Q: Removed backdoor/morat, wsearch, 0access, need to make sure all systems are go

A friend helped me remove the following from my computer
 
TR/Agent.1016548
BDS/Morat.B.90
wsearch.exe
ZeroAccess Rootkit
 
My router may have also been infected because 2 unknown user accounts were created on my machine, and there were times when multiple users were logged on to the computer.  (I'm the only person who uses this computer.)
 
My friend believes we managed to remove the worst of it, but advised me to get a more expert opinion regarding any residual artifacts.
 
Specific things I'm concerned with are:
 
1. Removal of the newly created directories the infections caused (LocalLow, Roaming, and OICE_15_974FA576_32C1D314_3324) in my AppData directory, and relocation of the folders from my AppData\Local folder that were moved into them.
2. Verification that all traces of the rogue user accounts have been removed from the registry.
3. Verification that the Microsoft Security Essentials software and firewall are functioning correctly.
4. Correction of my user permissions. I have admin rights, but I'm having problems with security settings and being able to run apps and save files outside of my user directory.
 
Thanks, E.
 
Here is my dds.txt file
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.15.2
Run by esims at 20:48:37 on 2014-01-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3977.1375 [GMT -5:00]
.
AV: System Center Endpoint Protection *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: System Center Endpoint Protection *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Microsoft SQL Server\110\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSAS11.MSSQLSERVER\OLAP\bin\msmdsrv.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\fdhost.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\CCM\CcmExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\CCM\RemCtrl\CmRcService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\TechSmith\Jing\Jing.exe
C:\Program Files (x86)\Clipdiary\Clipdiary.exe
C:\Program Files (x86)\Flashnote\Flashnote.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\CCM\SCNotification.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\ipseclog.exe
C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
C:\TFSPT\TfsComProviderSvr.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\nacl64.exe
C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\nacl64.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.myarbys.com/
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
uRun: [Jing] C:\Program Files (x86)\TechSmith\Jing\Jing.exe
uRun: [Clipdiary] C:\Program Files (x86)\Clipdiary\clipdiary.exe
uRun: [Flashnote] C:\Program Files (x86)\Flashnote\flashnote.exe
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableCAD = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office15\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
Trusted Zone: wpscm513
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1007
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{358D23FB-9274-468E-AB98-F82F2E171A20} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{358D23FB-9274-468E-AB98-F82F2E171A20}\458656023547574696F6021447C616E64716024416E63656 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{358D23FB-9274-468E-AB98-F82F2E171A20}\7416C6168797F535F5949494F523031333 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{358D23FB-9274-468E-AB98-F82F2E171A20}\960516463507F647 : DHCPNameServer = 8.8.8.8
TCP: Interfaces\{358D23FB-9274-468E-AB98-F82F2E171A20}\960586F6E656 : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{358D23FB-9274-468E-AB98-F82F2E171A20}\C416155796E64716 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{DDAD146F-808B-4346-8686-9CB2B87E197A} : NameServer = 172.20.20.211,172.30.50.11
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
LSA: Notification Packages =  scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-Notify: spba - C:\Program Files\Common Files\SPBA\homefus2.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\esims\AppData\Roaming\Mozilla\Firefox\Profiles\m86o7whf.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\esims\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Users\esims\AppData\Local\DIRECTV Player\npPlayerPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-7-14 16152]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2013-2-21 22128]
R1 RsFx0201;RsFx0201 Driver;C:\Windows\System32\drivers\RsFx0201.sys [2012-10-19 336880]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 CmRcService;Configuration Manager Remote Control;C:\Windows\CCM\RemCtrl\CmRcService.exe [2013-9-11 577720]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2012-10-24 1043912]
R2 Credential Vault Host Storage;Credential Vault Host Storage;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2012-10-24 36808]
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe [2012-10-9 45960]
R2 DFEPService;Dell Feature Enhancement Pack Service;C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2011-8-24 2279320]
R2 EmbassyService;EmbassyService;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [2012-1-17 218504]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-7-14 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2012-7-14 189608]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-7-14 161560]
R2 MsDtsServer110;SQL Server Integration Services 11.0;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\MsDtsSrvr.exe [2012-10-19 218608]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-6-18 139616]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2012-10-19 2423792]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-7-14 363800]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2012-1-5 1679872]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-7-14 176096]
R3 cvusbdrv;Dell ControlVault;C:\Windows\System32\drivers\cvusbdrv.sys [2012-10-24 47752]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-2-21 317440]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2012-2-28 25496]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2013-1-3 79240]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2013-1-3 15752]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2012-2-11 49752]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-9-14 366600]
R3 O2MDFRDR;O2MDFRDR;C:\Windows\System32\drivers\o2mdfw7x64.sys [2012-7-14 72808]
R3 O2SDJRDR;O2SDJRDR;C:\Windows\System32\drivers\o2sdjw7x64.sys [2012-7-14 84712]
R3 ST_ACCEL;STMicroelectronics Accelerometer Service;C:\Windows\System32\drivers\ST_ACCEL.sys [2012-7-14 68208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-8 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]
S3 bcbtums;Bluetooth RAM Firmware Download USB Filter;C:\Windows\System32\drivers\bcbtums.sys [2012-7-14 134696]
S3 btwampfl;btwampfl Bluetooth filter driver;C:\Windows\System32\drivers\btwampfl.sys [2012-7-14 615976]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2012-7-14 39976]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2012-2-28 34232]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-7-14 356120]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-7-14 788760]
S3 lpasvc;Microsoft Policy Platform Local Authority;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]
S3 lppsvc;Microsoft Policy Platform Processor;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 O2MDRRDR;O2MDRRDR;C:\Windows\System32\drivers\O2MDRw7x64.sys [2012-7-14 74984]
S3 OracleRemExecServiceV2;OracleRemExecServiceV2;C:\Users\esims\AppData\Local\Temp\\oraremservicev2\RemoteExecService.exe --> C:\Users\esims\AppData\Local\Temp\\oraremservicev2\RemoteExecService.exe [?]
S3 SQL Server Distributed Replay Client;SQL Server Distributed Replay Client;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\DReplayClient\DReplayClient.exe [2012-2-11 137304]
S3 SQL Server Distributed Replay Controller;SQL Server Distributed Replay Controller;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\DReplayController\DReplayController.exe [2012-2-11 342104]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WMSVC;Web Management Service;C:\Windows\System32\inetsrv\WMSvc.exe [2009-7-13 10752]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S3 WvPCR;WvPCR;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [2012-1-16 198144]
S4 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]
S4 MSOLAP$LOCALINSTANCE;SQL Server Analysis Services (LOCALINSTANCE);C:\Program Files\Microsoft SQL Server\MSAS11.LOCALINSTANCE\OLAP\bin\msmdsrv.exe [2012-10-19 72497640]
S4 MSSQL$LOCALINSTANCE;SQL Server (LOCALINSTANCE);C:\Program Files\Microsoft SQL Server\MSSQL11.LOCALINSTANCE\MSSQL\Binn\sqlservr.exe [2012-10-19 191976]
S4 MSSQLFDLauncher$LOCALINSTANCE;SQL Full-text Filter Daemon Launcher (LOCALINSTANCE);C:\Program Files\Microsoft SQL Server\MSSQL11.LOCALINSTANCE\MSSQL\Binn\fdlauncher.exe [2012-2-11 49752]
S4 ReportServer$LOCALINSTANCE;SQL Server Reporting Services (LOCALINSTANCE);C:\Program Files\Microsoft SQL Server\MSRS11.LOCALINSTANCE\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2012-10-19 2423792]
S4 SQLAgent$LOCALINSTANCE;SQL Server Agent (LOCALINSTANCE);C:\Program Files\Microsoft SQL Server\MSSQL11.LOCALINSTANCE\MSSQL\Binn\SQLAGENT.EXE [2012-10-19 612848]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-01-14 00:15:40 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{54BF4499-BF35-4215-BD84-9A7D424D8BB2}\mpengine.dll
2014-01-10 03:53:39 -------- d-----w- C:\Users\esims\AppData\Roaming\SUPERAntiSpyware.com
2014-01-10 03:53:14 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2014-01-10 03:53:14 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2014-01-10 00:35:56 10315576 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-08 23:35:21 -------- d-----w- C:\Windows\ms
2014-01-07 20:27:40 -------- d-----w- C:\Users\esims\AppData\Roaming\Wireshark
2014-01-07 20:24:59 -------- d-----w- C:\Program Files (x86)\WinPcap
2014-01-07 20:23:07 -------- d-----w- C:\Program Files\Wireshark
2014-01-05 03:53:05 -------- d-----w- C:\Users\esims\tcpView
2014-01-05 03:49:21 -------- d-----w- C:\Program Files (x86)\Tweaking.com
2014-01-05 01:39:32 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-05 00:38:54 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys.bak
2014-01-05 00:24:49 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6099D3CF-DE16-42F8-916A-A04313CE5A26}\gapaengine.dll
2014-01-04 22:36:54 -------- d-----w- C:\Users\esims\AppData\Roaming\Malwarebytes
2014-01-04 22:36:33 -------- d-----w- C:\ProgramData\Malwarebytes
2014-01-04 19:46:09 -------- d-----w- C:\RegBackup
2014-01-03 09:12:16 98816 ----a-w- C:\Windows\sed.exe
2014-01-03 09:12:16 256000 ----a-w- C:\Windows\PEV.exe
2014-01-03 09:12:16 208896 ----a-w- C:\Windows\MBR.exe
2014-01-03 08:10:33 -------- d-----w- C:\Windows\ERUNT
2014-01-03 07:47:14 -------- d-----w- C:\AdwCleaner
2014-01-03 06:51:59 35328 ----a-w- C:\Windows\System32\drivers\ndiscap.sys.bak
2014-01-03 06:50:59 491088 ----a-w- C:\Windows\System32\drivers\adp94xx.sys.bak
2014-01-03 06:50:59 339536 ----a-w- C:\Windows\System32\drivers\adpahci.sys.bak
2014-01-03 06:50:59 334208 ----a-w- C:\Windows\System32\drivers\acpi.sys.bak
2014-01-03 06:50:59 12800 ----a-w- C:\Windows\System32\drivers\acpipmi.sys.bak
2014-01-03 06:50:58 68096 ----a-w- C:\Windows\System32\drivers\1394bus.sys.bak
2014-01-03 06:50:58 229888 ----a-w- C:\Windows\System32\drivers\1394ohci.sys.bak
2014-01-01 06:38:54 -------- d-----w- C:\Users\esims\AppData\Roaming\InfraRecorder
2014-01-01 06:37:29 -------- d-----w- C:\Program Files (x86)\InfraRecorder
2013-12-31 07:36:50 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-31 07:11:18 -------- d-----w- C:\Users\esims\AppData\Roaming\Flashnote
2013-12-31 07:10:50 -------- d-----w- C:\Program Files (x86)\Flashnote
2013-12-30 21:20:12 -------- d-----w- C:\Users\esims\AppData\Roaming\Clipdiary
2013-12-30 21:20:03 -------- d-----w- C:\Program Files (x86)\Clipdiary
2013-12-30 17:57:22 -------- d-----w- C:\Windows\pss
2013-12-22 04:31:08 -------- d-----w- C:\FRST
2013-12-21 07:55:39 -------- d-----w- C:\Users\esims\AppData\Local\Diagnostics
2013-12-21 00:22:57 -------- d-----w- C:\Program Files\HitmanPro
2013-12-21 00:19:37 -------- d-----w- C:\ProgramData\HitmanPro
2013-12-19 14:35:21 -------- d-----w- C:\Users\esims\ConsoleApplication1
2013-12-19 09:04:05 -------- d-----w- C:\Users\esims\AppData\Local\SvchostViewer
.
==================== Find3M  ====================
.
2013-12-12 20:12:20 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-12 20:12:20 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-12-12 20:12:09 9293192 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-11-20 12:04:31 267936 ------w- C:\Windows\System32\MpSigStub.exe
2005-04-01 10:26:58 173176 ----a-w- C:\Program Files\TSCC.exe
.
============= FINISH: 20:50:32.49 ===============
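A defensive triage pass over DDS output like the log above, added here as an example (it is not the poster's, the helper's or the DDS tool's own code). It parses the "Running Processes" and "SERVICES / DRIVERS" sections and flags entries a reviewer should look at after a rootkit cleanup: bare image names DDS could not resolve, a second colon in the path (alternate-data-stream style executable), binaries under a Temp directory, purely numeric image names, and service entries whose file info is unknown (`[?]`). The sample text is constructed from lines in the two logs on this page; every flag is a review prompt, not a verdict.

```python
"""Triage helper for DDS-style logs: lists process/service entries that
deserve a manual look after a rootkit or backdoor cleanup.
Added example; not part of the DDS tool or of the forum thread."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample assembled from lines in the two DDS logs on this page.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\2736370052:2068768348.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
S3 OracleRemExecServiceV2;OracleRemExecServiceV2;C:\Users\esims\AppData\Local\Temp\\oraremservicev2\RemoteExecService.exe --> C:\Users\esims\AppData\Local\Temp\\oraremservicev2\RemoteExecService.exe [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== Section ====="
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")  # "R2 name;desc;path [..]"


@dataclass
class Finding:
    section: str
    path: str
    reasons: list[str]


def executable_path(entry: str) -> tuple[str, bool]:
    """Extract the image path from a DDS process or service field.
    Returns (path, file_info_unknown); '[?]' means DDS found no file data."""
    unknown = entry.rstrip().endswith("[?]")
    body = entry.split(" [", 1)[0]          # drop "[date size]" / "[?]"
    if " --> " in body:                     # "reported --> resolved" form
        body = body.rsplit(" --> ", 1)[1]
    body = re.sub(r"\s+-k\s+\S+$", "", body)  # drop svchost "-k group" args
    return body.strip(), unknown


def suspicious_reasons(path: str, unknown_info: bool) -> list[str]:
    """Heuristics a reviewer applies by eye; each hit is a prompt to inspect."""
    reasons: list[str] = []
    if unknown_info:
        reasons.append("file info unknown ([?]): binary missing or unreadable")
    if "\\" not in path:
        reasons.append("bare filename: DDS could not resolve the image path")
    elif re.match(r"^[A-Za-z]:\\[^:]*:", path):
        reasons.append("second ':' in path: alternate data stream style executable")
    if re.search(r"\\temp\\", path, re.I):
        reasons.append("executable under a Temp directory")
    if re.search(r"(?:^|\\)\d+(?::\d+)?\.(?:exe|dll|sys)$", path, re.I):
        reasons.append("purely numeric image name")
    return reasons


def triage_dds(text: str) -> list[Finding]:
    """Walk the log, keeping section context, and collect flagged entries."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line == ".":
            continue
        if section.startswith("Running Processes"):
            entry = line
        elif section.startswith("SERVICES"):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            entry = m.group(4)
        else:
            continue
        path, unknown = executable_path(entry)
        reasons = suspicious_reasons(path, unknown)
        if reasons:
            findings.append(Finding(section, path, reasons))
    return findings


def main() -> None:
    # Pass a saved dds.txt as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DDS
    for f in triage_dds(text):
        print(f"[{f.section}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```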
 

A: Removed backdoor/morat, wsearch, 0access, need to make sure all systems are go

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/520759 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:
1. If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
2. A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post. Please do this even if you have previously posted logs for us. If you were unable to produce the logs originally please try once more. If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
3. Please tell us if you have your original Windows CD/DVD available.
Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.
Thank you for your patience, and again sorry for the delay.
***************************************************
We need to see some information about what is happening in your machine. Please perform the following scan again:
Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop. DDS.com Download Link
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control can be found HERE.
As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


One of our Point of Sale computers have been infected with Win32.AVKillsvc.e. This was identified by Spybot S&D. When using SuperAntiSpyware Removal we also found Backdoor.0Access. Both reappear even after being removed when running the spyware removal programs again. Please help. Thank you so much.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by POS at 11:37:11 on 2011-09-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2320 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\2736370052:2068768348.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS ... Read more

A:Win32.AVKillsvc.e and Backdoor.0Access Cannot Be Removed

Just an update. Upon rebooting the computer out of Safe Mode, the computer lost connection to our network and the internet.


Hello, my computer recently picked up a couple things, including Backdoor.0Access. I believe Malwarebytes or McAfee removed it, but I want to be sure I'm not still infected, if possible. I've done some scans already (ESET, Microsoft Security Scanner, Kaspersky), and sometimes find something and sometimes don't.  I have also lately been having trouble with Firefox: it tells me that java is out of date, recognizing java version 7 when I only have java version 8 installed; cannot run the "see if your plugins are updated" feature in Firefox unless I permanently disable java; can't connect/log in to some websites. That stuff with Firefox was before McAfee caught the infection. Thanks for helping me ensure my computer is safe again.
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-02-2015
Ran by Mark (administrator) on MARK-PC on 16-02-2015 22:55:36
Running from C:\Users\Mark\Desktop
Loaded Profiles: Mark (Available profiles: Mark & Kids)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(Cisco System... Read more

A:Backdoor.0Access -- do I still have it, or something else?

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Your computer is still infected by ZeroAccess.
 
Please download the following file => and save it to the Desktop.NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
 
Regards,
Georgi


Hey thanks for the response.
And here is the link to the previous topic. Hope this is what you meant. http://www.bleepingcomputer.com/forums/t/507451/infected-backdoor0access-help-with-removal/
 
 
Here is my log from DDS:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Owner at 16:01:55 on 2013-09-11
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8183.1173 [GMT -5:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Ant.com\IE add-on\AntUpdate... Read more

A:Backdoor.0Access Help with Removal

Hi there, my name is Marius and I will assist you with your malware related problems. Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with aswMBR
Please download aswMBR ( 4.5MB ) to your desktop.
Double click the aswMBR.exe icon, and click Run.
There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
When asked if you'd like to "download the latest Avast! virus d... Read more


Hi, First time poster. You provide a great service. I'm usually able to rid most malware but this one has me by the nads. It redirects my browser, and also prevents me from running any anti-virus software. I ran MBAM in safe mode and it said that it removed 2 instances of BackDoor.0Access, but when I reboot (normal startup) its still there. There is a process running named 1406234768:187654572.exe that I cannot remove.

Windows XP Pro 2002 SP3. Here is my DDS.txt. Attach.txt is....well...attached. GMER ran for a bit and then it shutdown while processing...not sure why (think it was at the point of checking drivers?). I have my machine off the net right now.

Best, Eric
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by Estock at 22:50:31 on 2011-09-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.631 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\1406234768:1871654572.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lxctcoms.e... Read more

A:Infected with Backdoor.0Access

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Please download DummyCreator.zip and unzip it.
Run the tool.
Copy and paste the following into the edit box:

C:\WINDOWS\1406234768
Press Create button and post the content of the Result.txt.

Important: Restart the computer.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is... Read more


I am referred to BC by my IT friend who I call whenever I have computer trouble.
I have a Dell DXP061 Dimension 9200, WinXPPro SP3 32bit, 70GB NTFS HD  – 26.6 GB used/ 46 GB free, CA Internet Security Suite\CA Anti-Virus Plus

My issues began when Microsoft Outlook 2007 gave me errors processing email, followed by a Low Disk Space warning, and finally a warning from my ISP that my computer was sending volumes of email to the point that I was to fix it, disconnect it, or lose my internet service. My friend advised me to shut everything down immediately and leave it until he could have a look. I did that.
He had only a short time to look into this before being called away and felt he cleaned up the worst of the issues, but suggested I ask you to have a better look to be sure. He found zeroaccess RK in MBR and in Google Updater. Removal appears to be successful, but he has doubts it is totally gone.
He established this account for me and set notifications as requested. I am no PC wizard but I can follow directions, at your convenience.  Thank You
 
 

A:0Access found removed - we think.. wud like 2 be sure

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Up... Read more


I was sent here from the "Am I infected" forum:
 
http://www.bleepingcomputer.com/forums/t/556321/closed-fake-pop-up-now-cant-access-mbam-or-avg/
 
Because ZEROACCESS appeared in the RKIll log I was told to start a thread here.
 
My DDS.txt is next:
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16584  BrowserJavaVersion: 10.60.2
Run by Derren at 14:28:34 on 2014-11-30
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2012.719 [GMT -8:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Outdated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Outdated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.... Read more

A:ZEROACCESS Backdoor 0access (from "Am I Infected")

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and past... Read more


I took notice of a google redirect, that is how I knew I was infected. I usually can get rid of any virus but this one has me stumped. It killed my AVG, I was able to run Malwarebytes in safe mode, it found and removed the backdoor.0access virus. Now something is keeping me from running Malwarebytes. I installed gmer and ran the scan but as soon as it finds the problem it shuts down and loses the specific path, same as any other virus or malware remover I try. The only thing that finds win32.AVkillsvc.e is Spybot but it won't remove it. I got a dds log and otl log. I tried to run all 3 rkills listed and it still wouldn't allow Malware to run. I found the specific files that Spybot shows are infected but it won't allow me to delete them. I just ran spybot again, it found something attached to my HKs of the windows securitycenter/firewall but when I went to view review reports it shut down and now can't find the specific path to run spybot again. It shut down my windows firewall. I haven't backed anything up yet. I am not sure if any other data is infected and don't want to carry the infection elsewhere.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by uriah at 12:55:36 on 2011-09-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2539 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== ... Read more

A:win32.AVkillsvc.e/ backdoor.0access

Well not to be ignorant because I know everyone that works on here are volunteers but honestly it's been over 24 hours with no reply. I didn't even get a reply from the help bot. Well just to update you all I threw one of my old IDE HDs in and slaved out the SATA so I can connect to the internet and download a good copy of Malwarebytes. Between that and McAfee it found more files infected with backdoor.0access and quarantined them. I am in the process of running more scans to make sure that nothing else was missed. I will update soon with a final report.
EDIT: Please be patient. There are over 130 unanswered topics in this forum at present and the current average wait time to receive help is 5-6 days. ~Budapest


Hello,
 
Here is my original thread in the Am I infected forum: http://www.bleepingcomputer.com/forums/t/493127/question-regarding-mbar/
 
To sum it up, my pc had been a bit laggy for a couple of days and yesterday I noticed one of those "Microsoft antivirus" fake alert popups. Used the tskmgr to kill it and began scanning with various tools. MBAR detected (backdoor.0Access) and removed it.
 
Kept struggling with the lagginess and tried resetting my browsers as both firefox and IE10 were being affected. Tried resetting my router and that helped for sure.
 
Eventually decided to run RogueKiller and it found some registry entries regarding disable tskmgr and what not and I Deleted them.
 
Been on it for an hour or so seeing how things were going with it when I decided to pop back into the above linked thread to give an update.
 
boopme had stopped by and suggested coming over here.
 
My pc has definitely been running better after the steps I had taken in the above linked thread but I doubt I have done an adequate job of cleansing.
 
 
Here is the DDS.txt log:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.21.2
Run by scott at 13:57:15 on 2013-05-02
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4095.2280 [GMT -7:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {C3CCAC61-52F7-A056-1860-6406566E2578}
SP: BullGuard Antispyware *Enable... Read more

A:Backdoor.0Access detected by MBAR

Could you please post the MBAR log, thanks.
Please run the following.
Refer to the ComboFix User's Guide
Download ComboFix from the following location: Link
* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418483 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

A:Backdoor.0access and Trojan.agent

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


I'm sorry if I posted this in the wrong section.
 
I was running some of my anti-virus and anti-spyware programs because I hadn't done so in a few weeks. I decided to install and run MBAR. It found two items for Backdoor.0Access ...I deleted the entries without doing research beforehand on the type of infection that they were. After reading several threads on here, it seems as if I should have consulted here before I deleted the entries? Can someone please assist me with this and confirm if my laptop is still in danger or not?
 
 
From what I can tell (whatever that is worth,) I am not experiencing any blatant computer issues. MBAM and MSE found nothing in their full-scan searches. Additionally, I have not noticed any issues besides simply finding the two Backdoor.0Access entries in MBAR.

A:found Backdoor.0Access with MBAR

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re... Read more


Hi
Just found this website, hopefully i'm in the right forum and I thank you guys for helping people with their computer problems. I recently noticed that my internet home page redirects to Yahoo. I scanned with Malwarebytes Anti-Rootkit BETA V1.07.0.1005. The results were C:\Windows\Installer\{25143fb4-71a8-8726-3250-f1f7e4e3e5e7}\@-->[Backdoor.0Access]
 
It says it cleans up and creates a restore point but it doesn't and the malware shows up again on re-scan. 
 
Again, thanks for your time
 
 

A:Infected Backdoor.0access help with removal

Welcome aboard

ZeroAccess rootkit infection requires elevated help.
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

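Three of the threads above show the same ZeroAccess footprints in raw tool output: the Win32.AVKillsvc.e post's process list contains `C:\WINDOWS\2736370052:2068768348.exe`, the "Infected with Backdoor.0Access" post shows `C:\WINDOWS\1406234768:1871654572.exe` and Gringo's DummyCreator step targets the numeric object `C:\WINDOWS\1406234768`, and the MBAR post reports `C:\Windows\Installer\{25143fb4-71a8-8726-3250-f1f7e4e3e5e7}\@`. In an NTFS name, everything after the colon is an alternate data stream, so the first two forms are an executable hidden behind a numeric-named object that a normal directory listing shows as empty or as a plain file. The script below is an added example, not part of any post and not code from DDS, MBAR or FRST: it takes DDS-style "Running Processes" lines (or any list of paths), strips the trailing arguments, and flags lines matching those forms. The regexes are my own heuristics for exactly the patterns shown on this page, and the sample lines are constructed from the posted process lists rather than captured from one machine.

```python
import re

# Added example (not from the thread or from DDS/MBAR/FRST): flag the
# ZeroAccess-style paths shown in the posts when scanning DDS "Running
# Processes" output or any other list of paths.

# C:\WINDOWS\<digits> with an optional :<digits>.exe suffix. The text after the
# colon is an NTFS alternate data stream, so the executable lives inside a
# numeric-named object that Explorer and plain dir listings do not reveal.
ADS_EXE_RE = re.compile(r"^[a-z]:\\windows\\(\d+)(?::(\d+)\.exe)?$", re.I)

# The C:\Windows\Installer\{GUID}\@ form reported by Malwarebytes Anti-Rootkit.
INSTALLER_AT_RE = re.compile(r"^[a-z]:\\windows\\installer\\\{[0-9a-f-]{36}\}\\@$", re.I)

# Constructed sample: adapted from the process lists posted above plus one
# line in the MBAR-reported form. Not a capture from any single machine.
SAMPLE_LINES = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\2736370052:2068768348.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Windows\Installer\{25143fb4-71a8-8726-3250-f1f7e4e3e5e7}\@
"""


def executable_path(line):
    """Drop DDS-style trailing arguments such as ' -k netsvcs' from a process line."""
    return re.split(r"\s+-", line.strip(), maxsplit=1)[0]


def classify(path):
    """Return why a path looks like a ZeroAccess artefact, or None if it does not."""
    m = ADS_EXE_RE.match(path)
    if m:
        if m.group(2):
            return "numeric-named object under %SystemRoot% running from an alternate data stream"
        return "bare numeric-named object directly under %SystemRoot%"
    if INSTALLER_AT_RE.match(path):
        return "'@' file inside a GUID-named subfolder of %SystemRoot%\\Installer"
    return None


def find_zeroaccess_indicators(lines):
    """Return (path, reason) pairs for every line that matches an indicator."""
    hits = []
    for raw in lines:
        path = executable_path(raw)
        if not path:
            continue
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_zeroaccess_indicators(SAMPLE_LINES.splitlines()):
        print(f"{path}\n    {reason}")
```

A hit from this script is a reason to go to the malware-removal forum with the full logs, as the replies above instruct, not a reason to delete the file by hand: the posts show the rootkit recreating its files after on-demand removal, and the helpers' fixes (FRST fixlists, ComboFix, TDSSKiller) are what actually dealt with it.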

Hi! :-)  
 
I would very much like some advice from those more experienced than I, on what I should do now with my system. I was infected about... 3 weeks ago. Have been struggling with getting things back to normal since then.  I *think* all the malware is gone from my system, but the damage isn't, and I would like to avoid reinfection in future. 
 
- I'm running Windows 7, 32 bit.
 
Please bear with me, as I try to organize/condense the past few weeks of painful experience into some readable form. :-) Sorry... an outline format was the best I could manage. (It's much less convoluted than writing out the whole story in prose form...)
 
1) Approx. Jun 28 - I think? - Initial infection occurred, and after a while I became suspicious... 
Peerblock started blocking apparently random outgoing connection attempts.
So, I attempted to scan with MSE (Security Essentials). But it threw an error for some reason. 
Scanned with MBAM instead - twice, once in Safe mode. No threats found.
Scanned with TDSSKiller. One suspicious file (forged) - MpFilter.sys. Wasn't sure what to do about that, or what it meant.
 
2) Jul 3 - Realized something was *really* wrong; found & removed two threats, 
Googling revealed that the above signs are probable symptoms of a trojan infection - so I immediately disconnected from the net! Yeah, I know, it was a bit late....
Uninstalled MSE by hand (including deleting the suspicious MpF... Read more

A:Need advice - I've removed 0Access from my system, but now what?

Let's take a look at these and see...

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Last....
Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

Please Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results.

Please download AdwCleaner by Xplode onto your desktop.
Close all open... Read more


I've been working on cleaning up an older Windows XP laptop with the advice in another thread on this site. The machine runs pretty well now after having run Malwarebytes Anti-Malware, Junk Removal Tool, AdwCleaner and tidying some things up with CCleaner. MBAM, JRT and AdwC found hundreds of issues that have now been cleaned. Several needless programs were removed, as well as disabling useless startups and scheduled tasks with CCleaner.
 
I attempted to run an ESET Online Scan, but have been encountering proxy issues with it today, so that has not been done. The MBAM scan log revealed multiple items of "Backdoor.0Access", so I was referred to bring it to this sub-forum.
 
I was advised to create a new topic in this section and I have run FRST. The contents of the log are as follows, with addition.txt attached.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:14-05-2016
Ran by Administrator (administrator) on NEO-LAPTOP001 (15-05-2016 18:10:40)
Running from C:\Documents and Settings\Administrator\Desktop\Tools
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry... Read more

A:MBAM found several instances of Backdoor.0Access

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset

Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\mswsock.dll"
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-606747145-1935655697-1177238915-500 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL =
FF Extension: SearchNewTab - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\[email protected] [2016-05-15] [not signed]
FF Extension: Download keaePer - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\[email protected] [2016-05-15] [not signed]
S0 cerc6; no ImagePath
S4 IntelIde; no ImagePath
S3 PCTINDIS5; \??\C:\WINDOWS\system32\PCTINDIS5.SYS [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S2 zumbus; system32\DRIVERS\zumbus.sys ... Read more

Read other 0 answers
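The fixlist in nasdaq's reply is mostly FRST log lines pasted back verbatim, plus a netsh winsock reset for the Winsock catalog entries whose LibraryPath no longer exists. As an added example, not code from the thread or from FRST itself, the following Python script picks those entry types out of a log and emits the fixlist body. The sample log lines are constructed from the shapes above; the searchnewtab.xpi and adblockplus.xpi file names and the healthy R2 Schedule line are assumptions made for the example.

```python
"""Pick out of a Farbar Recovery Scan Tool (FRST) log the entry types that the
fixlist above removes, and build the fixlist body.

FRST deletes an item when its log line is pasted verbatim into the fixlist,
which is why a helper's script is mostly copied log lines plus a few commands.
Added example; not code from the thread or from FRST.
"""
import re

# Line shapes as they appear in FRST logs (see the reply above).
WINSOCK_RE = re.compile(r"^Winsock: Catalog(\d+) (\d+) (\S+) No File\b")
SEARCH_RE = re.compile(r"^SearchScopes: \S+ -> DefaultScope value is missing$")
FF_EXT_RE = re.compile(r"^FF Extension: (.+?) - (.+?) \[\d{4}-\d{2}-\d{2}\](.*)$")
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+); (.*)$")   # R = running, S = stopped


def triage_frst(text):
    """Return [(kind, raw_line), ...] in log order for entries worth acting on."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m_ext = FF_EXT_RE.match(line)
        m_svc = SERVICE_RE.match(line)
        if WINSOCK_RE.match(line):
            # LSP catalog entry whose DLL is gone: breaks name resolution / TCP
            findings.append(("winsock-missing-dll", line))
        elif SEARCH_RE.match(line):
            findings.append(("searchscope-missing", line))
        elif m_ext and "[not signed]" in m_ext.group(3):
            findings.append(("ff-unsigned", line))
        elif m_svc:
            rest = m_svc.group(4).strip()
            if rest == "no ImagePath":
                findings.append(("service-no-imagepath", line))  # orphaned key
            elif rest.endswith("[X]"):
                findings.append(("service-missing-file", line))  # binary deleted, key remains
    return findings


def build_fix_lines(findings):
    """Fixlist body: one winsock reset if any LSP entry is broken, then the raw
    lines, which FRST removes when they appear in the fixlist."""
    lines = []
    if any(kind == "winsock-missing-dll" for kind, _ in findings):
        lines.append("cmd: netsh winsock reset")
    lines.extend(raw for _, raw in findings)
    return lines


# Constructed sample modelled on the log lines above.  The .xpi file names and
# the healthy R2 Schedule line are assumptions for the example.
SAMPLE_FRST = r"""
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
SearchScopes: HKLM -> DefaultScope value is missing
FF Extension: SearchNewTab - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\searchnewtab.xpi [2016-05-15] [not signed]
FF Extension: Adblock Plus - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\adblockplus.xpi [2016-05-15]
S0 cerc6; no ImagePath
S3 PCTINDIS5; \??\C:\WINDOWS\system32\PCTINDIS5.SYS [X]
R2 Schedule; C:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
"""

if __name__ == "__main__":
    print("\n".join(build_fix_lines(triage_frst(SAMPLE_FRST))))
```

The output is the middle of a fixlist only; wrap it the way the helper's script does (restore point, EmptyTemp:, CloseProcesses: at the top), and treat the unsigned-extension and missing-file hits as candidates to confirm, not as an automatic verdict.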
RELEVANCY SCORE 61.6

I make my living by this computer and now it snagged a Rootkit. This has a very bad reputation so I sure hope a kind and knowledgeable soul will help me get rid of it.
My system:
Dual boot XP and 7. The infection is on the XP side, though I haven't checked the other OS.
I use Zone Alarm Extreme.
 
The infection:
A couple of days ago I ran the usual Windows Update. On this occasion the Malicious Software Removal Tool found an object, I think it was called Win32/sirefef. After restart a window titled "zatray.exe - Ordinal not found" popped up. Coincidentally my Zone Alarm (ZA) icon refused to show up in the notification area. I contacted ZA support who informed me that this was a Windows problem not a ZA problem. I then: 
*Ran mbam but couldn't complete the scan (it became very slow so we stopped it)
*Restarted in Safe Mode and scanned using mbam. This time 5 objects were found, all labelled Rootkit.0Access. Three of them were registry entries (HKCU and HKLM), one was in Application Data for Google and another one was in \program files\google\desktop\install... Pressed the button to remove, then
*Restarted into normal mode. The zatray window no longer appeared and ZA came back to life.
*A rescan with mbam, however still showed one Rootkit.0Access.
*Several more cycles of rescans and restarts failed to remove the Rootkit which appears to reside in HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_*202EETADPUG
I also have an external hard drive which was connected to the in... Read more

A:Rootkit.0Access found by mbam but only partially removed

Hello BugsandWormsYum
I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "th... Read more

Read other 30 answers
RELEVANCY SCORE 61.6

Hi,

Thank you for this service. On October 5 2011 I was browsing the internet when AVG antivirus popped up and said threat detected. I didn't write down what it said but it gave a number. I also had a popup, a very official-looking Windows security or firewall alert saying allow or don't allow access, I think of explorer.exe. I don't know if it was real or not; at the time I thought it was but now I think it wasn't, as although it looked official, I don't remember ever seeing it before. This popped up when I tried to run a program or even from IE. Then I noticed that a google search was redirected to a spammy looking page and I think the address was something like splendidsearchsystem dot com.
I then looked for my AVG in the taskbar and it was gone, also, there was no windows notification in the taskbar that I didn't have antivirus. I ran malwarebytes, it ran for a few seconds then shut down, then I couldn't run it again and the mbam.exe icon went from the normal malwarebytes icon to a blank .exe icon. Same thing happened with AVG icons. None of those blanked icons will run, they give a windows alert Windows cannot access the specified file, you may not have the right permissions. I booted into safemode and managed to reinstall malwarebytes and ran it and it found Backdoor.0Access and managed to remove it. However after rebooting into normal mode, all of the problems still existed. I tried running malwarebytes from here and it shut down after a few se... Read more

A:Infected with Backdoor.0Access, AV programs disabled, Google redirects

Good evening. Please download DummyCreator.zip by Farbar from here and save it to your Desktop - you will then need to unzip it.
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the "Extraction Wizard" window that opens, click on Next> and in the next window that appears, click on Next> again. In the final window, click on Finish.
Double click DummyCreator.exe to run the tool.
Copy and paste the following into the edit box:

c:\windows/2744192242

Click the Create button. Make sure you have a copy of Result.txt that should appear once the tool has completed.
Important: Restart the computer and then let me have a copy of Result.txt in your next reply.

Read other 17 answers
RELEVANCY SCORE 61.6

Hello!
 
For the last several times when I ran Malwarebytes, Trojan.Agent.Gen has been found, and I quarantined it each time it was found. At the end of one particular scan, backdoor.0access was listed about 5-7 times along with Trojan.Agent.Gen. By that, I mean that the threats results looked something like this:
Trojan.Agent.Gen
backdoor.0access
backdoor.0access
backdoor.0access
backdoor.0access
backdoor.0access
My laptop has a history of viruses so I'm pretty worried (I was told that it was a zombie once, and someone here helped me to cure it). Lately, Firefox has been taking a while to open, and I reset it after a tab appeared at the bottom of my screen saying, "Firefox seems slow to start..." Not sure if it's related to Trojan.Agent.Gen, but I wanted to mention that just in case. Log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 1.6.0_30
Run by Administrator at 17:13:16 on 2014-05-29
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2037.954 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileD... Read more

A:Trojan.Agent.Gen reappearing in Malwarebytes (plus backdoor.0access appeared 1x)

Hello yesnomaybeidk,

Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Click on the Scan button.
AdwCleaner will begin to scan your computer.
After the scan has finished...
Click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow A... Read more

Read other 13 answers
RELEVANCY SCORE 54.4

Help..... I have an HP Pavilion & PC Doctor was removed, can I D/L that off the web or would it be on my recovery disks??

A:Systems diagnostics was removed

Is this what you wanted? You need to download the one according to your computer build date. What is the model of the HP? I don't recall HP having a Diagnostic called PC-Doctor. That was a Kingsoft Utility and I believe is no longer supported. I would not recommend using it. HP has its own diagnostic utility. It can be reached either by tapping Esc at boot on some laptops or by tapping F9 if shown on the boot screen. Later models with UEFI use the F2 key to reach diagnostics.
 
http://www8.hp.com/us/en/campaigns/hpsupportassistant/pc-diags.html

Read other 1 answers
RELEVANCY SCORE 53.6

Hello, I have installed previous versions of operating systems in the past, such as Vista and Ubuntu, and I have removed them as I did not use them.

My question is: when I boot up my laptop they're still showing up to choose to boot, but they don't boot because they're removed.

Does anyone know how I can remove these from my laptop from the boot-up section and just use Windows 7 as my main priority boot, without waiting 30 seconds or whatever it is for it to load automatically?

Any help would be much appreciated,

Regards Paul

A:Removed operating systems and still there when booting

You can remove these entries with BCDedit... BCDEDIT - How to Use

Read other 4 answers
RELEVANCY SCORE 52

(Please pardon my redundancy - I have posted this to the Customer Care Board and Client Service forums - just hoping to correct what I hope was an accidental change in support policy.)
This is not a technical comment but it is a comment about Dell's Technology Support. Recently the support site for laptops, and I presume other areas though I have not checked, was revised to change its structure. In the process many items were removed notably having to do with drivers for older systems. Even if a system is past warranty that does not remove the responsibility for Dell to continue to provide the most recent (even if old) drivers especially since the cost of doing so is trivial. This is especially the case when Dell is the only source for specific drivers. A specific example is a Dell Vostro 3700 laptop which uses the embedded GPU in the CPU as well as outboard nVidia GPU; the hybrid video architecture is such that NVidia provides no driver and re-directs users to Dell's site. In the case of this specific model, most of the drivers that were present a month ago are now gone.
Dell laptops have two things going for them - good products at a good price and a great support site. This has prompted me to continue focusing upon Dell - e.g. two new 5759's in 2017, and to recommend Dell to colleagues and friends. I have had recent occasion to review some very old systems on HP's support site - all relevant drivers continue to be available. I strongly recommend that Dell c... Read more

Read other answers
RELEVANCY SCORE 52

I started to have my web browser redirect to various spam pages. Microsoft security essentials was killed and I cannot start the service. Any help would be appreciated.

Thanks,
Adam

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by aeglap at 21:29:20 on 2012-08-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4022.2341 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:&... Read more

A:Malwarebytes reports Trojan.Dropper.BCMiner, Rootkit.0Access, and Rootkit.0Access

Please close this thread. I was planning on buying a SSD drive in the near future so I just moved it up.

Thanks,
Adam

Read other 3 answers
RELEVANCY SCORE 51.2

HI - My other computer is now infected. I ran MBAM in safe mode and got this:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.05.09

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC110658 [administrator]

9/5/2012 3:04:53 PM
mbam-log-2012-09-05 (16-11-11).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407178
Time elapsed: 33 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.LameShield) -> Data: C:\Windows\Temp\temp93.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|sqlldlpl (Trojan.LameShield) -> Data: C:\Users\Owner\AppData\Local\sqlldlpl.exe -> No action taken.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> ... Read more

A:Trojan.LameShield, Trojan.0Access, Heuristics.Shuriken, Rootkit.0Access.64

Hello mattsbach! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Win... Read more

Read other 35 answers
RELEVANCY SCORE 51.2

Long story short, I narrowed it down to a corrupted iehelper.dll file, and the winhbt.exe application.. removed both of the offending files, and all seems right with world again.. Is there anything else I should be looking out for?

A:Just removed a backdoor/trojan..

You can run this just to be sure.
We need to check for Rootkits with RootRepeal.
Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror
Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
----------------------------------
Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High
Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

Read other 1 answers
RELEVANCY SCORE 51.2

Hello,

I picked up the backdoor.Tidserve virus some time ago and have been trying various things to get rid of it, and stumbled on a previous post on here (http://www.bleepingcomputer.com/forums/topic317032.html) that had the same issue. The virus has knocked out my internet access, so I have sideloaded the various applications that the previous post recommended.

So far I have:

Run TDSSKiller
Run TFC
Run MBAM (results log below)
Performed a 'netsh winsock reset'
Run ATF in safe mode
Run SuperAntiSpyware in safe mode (results log below), which uncovered and removed 7 critical threats including:
Heuristic.Agent/Gen-Dropper,
Trojan.Agent/Gen-RoboNanny,
Trojan.Agent/Gen-Sirefef,
Rogue.Agent/Gen-Nullo[DLL].

My internet access is still not working, so I can not get online to perform an ESET scan.

Can anybody help me with what to do next? I basically would like to make sure that my laptop is now clean, and how to get back onto the internet?

Thanks in advance.
MBAM Log
---------------------------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.03.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
[administrator]

08/08/2012 18:35:36
mbam-log-2012-08-08 (18-35-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Obj... Read more

A:backdoor.Tidserve NEARLY removed (I think)

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom

Read other 30 answers
RELEVANCY SCORE 50.8

Hi, this is just a question before I make any other moves using the Reatogo XPE disk. I am unfamiliar with all of the diagnostic tools it came with so...
I just needed to know if the OTL scan I want to run will leave things as is,(not change anything on the C: drive) even if something is still wrong (perhaps with one of my userinit. files/keys). Thank you

A:Will an OTL scan in OTLPE disk make any changes to my Operating Systems?

I have never heard of this tool/program, so I cannot comment. However, If you are uncomfortable doing anything then trust your instincts. What are you trying to do?

Read other 12 answers
RELEVANCY SCORE 50.4

Hello. I recently scanned my computer with Avast, Spybot S&D, and Ad-aware. Avast and Spybot found nothing but Adaware found win32.backdoor.rbot (with a TAI of 10). I used Ad-aware to delete it, restarted and ran another scan and it found nothing. I also downloaded the rbot tool from F-secure and it didn't find anything (after Adaware had removed it).

However, from reading old threads on this site, it seems like that may not be enough. In a similar situation, it was recommended that the poster download and run the rdrivrem tool and Ewido. I tried downloading rdrivrem.zip (to be proactive and solve this myself) but Avast said it contained "Win32:Trojan-gen {Other}" and stopped the connection and so I was unsure if that was the correct download location.

One other note, I went through the system startup list in Spybot Tools, and one HK_LM entry was blank and Paul Collins list describes it (among other potential ways) as: "Note - this is not the legitimate _svchost.exe_ process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field"

So at this point I am attaching a log from HJT2.0.2 and hope someone can help me ensure I have removed the trojan/IRC worm especially as that relates to the registry.
 

Read other answers
RELEVANCY SCORE 50.4

Last night, I was on some site that I thought was a legitimate site to watch a tv show online, well, I got infected multiple times. Some of the infections were backdoor trojans, and another one had rootkit in its name.

I ran my malwarebytes (which I had already installed on the computer) and found 28 infections, and told me I had to re-start the computer to possibly complete the removal of infections.

So after re-starting, I ran Spybot S&D, and this detected another 6 infections, which removed all but 1, but the last one may be removed by restarting. So after restarting, I ran Spybot S&D again, and it did not have any detections at all. I also ran Malwarebytes again, and my Avira Anti-Vir protection software and found no infections at all.

Today, I ran Spybot S&D again, and found a Zedo cookie. I googled the Zedo cookie and found that this seems to be less harmful than the other stuff I had last night.
Even though I am not detecting any of the viruses I had last night, I am still not convinced that I have safely removed the harmful infections. Some of the other stuff I found online suggested that I will likely have to reformat my computer.

Can someone please inform me if Malwarebytes and Spybot S&D safely remove backdoor trojans, and give me some feedback?

A:Could I really have safely removed a backdoor trojan?

Hello and welcome, let's do this.
Rerun MBAM (MalwareBytes) like this:
Open MBAM in normal mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.
Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the... Read more

Read other 29 answers
RELEVANCY SCORE 50.4

Can someone please help me? I am not a techy-minded person and I have a trojan in my system folder which AVG or McAfee cannot remove. It is a BACKDOOR-CVT, in the system32 folder.

This is my logfile

Logfile of HijackThis v1.99.1
Scan saved at 14:59:41, on 17/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svc... Read more

A:Solved: Cannot Removed Trojan Backdoor-cvt

Read other 14 answers
RELEVANCY SCORE 50.4

Hello,

I have a system that seems susceptible to malware reinfections. I disabled System Restore and ran Malwarebytes' Anti-Malware, which detected Backdoor.bot infections. I deleted those, then ran ESET Online Scanner, which detected more Win32/Adware.Virtumonde infections. I have attached both log files for your analysis. Thank you in advance for your help.

Since I haven't heard back from anyone in the AntiVirus, Firewall, Privacy Forum, I reposted here. Hope someone will help.
PS. I also ran ATF Cleaner, and then SUPERAntiSpyware in Safe Mode (WinXP), which detected 97 more threats (Rogue.Component/Trace, Trojan.Agent/Gen-PEC, and many Adware.Tracking cookies).

A:Still infected after MBAM removed Backdoor.bot

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5144

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/18/2010 11:46:57 AM
mbam-log-2010-11-18 (11-46-57).txt

Scan type: Quick scan
Objects scanned: 299679
Time elapsed: 23 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\cscard (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\twain_32\cscard\Csphoto.ds (Backdoor.Bot) -> Quarantined and deleted successfully.


[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e2f50eb1e11ed9438528d8c9830ecf64
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antist... Read more

Read other 8 answers
RELEVANCY SCORE 50.4

I seem to have an infection that Malwarebytes calls Backdoor.Agent. It tries to remove it but after the suggested reboot it comes back, after running in normal mode and in safe mode. MS Forefront does not detect it.
One oddity is that the BIOS start-up screen now has the following as the last line of the screen: 05/15/2009-Bear Lake-6A79OFKOC-00
I am running Windows 7 Ultimate X64
The relevant part of the Malwarebytes log:
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.
Last Sunday, Forefront detected and removed "Exploit:JS/Blacole.N" if that's relevant.
Any help would be appreciated.
Thanks for the Bleeping Computer.

A:Backdoor.Agent won't stay removed

Hello veseng
First a note on these backdoor infections.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
To clean it...
Please go here....Preparation Guide, do steps 6 - 9.
Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this top... Read more

Read other 3 answers
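Added example, not part of the thread or of any tool mentioned in it: a Python check of the two Winlogon values that Malwarebytes flagged above. Windows parses both Shell and Userinit as comma-separated lists and starts every entry at logon, so a backdoor normally appends itself after explorer.exe instead of replacing it, and a per-user (HKCU) Shell value does not exist on a stock system at all. The sample values are constructed and the appended path is hypothetical. On Windows the script reads the live values through winreg; elsewhere it audits the sample.

```python
"""Audit the Winlogon 'Shell' and 'Userinit' values for appended programs.

Added example; not code from the thread or from Malwarebytes. Windows reads
Shell and Userinit as comma-separated lists and starts every entry at logon,
so malware usually appends itself after explorer.exe instead of replacing it.
"""
import ntpath
import re

# Stock values on Vista and later; Userinit legitimately ends with a comma.
EXPECTED = {
    "Shell": {"explorer.exe", r"c:\windows\explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}
STOCK_BASENAME = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}
USER_WRITABLE = re.compile(r"(^|\\)(appdata|temp|programdata|users\\public)\\", re.I)


def _normalize(entry, system_root=r"C:\Windows"):
    entry = entry.strip().strip('"').lower()
    return entry.replace("%systemroot%", system_root.lower())


def audit_winlogon_value(name, value):
    """Return [(entry, reason)] for one value; [] means it matches stock Windows."""
    findings = []
    entries = [e for e in (p.strip() for p in value.split(",")) if e]
    if not entries:
        return [("", "value is empty; no shell or userinit would start at logon")]
    for raw in entries:
        entry = _normalize(raw)
        if entry in EXPECTED[name]:
            continue
        base = ntpath.basename(entry)
        if USER_WRITABLE.search(entry):
            findings.append((raw, "runs from a user-writable directory"))
        elif base == STOCK_BASENAME[name]:
            findings.append((raw, f"{base} loaded from an unexpected directory"))
        else:
            findings.append((raw, "unexpected program added to the logon chain"))
    return findings


def audit(values):
    """values: {(hive, name): string}. Returns {(hive, name): findings}."""
    report = {}
    for (hive, name), value in values.items():
        findings = audit_winlogon_value(name, value)
        if hive == "HKCU" and name == "Shell":
            # Stock Windows has no per-user Shell value at all; its presence is
            # how this hijack survives a cleanup that only looks at HKLM.
            findings.insert(0, (value, "per-user Shell override present (absent on a stock system)"))
        if findings:
            report[(hive, name)] = findings
    return report


def read_live_values():
    """Read the real values on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    values = {}
    for hive_name, hive in hives:
        try:
            with winreg.OpenKey(hive, path) as key:
                for name in ("Shell", "Userinit"):
                    try:
                        values[(hive_name, name)] = str(winreg.QueryValueEx(key, name)[0])
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return values


# Constructed sample: HKLM is clean, HKCU\Shell has a hypothetical payload appended.
SAMPLE = {
    ("HKLM", "Shell"): "explorer.exe",
    ("HKLM", "Userinit"): r"C:\Windows\system32\userinit.exe,",
    ("HKCU", "Shell"): r"explorer.exe,C:\Users\user\AppData\Roaming\svchost.exe",
}

if __name__ == "__main__":
    for (hive, name), findings in audit(read_live_values() or SAMPLE).items():
        for entry, reason in findings:
            print(f"{hive}\\...\\Winlogon\\{name}: {entry!r}: {reason}")
```

Run it before and after the reboot on which the cleaner promised to delete the value. If the HKCU entry returns, something still running (a service, scheduled task or Run key) is rewriting it and has to be found first, which is why the reply above treats a backdoor as a rebuild decision rather than a cleanup.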

Hi all, AVG found three lovely backdoor trojans yesterday while I was looking for internship cover letter tips (cruel, right?). I do not have the specific trojan names at the moment as I'm on a different computer since mine isn't really functioning anymore. I can try to get the names of the three perpetrators if necessary.

I've since run AVG, Malwarebytes, and Spybot in safe and normal mode. All three initially found problem files and removed them. I then scanned with them again and they came up clean. I did notice, however, that when AVG first found the three issues it whitelisted one as it was a "critical" function. I haven't seen the file since, so I'm not sure if it might have been cleaned up by Malwarebytes, which I ran immediately after.

Despite having what looks like a clean system, my computer is not running right. Everything freezes and I have to manually shut down within about five minutes of using it in normal mode. I've attached a HijackThis log just in case that helps. I might not have done this correctly... I've always been able to clean these things myself so have never used it. I can run whatever else is necessary though!

Thanks for your help! -kara

-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:37 PM, on 2/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WIND... Read more

A:Removed three backdoor trojans but computer now not functioning well

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will o... Read more

Read other 15 answers

First of all thanks to all the moderators. It is amazing how a dedicated group of people help others solve their problems on a volunteer basis!

Unfortunately some malware made its way onto my Vista system despite running Norton Internet Security 2009. The symptom was a browser redirect to various sites but only when clicking Google search result links. There were no pop-ups. No malware was detected when I did full system scans with Norton Internet Security, Malwarebytes, or Spyware Doctor. However, Dr.Web CureIt found Backdoor.TDSS.115 and deleted one file in windows\system32\drivers\ovfsh...(many random letters).sys. I ran catchme.exe and it reported several suspect registry entries (see CATCHME-LOG below). I deleted all files and registry entries starting with OVFSTH... The browser redirects no longer occur. I ran HijackThis to make sure there is no residual virus. Can someone confirm my system is indeed clean? The HJT log is also posted below.

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 20:24:13
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthomddcipbenxrotburcnkbfmxvrxtpqtu]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system... Read more

A:Is the browser hijack/backdoor completely removed?

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructio... Read more

Read other 2 answers

Good Evening,

The problem started happening yesterday: an employee came to me saying that ESET was deleting his files off the network share, which is connected to the server on a separate partition. When I looked on his computer all the .docx files were changed over to .exe files; ESET keeps saying the files are infected with a w32/Pronny.JG.worm. I immediately disconnected access to the network shares by disconnecting them. After the network shares were disconnected I ran a scan with Malwarebytes (I can post the log file if you would like it); it found Trojan.ZbotR.Gen, Trojan.0Access, Rootkit.0Access. A lot of the files were loaded in the user directory of the employee; they said 2pom/exe, passwords.exe, pron.exe, runme.exe, secret.exe, sexy.exe. I removed all files and rebooted. Computer came up, everything looked good; I checked taskmgr and there were still items running in the processes I believe; I checked msconfig and items were still checked. Unchecked all the items. Ran ComboFix (I can post the log file later as well if you request it). Computer rebooted, seemed like everything was working fine, nice and fast, nothing running in the background, nothing in the user folder. Plugged in, set up the mapped drive to the network share: same exact problem, same exact files infected. Well by this time it was late in the evening; went to sleep thinking the issue was isolated and only one PC was infected. After 9:30 this morning 2 more PCs became infected from accessing the network share. I think I'm getting out of my expertise in dealin... Read more

A:Infected With Trojan.ZbotR.Gen, Trojan.0Access, Rootkit.0Access

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/478489 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

Read other 2 answers
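Added example, not from the thread: a Python scan for the pattern described above, where a worm on a file share replaces .docx files with .exe copies and drops decoy executables. It flags executables on a document share, PE images hiding behind a document extension (checked by the MZ header, not the name), and the decoy names the post lists, then moves hits into a quarantine folder outside the share with the extension neutralised. The share layout is constructed in a temporary directory and the file contents are stub headers, not real documents or malware.

```python
"""Find worm payloads that replaced documents on a file share.

Added example, not code from the thread. Three checks per file: executable
extension on a share that should hold documents, PE magic behind a document
extension, and the decoy names the poster reported. Nothing is executed.
"""
import os
import shutil
import tempfile

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Names listed in the post above as dropped in the employee's user folder.
DECOY_NAMES = {"passwords.exe", "pron.exe", "runme.exe", "secret.exe", "sexy.exe"}


def is_pe(path):
    """True if the file starts with the DOS 'MZ' header every PE image carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_share(root):
    """Return [(path, [reasons])] for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if name.lower() in DECOY_NAMES:
                reasons.append("known decoy name")
            if ext in EXEC_EXT:
                reasons.append("executable on a document share")
            try:
                pe = is_pe(path)
            except OSError:
                pe = False
            if pe and ext not in EXEC_EXT:
                reasons.append("PE image disguised with a document extension")
            if reasons:
                findings.append((path, reasons))
    return findings


def quarantine(findings, qdir):
    """Move each hit into qdir with a trailing '_' so it cannot be double-clicked.

    qdir must lie outside the scanned tree, or the next scan flags the copies.
    """
    os.makedirs(qdir, exist_ok=True)
    moved = []
    with open(os.path.join(qdir, "manifest.tsv"), "a", encoding="utf-8") as manifest:
        for path, reasons in findings:
            dest = os.path.join(qdir, os.path.basename(path) + "_")
            n = 1
            while os.path.exists(dest):          # same name from two folders
                dest = os.path.join(qdir, f"{os.path.basename(path)}_{n}_")
                n += 1
            shutil.move(path, dest)
            manifest.write(f"{dest}\t{path}\t{';'.join(reasons)}\n")
            moved.append(dest)
    return moved


def build_sample_share():
    """Construct a throwaway share (hypothetical files) mirroring the post."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "budget.docx": b"PK\x03\x04" + b"\0" * 16,   # real Office file: zip header
        "budget.exe": b"MZ" + b"\0" * 16,            # worm copy that replaced the document
        "passwords.exe": b"MZ" + b"\0" * 16,         # decoy from the post
        "notes.docx": b"MZ" + b"\0" * 16,            # PE behind a document extension
        "readme.txt": b"plain text",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def new_quarantine_dir():
    return tempfile.mkdtemp(prefix="quarantine_")


def summarize(findings):
    """{basename: reasons} view of scan_share() output, for reports and tests."""
    return {os.path.basename(p): r for p, r in findings}


if __name__ == "__main__":
    share, qdir = build_sample_share(), new_quarantine_dir()
    hits = scan_share(share)
    for path, reasons in hits:
        print(path, "->", "; ".join(reasons))
    print("quarantined:", quarantine(hits, qdir))
    shutil.rmtree(share)
    shutil.rmtree(qdir)
```

Run it with the share unmapped from every client, as the poster did, and again after each workstation is cleaned: the post shows the share re-infecting a cleaned machine the moment it was mapped again. Quarantining does not bring the documents back; restore them from backup or shadow copies.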

My father ran the Malwarebytes Anti-Malware and found 3 viruses on my computer. Trojan.Dropper.BCMiner, Rootkit.0Access and a Rootkit.0Access.64 I need help removing them and I am not computer smart. Here is a DDS log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by Laura at 19:02:33 on 2012-10-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3996.2039 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21dba265e7e67cda\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C: ... Read more

A:Trojan.Dropper.BCMiner, Rootkit.0Access, Rootkit.0Access.64

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

Read other 3 answers

Hi,
 
I am running Windows 8.1 on my Acer Aspire laptop.
 
My Malwarebytes Home Premium detected the Trojan.Agent, Backdoor.Agent.CHGen and Backdoor.Agent.E but after I scanned my PC and not before. I removed them, following this guide from Malwaretips for removing a Trojan.Agent:
 
https://malwaretips.com/blogs/trojan-agent-removal/
 
following the steps below:
 
STEP 1: Remove Trojan.Agent Master Boot Record infection with Kaspersky TDSSKiller
STEP 2: Remove Trojan.Agent virus with Malwarebytes Anti-Malware Free
STEP 3: Remove Trojan.Agent trojan with RogueKiller
STEP 4: Remove Trojan.Agent infection with HitmanPro
STEP 5: Double check for any left over infections with Emsisoft Emergency Kit
STEP 6: Remove Trojan.Agent adware with AdwCleaner
 
After following the guide, it appeared to have removed the Trojan.Agent and the Backdoor agents mentioned from my laptop. However, I would like to know what the items shown in the RogueKiller log are (I did not remove them, since I have not yet ascertained whether they are safe to do so or not). In accordance with the preparation guide, I have attached the FRST and Addition logs, as well as the RogueKiller log I saved. The Addition file was stated as too big to upload here, so will try to do so in a separate post.
 
Basically the RogueKiller log is stating I have suspicious paths and PUMS from my home page and DNS in the registry as well as. It did also originally show suspicious paths and a VT unkno... Read more

A:Trojan and Backdoor agents removed, but other issues could be apparent?

I can't seem to attach my Addition log file as it still says the file was too big to upload?

Read other 44 answers

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:45 AM, on 6/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\DAEMON Tools Lite\DTLite.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webshots\webshots.scr
D:\Programs\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
D:\Programs\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Programs\Hj\Tren... Read more

A:Had a Backdoor.Trojan after I removed it my internet is working too slow

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your ... Read more

Read other 19 answers

However, my mouse keeps getting the spinning circle like it's processing something and I have some weird process running such as 3jnm9v7n and mmc104.exe. Here is a log of my Hijack this:


Code:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:30:01 AM, on 4/21/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\PixArt\Pac207\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\Crystal\AppData\Local\Temp\3jnm9v7n.exe
C:\Users\Crystal\AppData\Roaming\Adobe\plugs\mmc104.exe
C:\Windows\system32\rundll32.exe
C:\Users\Crystal\AppData\Roaming\dwm.exe
C:\Users\Crystal\AppData... Read more

A:My computer said it detected backdoor:win32/cycbot.b and said it was removed

Could O23 Arcsoft Daemon be the culprit?

Read other 7 answers
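Added example, not from the thread: a Python triage of the "Running processes" section of a HijackThis log (DDS lists processes the same way, with arguments). It flags the three things a reviewer looks for in the log above: executables launched from user-writable directories, names that look machine-generated (3jnm9v7n.exe here, or the ovfsth... service name in the catchme log earlier on this page), and Windows binary names running from outside the Windows directory, such as the dwm.exe in AppData\Roaming. The embedded log is a shortened copy of the one posted above; the name heuristic and the directory lists are the example's own assumptions, not anything HijackThis does.

```python
"""Triage the 'Running processes' section of a HijackThis (or DDS) log.

Added example, not from the thread. Heuristics: user-writable launch
directories, machine-generated file names, and Windows binary names that run
from somewhere other than the Windows directory.
"""
import ntpath
import re

SYSTEM_NAMES = {"dwm.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "services.exe", "smss.exe", "rundll32.exe", "taskeng.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.I)   # strip DDS-style arguments
VOWELS = set("aeiouy")


def parse_running_processes(log_text):
    """Return the paths listed after 'Running processes:' until the section ends."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            collecting = True
            continue
        if collecting:
            if not re.match(r"^[A-Za-z]:\\", line):
                break            # blank line or the next section (R0/O4/...)
            paths.append(line)
    return paths


def looks_random(stem):
    """Heuristic for generated names: lowercase alphanumerics with letters and
    digits interleaved (3jnm9v7n) or a long consonant run (ovfsthomdd...)."""
    if not stem.isalnum() or stem != stem.lower():
        return False
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    if transitions >= 3:
        return True
    run = longest = 0
    for ch in stem:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return len(stem) >= 10 and longest >= 5


def triage(paths):
    """Return [(exe_path, [reasons])] for entries that trip at least one heuristic."""
    findings = []
    for path in paths:
        m = EXE_RE.match(path)
        exe = m.group(1) if m else path
        directory, base = ntpath.split(exe)
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("runs from a user-writable directory")
        if base.lower() in SYSTEM_NAMES and directory.lower() not in SYSTEM_DIRS:
            reasons.append("system binary name outside the Windows directory")
        if looks_random(base.rsplit(".", 1)[0]):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((exe, reasons))
    return findings


# Constructed sample: a shortened copy of the log posted in the thread above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows Vista SP2 (WinNT 6.00.1906)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Crystal\AppData\Local\Temp\3jnm9v7n.exe
C:\Users\Crystal\AppData\Roaming\Adobe\plugs\mmc104.exe
C:\Windows\system32\rundll32.exe
C:\Users\Crystal\AppData\Roaming\dwm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

if __name__ == "__main__":
    for exe, reasons in triage(parse_running_processes(SAMPLE_LOG)):
        print(exe, "->", "; ".join(reasons))
```

The heuristics rank, they do not convict: a vendor binary with an unpronounceable name in Program Files is normal, the same name in Temp is not. Anything flagged still needs the usual checks (signature, hash lookup, what launches it), which is what the helper's follow-up scans in these threads do.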

Hi,

I am running a Windows XP SP3. For the last few days, my Symantec Endpoint keeps catching this "backdoor.tidserv inf!' infection, but doesn't do anything to delete or clean it. This pops up regularly several times a day, more if my computer is idle. I have run MBAM, Spybot and several other scans but nothing seems to work. This just keeps popping up. This one is just totally stuck to my laptop.

Any help in removing this and cleaning my computer is totally appreciated.

Thank you.

A:Symantec catches backdoor.tidserv Inf! but infection not removed

Hello, run TDSSKiller. Go to this page and download TDSSKiller.zip to your Desktop. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.

Vista Start logo > All Programs > Accessories > RIGHT-click on Command Prompt and select Run As Administrator. Copy/paste the following bolded command and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If TDSSKiller alerts you that the system needs to reboot, please consent. When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Rerun MBAM (MalwareBytes) like this: Open MBAM in normal mode and click the Update tab, select Check for Updates; when done click the Scanner tab, select Quick scan and scan (normal mode). After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Read other 4 answers

Hi there

I have had a raft of infections on my windows XP professional PC the last few days...
Trojan.zeroaccess
Trojan.zeroaccess.A
Trojan.zeroaccess.C
Trojan.midhos
Trojan.winlock.P
SecShieldFraud!gen7
and more I didn't write down

I have Symantec anti-virus and Malware bytes, both of which were up to date and ran the day before this happened.

It's all a bit of a blur but when it first happened, symantec was picking up infection after infection and eventually told me to restart which I did.

From then on my CPU was running at 100%, symantec would not open, google results in IE were clicking through to spam sites, more and more trojans were being discovered by malware bytes. Also I could not run the trojan.zeroaccess removal tool I downloaded

I tried to do a system restore but the only restore point was after the attack. i restarted in safe mode and ran malwarebytes. When I restarted again I was able to run Symantec and malwarebytes again which both got rid of more trojans

The situation now is that my CPU is back to normal and symantec/malware bytes are returning clear scans.
Things seem fine except a couple of red flags.... Google links in IE click through to spam sites sometimes but not always, and all my cookies have disappeared so I have to type in ALL my registration details for each website I visit so I'm worried there's a keylogger in place.

Is there something I can do please to check if there's a keylogger or backdoor in place please?

M... Read more

A:Loads of trojans - seem to have been removed but worried a keylogger/backdoor remains

Download TDSSKiller
Launch it. Click on change parameters - select TDLFS file system. Click on "Scan". Please post the LOG report (the log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download the latest Avast! virus definitions. Click the "Scan" button to start the scan. After the scan finishes, click on Save log. Post the log results here.

Download ESET online scanner
Install it. Click on START, it should download the virus definitions. When the scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.

Read other 20 answers

Hello! I want to thank you in advance for your help. I suppose this is just me being paranoid, but considering this is a backdoor.bot that Malwarebytes picked up yesterday, I just want to make sure that it's been completely removed from my laptop, since this is my main computer and I do most everything on here.

I received one of those pop-up messages yesterday that told me it detected some critical processes running on my computer and that it would like to run a scan of my system. I started task manager and ended Firefox to close all windows (including the pop-up). A scan with Microsoft Security Essentials turned up nothing, but when I ran Malwarebytes, it showed that I was infected with the "backdoor.bot". I had MBAM remove the file, then downloaded the trial version of Kaspersky 2011 AV to get a second opinion. Upon restarting and running both Kaspersky and MBAM again, both scans turned up clean. However, I'm still paranoid that my laptop is still compromised.

Any suggestions?

I'm using a Sony VAIO laptop with Windows 7 OS.

Thanks again!

A:MBAM detected and removed backdoor.bot - now seeking verification that it's completely gone

Please post the complete results of your MBAM scan for review (the one which detected the backdoor.bot).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM. Click the Logs Tab at the top. The log will be named by the date of scan in the following format: mbam-log-date(time).txt
-- If you have previously used MBAM, there may be several logs showing in the list.
Click on the log name to highlight it. Go to the bottom and click on Open. The log should automatically open in notepad as a text file. Go to Edit and choose Select all. Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there. Come back to this thread, click Add Reply, then right-click and choose Paste. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Did you remove Microsoft Security Essentials before installing Kaspersky? Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource managemen... Read more

Read other 7 answers

Hi, I followed your instructions for removing ne0ks.exe and want to make sure it is gone. I also tried to follow a previous post for cleaning the flash drive (memory stick) and was unsuccessful, so would like help with that. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:53 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\dr... Read more

A:Want To Make Sure Removed Ne0ks.exe

Hello writeway,

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems please post a fresh HijackThis log and we can begin the cleaning process.

Regards,

Read other 3 answers

Hi,
My computer was a little slower than usual so I ran Spybot S&D first and it found nothing. But then I ran Ewido Anti-Spyware 4.0 Micro Scanner and it found traces of "Cool Web Search" and Adware.BHO, so I let it remove the adware from my PC. Then I ran Ad-Aware SE Personal and it found traces of adware and I let it also remove the traces it found... But I just want to make sure that they will be removed completely, because when I look online to get info on "CWS" it says it is really hard to remove, and I just want to know if I should try something else too like CWShredder or something to make sure it is gone for good.
Thanks In Advance

A:I Want To Make Sure Cws Is Removed How Do I Completly Get Rid Of It

Run CWShredder from Trend Micro, and download and run SuperAntiSpyware:
http://www.superantispyware.com
http://www.intermute.com/spysubtract/cwshr...r_download.html

Read other 2 answers

Got hit with one of the MoneyPak viruses today and removed it with MalwareBytes and then another trojan with Emsisoft Emergency Kit. Computer's still acting less responsive than before though, so I want to be sure I've got everything cleaned out.

I'm running Windows 7 Home Premium on an Acer Aspire. I've been sticking to Safe Mode with Networking as much as possible now until I can be mostly positive I've gotten this thing clean again.

It's been awhile since I last posted here, so I'm not sure what other info you need or if you still do HijackThis logs, or something new now, or what. So just tell me what you need and I'll provide it.

A:Removed MoneyPak, Want to Make Sure Everything's 100%

Hello, welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
DDS.pif
DDS.COM

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.
Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed... Read more

Read other 7 answers

Original posting

Hello! I previously posted the following description of the problems that this Windows 7 machine is having. I am unable to access any web page beginning with http: from the machine, however it does allow addresses beginning with https:. I am unable to update to the most recent version of Malwarebytes as well.

After multiple Malwarebytes scans & attempts to remove by rebooting, it keeps finding two objects:
Trojan.Agent File C:\\Windows\svchost.exe
Trojan.Agent Memory Process C:\\Windows\svchost.exe 3276

McAfee also keeps detecting and quarantining a trojan:
McAfee detected and automatically removed a Trojan from your PC. No further action required.
About This Trojan
Detected: Generic BackDoor!gf (Trojan)
Quarantined From: C:\USERS\LANDONLAPTOP\APPDATA\ROAMING\838A6\lwm.exe

McAfee detected and automatically removed a Trojan from your PC. No further action required.
About This Trojan
Detected: Generic BackDoor!gf (Trojan)
Quarantined From: C:\USERS\LANDONLAPTOP\APPDATA\ROAMING\D4B83\5ADEE.exe

I have run the programs listed in the preparation guide with the exception of the GMER logs, since it is a 64-bit version. (I am transferring files on a flash drive, since I'm unable to access the site directly from the infected computer.) Thank you so much for any help in getting rid of these!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17... Read more

A:Trojan.Agent not removed on reboot, BackDoor, http web pages not displaying

Hello, welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Remove the proxy settings. In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:60485 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".

===

If you use Firefox: in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings, select the Auto-detect proxy settings for this network option, or no proxy if you do not need it.

===

Please download TDSSKiller.zip >>> Double-click on TDSSKiller.exe to run the application. Click on the Start Scan button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
If no reboot is required, click on Report. A log file will appear. Please copy... Read more

Read other 11 answers
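Added example, not from the thread: a Python parser for the WinINET proxy values behind the IE dialog the reply above walks through. The 127.0.0.1:60485 reference lives in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings as ProxyServer and takes effect when ProxyEnable is 1. ProxyServer is either "host:port" for every protocol or a "scheme=host:port" list, and a proxy registered for http only fits the poster's symptom, since https requests bypass it. The sample settings are constructed around the address in the reply; the ephemeral-port threshold is the example's own assumption. On Windows it reads the live values through winreg.

```python
"""Parse WinINET proxy settings and flag a loopback proxy hijack.

Added example, not code from the thread. Checks ProxyEnable/ProxyServer and
AutoConfigURL from HKCU\...\Internet Settings for proxies that point back at
the local machine or at an ephemeral port, which is what a malware-installed
proxy looks like.
"""
import ipaddress

DYNAMIC_PORT_START = 49152   # assumption: real proxies listen on fixed low ports


def parse_proxy_server(value):
    """Map ProxyServer text to {scheme: (host, port)}; '*' means all schemes."""
    result = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # plain 'host:port' form
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given
            host, port = hostport, ""
        host = host.strip().strip("[]").lower()   # allow [::1]:8080
        result[scheme.strip().lower()] = (host, int(port) if port.isdigit() else None)
    return result


def is_local_host(host):
    """True for loopback, unspecified and link-local addresses and 'localhost'."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def audit_proxy(settings):
    """settings: {'ProxyEnable': int, 'ProxyServer': str, 'AutoConfigURL': str}.

    Returns a list of human-readable findings; [] means nothing odd.
    """
    findings = []
    if settings.get("ProxyEnable", 0) == 1:
        for scheme, (host, port) in parse_proxy_server(settings.get("ProxyServer", "")).items():
            if is_local_host(host):
                findings.append(f"{scheme} proxy points at this machine ({host}:{port}); "
                                "a process on the PC is intercepting that traffic")
            elif port is not None and port >= DYNAMIC_PORT_START:
                findings.append(f"{scheme} proxy {host}:{port} uses an ephemeral port")
    pac = settings.get("AutoConfigURL", "")
    if pac:
        target = pac.split("//", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        if pac.lower().startswith(("file:", "data:")) or is_local_host(target):
            findings.append(f"proxy auto-config script served locally: {pac}")
    return findings


def read_live_settings():
    """Read the current user's values on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    out = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
                try:
                    out[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return out


# Constructed sample built around the address quoted in the reply above.
SAMPLE = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:60485"}

if __name__ == "__main__":
    for finding in audit_proxy(read_live_settings() or SAMPLE) or ["no proxy findings"]:
        print(finding)
```

Clearing the value fixes the browser but not the cause: the process that listened on that port was installed by the same infection, so the proxy check belongs after the TDSSKiller and Malwarebytes passes the reply prescribes, as a way to confirm nothing re-created it.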

Ok, my brother got the FBI virus. I have downloaded and run ComboFix, RogueKiller and Malwarebytes, all from safe mode. I do not get the FBI warning any longer but I want to make sure I really have removed the virus.
How can I check to make sure it is gone?
Thank you so much!
Senna
 

Read other answers

http://hjt.thegreatchai.com/?log=5c950aa076f4edb6972aa75b83823f7e

There's my HJT log. Basically I removed some spyware on my bro's PC running Vista x32; just want to make sure it's clean. Thanks.
 

A:Just removed some spyware, want to make sure its kaput

Just a friendly bump
 

Read other 3 answers