Everything seems to be fine now, and I proceeded to uninstall the old Java updates, got all the latest Windows updates, and then turned system restore on again.
I'm basically looking for some advice on what to do to make sure everything is in fact gone as there are those few HJT entries that look suspicious to me.
Thanks in advance!
DDS (Version 1.1.0) - NTFSx86
Run by mo at 16:50:17.96 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2532 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ====... Read more

A:Multiple Virus Infection: Trojan.Vundo, Trojan.VundoH, Trojan.BHO, Trojan.TDSS, Trojan.Agent, Trojan.Downloader, Malware.Trace...

My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again. This seems like a tech issue and not a malware problem, but let's take a look and see what we find.

Sorry for the delay, please do the following...

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License A... Read more


Hi There! My housemate's laptop has a virus and they asked me to help fix it. By the looks of it they have the "Data Recovery Virus" on their laptop. Ran various virus scans and removed about 200 malicious files, but still no joy. Upon startup several boxes pop up stating: "Failed to save all the components for the file \System32\0000390c. The file is corrupted or unreadable." Each box has a different sys32 file, including ..em32\00004509 and ..em32\0000767d. I've run Spybot and SUPERAntiSpyware; both removed a whole load of crap on the laptop but not the damn virus I'm after!

Also ran Security Check:

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
MVPS Hosts File
Spybot - Search & Destroy
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player ( 10.3.183.10) Flash Player Out of Date!
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check: objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````

Running a comprehensive virus scan (again) atm, will post SAS results when it's done. Any help with this would be greatly appreciated.

A:Data recovery virus - Failed to save components for the file \System32\(several system32 files). The file is corrupte...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/27/2011 at 04:10 PM

Application Version : 5.0.1134
Core Rules Database Version : 7856
Trace Rules Database Version: 5668

Scan type : Complete Scan
Total Scan Time : 01:16:31

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 306
Memory threats detected : 0
Registry items scanned : 71337
Registry threats detected : 0
File items scanned : 225087
File threats detected : 18

Adware.Agent/Gen-Pinball
C:\PROGRAM FILES (X86)\MOSSYSKY\BIN\1.0.16.0\MOSSYSKYSACB.EXE
C:\Windows\Prefetch\MOSSYSKYSACB.EXE-0EB24479.pf

Trojan.Agent/Gen-FakeAlert[Local]
C:\PROGRAMDATA\1KALMIG2KB7FZP.EXE

Adware.Tracking Cookie
cdn1.image.freeporn.com [ C:\USERS\LISA\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FLTEG34J ]
ec.atdmt.com [ C:\USERS\LISA\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FLTEG34J ]
files.youporn.com [ C:\USERS\LISA\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FLTEG34J ]
ia.media-imdb.com [ C:\USERS\LISA\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FLTEG34J ]
s0.2mdn.net [ C:\USERS\LISA\APPDATA\ROAMING... Read more


When I installed Windows 7 (any version), after installing the drivers a dialog box popped up saying system32.exe has stopped working, and many such boxes appeared at once. Then I got a software called combofix.exe, which was a boon to me, and ran it; in the result it deleted system32/root/system32.exe and the system32/root folder too. Then the PC worked and there was no such warning again.

My questions are:
1. Is that path which I have mentioned not needed?
2. Was that a virus?
3. Does your C drive contain that folder or not? Please confirm for me, friends...
4. In reality (on a healthy PC) is that path and directory available, or was it only created on my PC and later deleted? Is that directory needed or not?
5. The main strange thing is that once it has been deleted and the PC works well, when I reinstall any version of Win 7 the same thing is repeated and I have to run the software again. Why does it reappear in each installation, with drive formatting, even though it is deleted?

Please help me, experts, with a solution so that the same thing doesn't appear in a new installation.

A:is system32/root/system32.exe a virus?

You should not use Combofix without the help of a trained person.
Do not use Combofix on your own!!


When I install a new Windows 7, a dialog box appears saying system32.exe has stopped working, and I delete it with ComboFix. But I read in the forum that it is dangerous to use it. So can I manually delete it, or is there any tool less dangerous than ComboFix that can remove it? Actually, what is the system32.exe that appears in every fresh installation of Windows 7? Can't I delete it permanently by going to system32/root/system32.exe..... Please help.

A:is system32/root/system32.exe a virus?

Now that your ComboFix log is properly posted here, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer. From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
