
Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Q: Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Hello Bleeping!
A few days ago I removed Norton AV and installed MSSE. MSSE detected Trojan Dropper: Win32/Sirefef.B and Rogue:Win32/FakeRean. For the past two full system scans MSSE has detected and removed the dropper, and the last scan (last night) detected the Fake Rean. The MSSE removals don't appear to be effective against the dropper. Another peculiar thing, when I installed MSSE a few days ago, it told me my firewall was not up, but when I go into MS Security Center it says that the firewall is "ON". Not sure if perhaps the Norton AV removal maybe wasn't complete and that I am getting "false positives", or if something is really there. My logs are as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by Eric at 16:37:09 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2216 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Netropa\OSD.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080207
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Norton Safe Web Lite BHO: {f0da78e9-6b60-42fb-bc26-ef2cfb8c8ff3} - c:\program files\norton safe web lite\engine\2.0.0.16\coIEPlg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\2.0.0.16\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208020441859
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FBEDF011-0443-48F2-8874-74C0DDAC314C} : DhcpNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\eric\application data\mozilla\firefox\profiles\6cs4x2qg.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
R1 ccSet_NST;Norton Safe Web Lite Settings Manager;c:\windows\system32\drivers\nst\0200000.010\ccSetx86.sys [2012-1-12 132744]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2012-1-14 67584]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-27 652360]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\2.0.0.16\ccSvcHst.exe [2012-1-12 138760]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [2008-4-25 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [2008-4-25 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [2008-4-25 9024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-27 20464]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-7-4 18560]
S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [2009-9-26 39552]
S4 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S4 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
.
=============== Created Last 30 ================
.
2012-02-09 06:40:36 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-02-09 06:40:25 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a4b7afe4-7144-4794-87e7-79df9342ff34}\mpengine.dll
2012-02-09 00:14:55 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-09 00:13:07 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-30 01:23:19 -------- d-----w- c:\program files\SpywareBlaster
2012-01-30 01:18:02 -------- d-----w- c:\documents and settings\eric\application data\WinPatrol
2012-01-30 01:17:54 -------- d-----w- c:\program files\BillP Studios
2012-01-30 01:17:54 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-01-30 01:08:17 -------- d-----w- c:\program files\iPod
2012-01-30 01:08:14 -------- d-----w- c:\program files\iTunes
2012-01-30 01:08:14 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-01-30 01:05:14 -------- d-----w- c:\program files\Bonjour
2012-01-28 03:06:49 -------- d-----w- c:\program files\ESET
2012-01-27 22:33:09 388096 ------r- c:\documents and settings\eric\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-27 22:33:08 -------- d-----w- c:\program files\Trend Micro
2012-01-27 22:05:53 -------- d-----w- c:\documents and settings\eric\application data\Malwarebytes
2012-01-27 22:05:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-27 22:05:37 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-27 22:05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-27 21:57:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-26 22:19:08 -------- d-sha-r- C:\cmdcons
2012-01-17 03:41:18 -------- d-----w- c:\documents and settings\eric\application data\Systweak
2012-01-15 07:20:49 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-01-15 07:20:48 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-01-15 07:18:05 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-01-15 07:17:07 60416 ------w- c:\windows\system32\dllcache\packager.exe
2012-01-15 07:09:46 -------- d-----w- c:\windows\ie8updates
2012-01-15 07:09:08 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-15 07:09:06 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-15 07:09:06 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-15 06:16:06 -------- d-----w- c:\documents and settings\eric\local settings\application data\FixItCenter
2012-01-15 06:13:49 -------- d-----w- c:\windows\MATS
2012-01-15 06:13:48 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-01-15 05:33:02 -------- d-sh--w- c:\documents and settings\eric\PrivacIE
2012-01-15 03:32:40 -------- d-----w- c:\program files\iolo
2012-01-15 03:32:40 -------- d-----w- c:\documents and settings\all users\application data\iolo
2012-01-15 03:32:39 -------- d-----w- c:\documents and settings\eric\application data\iolo
2012-01-15 01:59:42 -------- d-----w- c:\documents and settings\eric\application data\ElevatedDiagnostics
2012-01-14 14:52:12 -------- d-----w- c:\documents and settings\eric\local settings\application data\Safe mirror
2012-01-14 14:51:32 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-14 13:41:15 -------- d-----w- C:\sh4ldr
2012-01-14 13:41:15 -------- d-----w- c:\program files\Enigma Software Group
2012-01-14 05:54:32 -------- d-----w- C:\BEER
2012-01-14 05:53:26 -------- d-----w- C:\Shooting & Hunting Related
2012-01-14 05:52:13 -------- d-----w- C:\PREP
2012-01-14 05:38:10 -------- d-----w- C:\PICTURES
2012-01-14 05:11:59 -------- d-----w- C:\Pron
2012-01-14 04:23:58 -------- d-sh--w- c:\documents and settings\eric\IECompatCache
2012-01-14 00:28:39 -------- d-----w- c:\documents and settings\eric\local settings\application data\NPE
2012-01-13 03:29:38 132744 ------r- c:\windows\system32\drivers\nst\0200000.010\ccSetx86.sys
2012-01-13 03:29:35 -------- d-----w- c:\windows\system32\drivers\nst\0200000.010
2012-01-13 03:29:35 -------- d-----w- c:\windows\system32\drivers\NST
2012-01-13 03:29:34 -------- d-----w- c:\program files\Norton Safe Web Lite
2012-01-13 03:01:16 -------- d-----w- c:\program files\NortonInstaller
2012-01-11 16:28:43 -------- d-----w- c:\documents and settings\eric\local settings\application data\Symantec
.
==================== Find3M ====================
.
2012-01-30 01:13:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-27 21:56:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-25 21:57:19 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ------w- c:\windows\system32\schannel.dll
.
============= FINISH: 16:38:18.96 ===============

I could not completely run GMER. I get an error message and it freezes. The error message says: "Windows was unable to save all the data for the file \Device\HarddiskVolume2\Windows\System32\Config\AppEvent.Evt. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere." A partial log is attached.
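A triage helper for the SERVICES / DRIVERS section of a DDS log like the one posted above, added here as an example; it is not part of the post or of the DDS tool. It assumes the line layout DDS prints in that section (R/S for running/stopped plus a start-type digit, then name;display name;path [date size], or "registry path --> resolved path [?]" when DDS could not find the file); the four sample lines are copied from the post's own log, and the user-writable directory list is a constructed assumption covering XP and later Windows layouts.

```python
"""Flag SERVICES / DRIVERS entries in a DDS log that a reviewer should look at first."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: four lines lifted from the DDS log in the post above,
# wrapped in the section headers DDS prints.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S4 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S4 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
.
=============== Created Last 30 ================
"""

# DDS start-type digit: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Directories a non-admin user (or a dropper running as one) can write to.
# Assumption for this example: XP "Documents and Settings" plus the Vista+ equivalents.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\programdata\\")

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str          # lower-cased path; the resolved one when DDS printed "-->"
    file_found: bool   # False when DDS printed "[?]" instead of a date and size
    date: Optional[str] = None
    size: Optional[int] = None


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for separators and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if "-->" in path:
        # DDS shows "registry path --> resolved path"; keep the resolved one.
        path = path.split("-->", 1)[1].strip()
    meta = m.group("meta").strip()
    found = meta != "?"
    date = size = None
    if found:
        parts = meta.split()
        if len(parts) == 2 and parts[1].isdigit():
            date, size = parts[0], int(parts[1])
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        running=m.group("state") == "R",
        start_type=START_TYPES.get(m.group("start"), m.group("start")),
        path=path.lower(),
        file_found=found,
        date=date,
        size=size,
    )


def parse_services_section(log_text: str) -> List[ServiceEntry]:
    """Return the entries between the SERVICES / DRIVERS header and the next header."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("="):
            in_section = "SERVICES / DRIVERS" in line
            continue
        if in_section:
            entry = parse_entry(line)
            if entry:
                entries.append(entry)
    return entries


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map service name -> reasons to review it; services with nothing notable are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if not e.file_found:
            reasons.append("registered driver whose file is missing on disk (leftover or removed component)")
        if any(marker in e.path for marker in USER_WRITABLE):
            reasons.append("binary loaded from a user-writable directory")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_services_section(SAMPLE_LOG)).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample above this reports the esgiguard driver (file missing, the SpyHunter remnant in the post's log) and the Rapport extension loaded from All Users\Application Data; both are review prompts, not verdicts.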


A: Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

- Do not run any other tool until instructed to do so!
- Please do not attach logs or put them in code boxes.
- Tell me about any problems that have occurred during the fix.
- Tell me of any other symptoms you may be having, as these can help also.
- Do not run anything while running a fix.
- Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
- Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

- You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).
- Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
- Combofix may need to reboot your computer more than once to do its job; this is normal.
- You can download Combofix from one of these links: Link 1, Link 2, Link 3.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
- Log from Combofix
- Let me know of any problems you may have had
- How is the computer doing now?

Gringo


Hi, here is my problem. Every time I download some movies or other things by leaving my computer on overnight, an error window pops up that says:

C:\Documents and setting\KkianN\Desktop is not accessible. Not enough quota is available to process this command.

The only icons left on my screen were My Computer, My Network Places and Internet Explorer. When I refresh my computer, the same message comes out again. (This problem occurred when I left my computer on overnight using the software Thunder5 to download things.) When I tried to shut down, a message said "You do not have permission to shut down this computer." When I tried to use Windows Task Manager to shut down, once I clicked Ctrl+Alt+Del an application error message came out that said:

This application failed to initialize properly (0xc000012d). Click on OK to terminate the application.

Then I can only reset my computer. Actually I have posted in BleepingComputer.com > Security > Am I infected? What do I do? there. Then I followed the instructions in "Preparation Guide For Use Before Posting A Hijackthis Log". Unfortunately, I can't finish all the steps there. For step 4, I can't remove win32.generic.pws, win32.trojan.psw.delf and Win32.trojan.pws.onlinegames by using Ad-aware 2007. While scanning by using Spybot, it got stuck while scanning. After that a window suddenly popped up that said:

Spybot-Search and Destroy has detected an important registry entry that has been changed. Category: System Startup global entr... Read more

A:Infected With Dropper.agent,logger.pcap.a,win32.generic.pws,win32.trojan.psw.delf And Win32.trojan.pws.onlinegames

Hello, I had reformatted my computer since it could not open and stuck in the welcome window few days ago. So, now my computer is alright..thanks for viewing and trying to help me to fix the problem.


I have been clearing a computer of numerous infections. I uninstalled the outdated (since 2006) McAfee AV. I have installed Microsoft Security Essentials, MBAM, and SuperAntiSpyware. I used this combination as well as several online scanners to remove over 150 infections. Every time I run a scan with SAS, the log comes back with the following infections:

Trojan.Dropper/SVCHost-Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SVCHOST.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SVCHOST.EXE
Trojan.Agent/Gen-FakeAlert
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE

Microsoft Security Essentials pops up during the scan with the following infection:

Trojan Downloader: Win32/Unruy.D C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5FFFA500B1B}\SMSS.EXE

I created a new restore point and deleted all previous points, yet these infections still remain. I was receiving help from another moderator who had me try several things before directing me here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/318510/cannot-remove-trojan/ ~ OB

I am posting the DDS log, GMER log, and attaching the attach.txt file. Thank you in advance for any and all help you can provide.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Phillips at 14:21:21.10 on Tue 05/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.796 [GMT -4:00]
AV: Microsoft Security Essentials *... Read more

A:Infected with: Trojan.Dropper/SVCHost-Fake,Trojan.Agent/Gen-FakeAlert, & Trojan Downloader: Win32/Unruy.D.

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


Fool that I am, I tried to torrent a program (I know, I know), and now my browser (Chrome) redirects to 'www.trovi.com.' I read the comments for the torrent file a little closer, find somebody's antivirus pinged 'trojan Dropper Win32/Sirefef.B'. 
 
I followed Microsoft's removal instructions to no avail. I've updated and run Microsoft Security Essentials, Microsoft Safety Scanner and Malwarebytes, none of them pick this thing up. Please help!

A:Virus! Maybe trojan Dropper Win32/Sirefef.B. Please help!

Hello and welcome ZRR

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
...
ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin... be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
After reviewing the log, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy a... Read more


Hi, my father got a trojan dropper win32/sirefef.b virus the other day.
So far the internet connection is knocked out; it shows all 0's for the IP address, and in Network Connections the message there says "connecting".
Also, the Windows Firewall is disabled and won't enable.
Remote Procedure Call (RPC) Locator is stopped in Services and won't restart.

OK, some new info here, so I will edit it in.
I did a right-click on My Computer, then Manage, Services and Apps, then Services, found the RPC Locator disabled, so I set it to Automatic and started it; it did fine. Rebooted, but still find the following problems:

However, DHCP Client was on Auto but won't start. When I try to start it I get
error 1075, the dependency service does not exist or is marked for deletion.
Windows Firewall/Internet Connection Sharing is on Auto but won't start. When I try to start it I get
error 10050, socket operation encountered dead network.

Would the Windows repair feature on a Windows install disk get it back up and running?
Or is it time to reinstall?

Question? I found in Services something called "Remote Registry", which allows a remote user to alter the registry, how convenient. It was set to Automatic. I set it to Disabled. Not sure if that is the first thing a hacker would change if trying to gain access. Am I correct that it should be set to Disabled unless you have a bona fide remote assist in progress?

A:trojan dropper win32/sirefef.b , no internet connection

can i have some help, please?


After starting the laptop, a (hidden) host.exe is consuming a lot of resources until it crashes. I can see and kill it with Process Explorer from Sysinternals.
I can't activate Windows Firewall, Malwarebytes shows an error at computer start-up, and more...

When I start GMER it shows an error, it is attached.

Here the logs of DDS and GMER:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_23
Run by sebastian at 16:41:18 on 2012-03-19
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.54.1033.18.2925.1107 [GMT -3:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Program Files\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.ex... Read more

A:trojan-Dropper.win32.injector.ciwr | trojan.win32.agent2.faav | Virus.Win32.ZAccess.q

Hello sebamobile, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.


My ESET Smart Security found "Win32/Olmarik trojan" but is unable to remove it. I have noticed that my Google searches are often redirected. SuperAntiSpyware reports this trojan: trojan.dropper/svchost-fake (C:\\Windows\Temp\CPLJ.Temp\SVCHOST.exe). I have tried using Ad-Aware, Spybot Search and Destroy, SuperAntiSpyware, a-squared, malaware, ActiveScan, and ESET Smart Security. None of them have worked.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathan at 14:55:11.60 on Tue 03/23/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3582.1972 [GMT -4:00]
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WUDFHost.... Read more

A:win32/olmarik - trojan.dropper/svchost-fake

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you let... Read more


Got infected with some malware through an email.  Ran multiple scans of Microsoft Security Essentials, which did nothing and then ran Malwarebytes several times and it eventually said that Win32/Zbot was gone.  The computer was still not operating properly....lots of popups with popup blocker on and just generally slowly and poorly.  I was unable to open any of my Adobe PDF files, but reloaded Adobe reader and that now appears okay.  Word documents are fine too.  Even though the scans say I'm not infected another window opened up and said I was infected with Rootkit.Sirefef.Spy and Trojan. Fake AV.  I then ran Malwarebytes' Beta Rootkit tool and it said that my computer was clean also.  I don't believe it is because I'm having all sorts of slow downs, popups and the like.  Any help or suggestions would be appreciated.
 

A:Win32/Zbot removed, now Rootkit.Sirefef.Spy and Trojan.Fake AV

Hello wahoo, let's also do these and see.
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here....
ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right... Read more


I believe I was infected last night when a website somehow redirected me to liteautogreatest{dot}cn.
I'm running XP Home SP3 and the ZoneAlarm Internet Security Suite (just updated earlier today).
ZoneAlarm continually finds a couple of problems and hibernates them but they do not go completely away after a reboot.
The ZoneAlarm active monitor scan shows the following...
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNB.tmp on 4/20/2009 13:29:22
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNA.tmp on 4/20/2009 13:23:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN9.tmp on 4/20/2009 13:17:40
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN8.tmp on 4/20/2009 13:14:30
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN7.tmp on 4/20/2009 13:07:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN6.tmp on 4/20/2009 13:02:40
Rootkit.Win32.Agent.ikz was found in C:\WINDOWS\system32\drivers\systemntmi.sys on 4/20/2009 12:57:48
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\T... Read more

A:Infected with Rootkit.Win32.Agent.ikz, Trojan-Dropper.Win32.Agent.amzh, Trojans? Malware?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link
Then download and install SUPERAntiSpyware Free
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, re... Read more


Hi,Please help me in getting rid of the pop ups which keep coming up.trojan downloader win32 agent bqtrojan clicker win32 tiny htrojan spy win32 key logger.aatrojan spy win32 green screentrojan spy html bankfraud.dqHijakThis log file.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 15:00:40, on 9/8/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Hewlett-Pac... Read more

A:Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:Preparation Guide For Use Before Posting A Hijackthis LogPlease also post the problems you are having.


Hello,
My computer became infected last night, and it's pretty bad. I became infected with Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more). Long story short, I'd just watched Harry Potter on dvd, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.
The virus listed by Defender was Trojan:Win32/Alureon.BT. Avast listed Win32:Jifas-CY, I didn't get the others in time.
The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.
I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since windows now thinks I have no anti-virus installed.
All of these trojans are listed as "server" and "high risk." I'm not sure a root kit didn't try to make its way in too.
EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The Viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the Viruses we... Read more

A:Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t

Hello again.
I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite it says when you log into the limited user account). The computer (and especially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?
Should I scan from a Pre-install environment like BartPE? Or from the Regular "Owner" Admin account? I waited 2 days for the stupid program to scan 700gb (painfully slow for a quad core, though to be expected in safe mode), and it was useless.
Other than running windows defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIT and Combofix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.
Does no one have any ideas???


When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings.

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

A:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more


Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, it keeps reappearing. It shows a file location that I am unable to find on my system C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n However, this file cannot be located either. There is no C:\Windows\Install directory.
Also Combofix loads and starts then it crashes. Disappears from file manager and splash screen disappears -- The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSp... Read more

A:Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE:... Read more


Hello,
I've made several attempts to clear a trojan/virus infection from my computer using previous posts on this forum, but have been unsuccessful. It started with an alert popup from Windows Security Essentials saying that it detected threats (which I tried to remove using that program - it would say it was clean for a while and then pop up again) and my yahoo and google searches redirecting to invalid pages. I followed directions from another post and went into safe mode and used TDSS Killer, Malwarebytes and Super Anti-spyware - all three programs found threats, removed them, and now come up clean when I run them. I have rebooted after each scan and removal. However, the Windows Security Essentials is still popping up showing threats detected. When I click on the details screen it shows "trojan:win32/sirefef.S, trojan:win64/sirefef.E, and trojan:win64/sirefef.D" as the threats. The yahoo/google searches are no longer redirecting, but the internet is running much slower than usual. I would really appreciate any help that you could offer in removing them! Thanks in advance.
Below is the dds text and the attach and ark texts are attached.
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Michele at 11:47:12 on 2011-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.183 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA... Read more

A:Infected with Trojan:win32/sirefef.s

Hello and Welcome to the forums!
My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more


Hello,

I followed the instructions posted for removing the so-called Windows XP Security 2012 virus last week. However, other viruses seem to have taken its place. ESET is continuously blocking attacks, and when it performs a scan, it claims there to be a threat in the memory ( a variant of Win32/sirefef.DT trojan) that cannot be cleaned.

I followed the instructions in the preparation guide, but could not actually run the dds.scr scan -- when I double-click the icon, the window blinks and disappears. Further, I tried running GMER scan twice. The first time, the scan aborted after about 5 minutes - the entire program simply closed down. The second time was going very well, but about 5 hours into the scan, I got the "WARNING! about rootkit activity" message. I clicked OK, and the log up to that point disappeared entirely before the scan was finished, and before I could save/copy it.

Other symptoms I am now experiencing is an occasional Google redirect, and subsequent connectivity problems.

Thanks in advance for all of your help.

A:Infected with Win32/Sirefef.DT trojan, among others

Hi,
Please do the following:
Download OTL to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users
Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs
NEXT
Please download aswMBR to your desktop.
Double click the aswMBR.exe icon to run it
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well


Do not know how to remove.
DDS scan files attached.
Thank you!

A:Infected with Trojan:win32/sirefef.AB

Hello sltmfla, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more


Several months back my mother's netbook was infected with ZeroAccess. I was able to clean that off and it ran fine for awhile. Then all the icons on the desktop disappeared again, there is no network (wired or wireless) and after every reboot Microsoft Security Essentials detects and quarantines an instance of Trojan:Win32/Sirefef.AH. Nothing else has been detected in the past month.

I followed the prep guide but DDS would freeze the whole computer after display 50 #'s. So, sorry no DDS.txt or Attach.txt.

GMER finished and the ark.txt file is attached. However, there was a problem running GMER. I got the following error:

LoadDriver ( "C:\DOCUME~1\Lou\LOCALS~1\Temp\uxloakow.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.
Also, when the GMER window opened, only Services, Registry, Files and ADS could be selected.

A:Infected with Trojan:Win32/Sirefef.AH

Hi,
Please run the following:
Please download Unhide.exe to your desktop:
Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the hidden attributes from all the files on your system. Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.
NEXT
Download OTL to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users
Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /rp /s
DRIVES
CREATERESTOREPOINT
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs


Hi, need some help and here are the requested logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Bobbie at 0:06:17 on 2011-12-08
Microsoft® Windows Vista® Home Basic 6.0.6002.2.1252.1.1033.18.3061.1616 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.e... Read more

A:Infected with Trojan.Win32.Sirefef.a / p other

Someone can close, delete, ignore or handle this however you normally do when you get no response as I have decided to back up and restore system to original condition. I think it is just too far gone. Thanks!


http://www.bleepingcomputer.com/forums/topic455847.html/page__gopid__2722494#entry2722494

After following the instructions in the above post, I still believe to be infected. Per the last instructions in that post, I ran DDS and GMER along with sysinternals to view the running processes in more detail. Attached are the reports.

Something to point out again is that every time I load Kaspersky, CPU usage is high and 2 svchost.exe processes are associated with Kaspersky that normally don't show in another healthy computer that I have at home. Sysinternals private bytes column went as high as 1GB so I don't know if this means that my data was compromised or not. Please refer to screenshot to illustrate my point.

Thanks.

A:Infected with Win32/sirefef.ev trojan

Hi consigliere,
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
It appears you've already run Combofix. Please post the Combofix log located at C:\Combofix.txt in your next post.


I need help! First noticed problems about 5 days ago when I tried to remove program through the add/remove utility. Since then I have been through your suggestions, ie adaware, house call, etc. Those programs will run either a full scan or partial, but then when I try to delete, quarantine, etc., the program freezes up and won't complete. I got enough of a scan once to see that I was infected with win32 trojan dropper, but can't remove it.
I can't seem to download any program, ie Adobe Reader as it stops and says a registration key can't be located or accessed.
Also, on start up, I am always getting an error box that reads "nudge has caused an error in nudge.exe. will now close" However "NUDGE" is something different each time. I'm at a loss. If there is anything else I can do, any help is appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 9:37:16 PM, on 5/31/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\P... Read more

A:Infected With Win32 Trojan Dropper

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

I see you use msconfig to control your startup items. However I need to see all of those items in order to determine our best course of action. Please run msconfig and enable all startup items. Then reboot your computer and post a new hijackthis log.


Hi everyone. Hope you won't mind helping me with this issue.

Yesterday, upon start up of my laptop (Windows Vista Home Edition OS), I was informed by Avast that I had some sort of a trojan infection and that it would proceed to quarantine them to the virus chest. After the reboot and scan, it had shown that the virus was removed but another scan done by MBAM revealed that the infected object was still there. I was told by MBAM that it was the following file C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) but I can't seem to find it anywhere. An Avast scan stated the following had been removed/placed in virus chest but each subsequent scan by MBAM still reveals the Desktop.ini to be infected.

C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n
C:\Windows\Installer\...\[email protected]
Win32:Sirefef-PL[Rtk]
Win32:Malware-gen

At one point, Avast stated that one of my music software exe files for FL Studio.exe was a virus even though upon scanning by both Avast and MBAM, it was not. I'm not sure what is the cause of some false positives or how to remove this virus. My Google Chrome browser gets periodically automatically redirected to this address http://83.133.127.55/ whenever I click on a link in Yahoo or Google.

Also, whenever I try to access google.com on Chrome, I receive the following message:

The site's security certificate ... Read more

A:Infected with Trojan.0access and Win32:Sirefef-PL[Rtk]

Hi,
Please run the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options. To enter System Recovery Options from the Boot Menu:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Repair your computer menu item.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Choose your language settings, and then click Next.
Click Repair your computer.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with the drive letter of your ... Read more


Hi, I have an acer aspire 3690 running Windows xp and I have been infected with the Win32/sirefef.EZ trojan virus. I have tried ESET, Malwarebytes, and TDSS rootkit to try and remove it but no luck. I have searched for a solution to this particular problem in many different forums but none of the solutions I have seen have worked for me. Thanks in advance for any help.

A: Infected with Win32/Sirefef.EZ trojan variant

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.
If you get crashes in normal mode, run it in safe mode with networking.

Download ESET online scanner
Install it.
Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.


Anti-virus keeps asking to reboot system to clean files that are "locked or in use." Rebooting does not remove or clean files, and reboot message returns. Anti-virus scan shows red flags for the following: Operating memory ? services.exe(640) - a variant of Win32/Sirefef.EV trojan - unable to clean; and, Operating memory ? C:\Windows\assembly\GAC\Desktop.ini - a variant of Win32/Sirefef.EZ trojan - deleted (after the next restart) [2].

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 10.7.2
Run by Give at 18:06:33 on 2012-10-15
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.2036.952 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: COMODO Defense+ *Enabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Defense+ *Enabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32... Read more

A: Infected with a Variant of Win32/Sirefef.EV - Trojan

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o... Read more


I've been infected with viruses. I realized it when I've been redirected to another website (CC Search) by Google after a Google search. After searching about this CC Search, I decided to install anti-virus to remove some viruses. I've tried installing Kaspersky but it seemed that it couldn't start. While downloading other Anti-Virus software, my internet connection was "cut-off" half-way. This happens too when I am downloading other programs. It was then I started downloading using FreeDownloadManager so I could pause the download and continue after rebooting my computer when my internet connection was back. (The connection remains for about 5 minutes after starting download.) Therefore I restarted 3-4 times before successfully downloading the anti-virus (HitMan and Spyware Doctor) and TDSS killer. Although infections were found and removed, after rebooting my computer, Windows Defender found this virus trojan, Win32/Sirefef.O. Windows Defender prompted me to remove it and after clicking "Remove All", an error occurred:

Error encountered: Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Advice: Remove this software immediately... Read more

A: Infected with viruses. (Trojan:Win32/Sirefef.O)

With the information you have provided I believe you will need help from the malware removal team. Please make sure that you read the information about getting started first. Then start a new thread HERE and include our required logs. Including a link to this thread will be helpful. Good luck and be patient. Help is on the way!


Hello,

I started noticing problems with my PC when I received the Vista Anti-Virus 2012 window popping up.
I was aware this was a virus so I ran Malwarebytes and was able to remove this from the PC.

Then I started noticing that whenever I would search for something in Google and I'd click
a link on the listing, I would be re-directed to another shady looking website.

It continually did this with multiple websites I tried visiting so I ran some more scans.

I ran the ESET Online scanner and this is when the Win32/Sirefef.DA Trojan was identified amongst
a few other viruses. The scan picked up two instances of the Win32/Sirefef.DA Trojan and was unable
to remove both of them but was able to remove everything else.

The machine is still infected so if someone wouldn't mind
taking a look at my logs and helping me get this fixed I'd greatly appreciate it.

Here's the DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_26
Run by Sheri A at 8:22:26 on 2011-12-22
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.2039.724 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\... Read more

A: Win32/Sirefef.DA Trojan Infected Computer

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
- Do not run any other tool until instructed to do so!
- Please do not attach logs or put in code boxes.
- Tell me about any problems that have occurred during the fix.
- Tell me of any other symptoms you may be having as these can help also.
- Do not run anything while running a fix.
- Do not run any other tool until instructed to do so!
- Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
- Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links: Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more


Anti-virus, antispyware software generated the following:
Malicious code found in file C:\Documents and Settings\my name\Local Settings\Temporary Internet Files\Content.IE5\WPPXAPHN\install[1].0.
Infection: Trojan-Dropper.win32.Small.bdf
Action: failed
A search for this file results in 0 files, maybe because it's hidden? My antivirus software is Security Shield 2008 & I am trying to get tech support from them but at this point to no avail. I can't get this thing removed. Any help is appreciated.

A: Infected by Trojan-Dropper.win32.Small.bdf

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


I've run Kaspersky's Online scanner and it came up with "C:\Downloads\setup.exe Infected: Trojan-Dropper.Win32.Joiner.fa" and "C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s". I think the first is the one I want to remove, so all you good people out there, how does one go about this?

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English
CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1023.48 MiB / 543.2 MiB
Pagefile Memory (total/avail): 2461.88 MiB / 1427.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.85 MiB
C: is Fixed (NTFS) - 229.36 GiB total, 171.42 GiB free.
D: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - Maxtor 6L250S0 - 233.76 GiB - 2 partitions
\PARTITION0 - Unknown - 4.4 GiB
\PARTITION1 (bootable) - Installable File System - 229.36 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All U... Read more

A: Infected With Trojan-dropper.win32.joiner.fa

Hello Saunaman

I will be handling your log to help you get cleaned up. Sorry that it took us so long to get back to you, but as you can see we're stumped with the amount of logs.

Please download the latest copy of HijackThis from Trend Micro and save it to your desktop.
Double click on HJTInstall.exe to install it. Click on Install. By default, it will install to C:\Program Files\Trend Micro\HijackThis.
Read through the License Agreement presented to you on the next screen and click on I Accept.
Once installed, HijackThis will start automatically. If it doesn't, please go to your desktop and double click on the HijackThis shortcut created there.
Select Do a system scan and save a logfile.
Close HijackThis.
Note: Do not click on the AnalyzeThis button.
Do not fix any lines you see in HijackThis as most entries are harmless and needed for the normal functioning of Windows.
Please post HijackThis log back here


My laptop has recently started playing up. It began with troubles with my audio, in that any sound was muffled or distorted for about 30 sec, then would come good for a few minutes, then periodically stuff up. I ran a scan with Zone Alarm and it found the trojan listed in the topic title above and that it was found here - d:\windows\system32\2402c8\937518.exe. The laptop has since been slowing down to a crawl and the cpu% always appears high. I have tried scanning in safe mode, won't find the file, and have tried deleting and quarantining the file also but it reappears on restart. Have tried Spybot but that didn't seem to help either. I have also tried searching for the file to manually remove it but it doesn't appear in the search. Please help.
Kind Regards

DDS (Ver_10-03-17.01) - NTFSx86
Run by Julian at 11:12:29.79 on Sun 04/07/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2047.1183 [GMT 10:00]
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS... Read more

A: Infected with Trojan-Dropper.Win32.Flystud.yi

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Avast continually blocks the following threats:
- Win32:Malware-gen
- Win32:Downloader-PKU [Trj]
- Win32:DNSChanger-VJ [Trj]
Avast scans and detects Win32:Sirefef-PL [Rtk], cannot remove it though.
Malwarebytes scan detects BCminer, quarantines it, though never seems to get rid of BCminer.
Other issues of possible note:
- Windows Firewall not running 0x80070424
- Backup & Restore - last backup did not complete successfully - server execution failed - 0x80080005
Ran both DDS and GMER (GMER did not have all the options available as per the preparation guide, and did not log anything when the scan was complete).

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Family-pc at 12:37:05 on 2012-08-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.16383.13888 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\sy... Read more

A: Win32:Sirefef-PL, Win32:Malware-gen, Win32:Downloader-PKU [Trj], Win32:DNSChanger-VJ [Trj], BCMiner need help

Hello Njals, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions. Do you have a USB Flash Drive you can use?


I believe that I have been infected by the following viruses: Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR. They were all removed by either Zone Alarm Anti-Spyware or SuperAntiSpyware. However, I continue to have the symptoms: sporadic hijack of my keyboard so keystrokes are executed in what appears to be a random fashion. I say it's random because most of the time what's typed by the virus doesn't make any sense. I was working with FAX in the ZoneAlarm user forum who recommended the malware removal tools and suggested I post my HijackThis log if all else failed. All else has failed. Following is the log. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:46 PM, on 6/28/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\WinZip\WZQKPICK.EXE
C:\Program Files (x86)\WordWeb\wweb32.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\HPQ\HP Connection Manager 2... Read more

A: Infection by Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a... Read more


Malware removal helpers: Thanks so much for taking the time to look at this, I really appreciate your generosity in helping us...

Here's how this problem unfolded:
1) I think it started because of sticking my USB Flash drive into a public computer (I've learned my lesson now...)
2) I found that many of my folders, especially ones with pictures or music in them, had become .exe files. They still looked like folders, but a folder called Dave's Stuff before would now be Dave's Stuff.exe, etc. And when I enabled the "Show hidden files and folders" I could then see the real original folders. I (moronically) clicked on one of the exe folders by mistake...
3) I scanned with Ad-Aware, Spybot S&D and Malware Bytes' Anti-Malware. I also used ATFCleaner and then ran a safe mode scan with SUPERAntiSpyware. Various different problems were found each time and I removed them.

Here are some of the problem files logged:
From ad-aware (Quarantine screenshot attached):
Win32.Trojan.Agent
Win32.Trojan.VB
Win32.Worm.VB
From SUPERAntiSpyware:
Rogue.Component/Trace
From Malware Bytes' log:
Memory Processes Infected:
C:\Zita.exe (Email.Worm) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft... Read more

A: Infected with Win32.Trojan.VB & Rogue.Component/Trace

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I was at a hotel a few weeks ago, and afterwards firefox kept redirecting me to ad sites. I ran Microsoft Security Essentials and detected and removed (partially?) a program called Nimda, but the redirects continued. None of my security software indicated any other problem, and the redirects seemed to be to fairly harmless sites, so I figured I'd wait for my programmer brother to get home for thanksgiving to fix the issue. Today, firefox redirected to a site with the words "please wait, loading." I immediately closed out but my computer was already infected. A program called "privacy.exe" in taskmanager started up- it's your typical faux-security program that prompts you to "clean your computer" presumably by downloading all kinds of other awful crap. This particular program kept closing down taskmanager after a couple seconds every time I tried to open it, automatically closed security essentials, closed all my other background programs, and wouldn't let me open hijackthis or firefox. I restarted in safe mode and ran security essentials, which found and removed something called "VirTool:JS/Obfuscator.CE," then restarted normally, but the situation hadn't changed. After some trying, I was able to open taskmanager and manually shut down "privacy.exe" before it shut me out, and that's as far as I've gotten. Keep in mind when reading my DDS log that I shut this program down already, because it prevents me ... Read more

A: Infected with unknown trojan/malware, has infected pc with rogue:win32/fakerean, VirTool:JS/Obfuscator.CE, and others so far

Hi,

BitTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.

Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Hi there

My ESET NOD32 antivirus 4 detected Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS
I tried to remove them with Kaspersky removal tool, Malwarebytes anti-malware, Spybot
All failed to delete this file C:\WINDOWS\assembly\GAC_MSIL\desktop.ini which is a Win32/Sirefef.CH trojan
The other Win32/Rootkit.Agent.NUS trojan is in operating memory
My PC symptoms are:
1. can't access a direct link... I have to press the Enter key 3-4 times in the browser, then the page will load.
2. PC is moving slow

A: Infected by Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS

Hi

Please do the following:

Please download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Wind... Read more


Hello
My son has managed to get Trojan(s) on his laptop... Windows XP Pro SP2
I deleted temporary files, cleared cookies, turned off system restore and ran Norton, A-Squared free, SpyBot 1.6 and Ad-aware SE Personal 2008
Norton claims to have dealt with trojan.zlob and A-Squared found and cleared the trojan-dropper
Is there anything else I need to worry about please? If so please can you help me to remove it? I have reached my level of understanding and am not technical enough to understand the Hijackthis log.
Many thanks
Lin
=================
The Hijackthis log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:45, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1... Read more

A: Infected With Trojan.zlob - Trojan-dropper.win32.agent.rvv

Hi elsiegee40

Please make sure you have system restore turned on again ... actually you should NOT have turned it off, you now have NO restore points to fall back upon. Despite what Norton & others may say, you should not turn restore off (purge system restore) until your computer is clean ... even an infected restore point is better than none at all.

Your hijackthis log is clean, but that doesn't mean your computer is, from experience I doubt Norton has removed all the malware ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt
Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt
Please remember to post both txt files ...
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please Download Malwarebytes' Anti-Malware from Here :-
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
or here :-
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the appl... Read more


Hello, I am having trouble removing viruses and malware, I tried removing it myself but it keeps coming back.
Problems That I am having
When I boot The System every thing runs smoothly until I get to the blue screen where windows is applying my settings. That's when the command prompt appears with netsh.exe typed in it, then it disappears and I just get a blue screen and windows fails to load. When I boot the system in safe mode a highlighted message appears and "ask which OS system I want to load", not sure why it does that since I only have one operating system. While in Safe mode I get a "look for porn" installation wizard. I try to fix everything I can while in safe mode including manually deleting infected files. Once I have everything I think is fixed I run bazooka, trojan remover and spybot, everything seems to be fixed until I reboot the system. Once I reboot the system windows loads but the infections are still there. I've had hijackthis fix several items like msoupdater.exe, svchost(documents), userinit.exe but I can't get rid of it. Also while online doing virus scans the IE browser gets directed somewhere else, firefox seemed to work fine though.
Thanks in advance for any help I get.
DSS Log
Deckard's System Scanner v20071014.68
Run by clay on 2008-06-15 21:56:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as clay.exe) --... Read more

A:Infected Trojan-dropper.win32, Virtumonde, Ntos.exe And Other Viruses

Hello black star and welcome to BC. Let's see what we can find. Please follow the steps below in order:
Before running a new scan let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck
File - Additi... Read more


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 94300
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:45:29
File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\FreeApp.exe Infected: Trojan.Win32.Agent.arng 1
C:\Qoobox\Quarantine\C\Program Files\tinyproxy\tinyproxy.exe.vir Infected: Trojan-Proxy.Win32.Agent.bcw 1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe Infected: IRC-Worm.Win32.Small.x 1
C:\WINDOWS\bolivar24.exe Infected: Backdoor.Win32.Agent.ubx 1
The selected area was scanned.
--------------------------------------------------------------------------------
Logfile of random's system information tool 1.04 (written by random/random... Read more

A:Infected: Trojan.Win32.Agent.arng, Trojan-Proxy.Win32.Agent.bcw, IRC-Worm.Win32.Small.x, Backdoor.Win32.Agent.ubx

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.
Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any scr... Read more


I started getting fake Windows Security Essentials pop ups every time I attempted to open Chrome, saying that WSE had detected a potential threat. I ran task manager and found that hotfix.exe was running, which I ended and was able to use my browsers again. I ran Malwarebytes, cleaned the problems and restarted. The popups have now stopped, but internet explorer opens randomly with ads and MSE is going nuts with reports of Win32/Renos.LX, Win32/Renos.JS and Win32/FakeYak. Malwarebytes has been reporting Trojan.FakeAlert, Trojan.Downloader and Trojan.Dropper. No matter how many times I remove said threats, they are always there after a restart.
DDS (Ver_10-10-31.01) - NTFS_AMD64
Run by Bryony at 21:17:56.29 on 31/10/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3958.2188 [GMT 0:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\... Read more

A:Trojan Downloader: Win32/Renos.LX, Win32/Renos.JS, Rogue: Win32/FakeYak

Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.
Once I receive a reply then I will return with your first instructions.
Thanks


While browsing, out of nowhere, Live Security Platinum (I never installed this) popped up. It closed all running apps so I restarted PC and ran a scan using MSR. It detected Win32/Sirefef but was unable to delete it and prompted that "Windows has encountered a critical problem and will restart in one minute". I restarted PC in safe mode, disabled MSE service and scanned PC using McAfee and it detected Trojan.Zeroaccess viruses and was unable to delete one of the files. I installed Malware Bytes and scanned and it also detected Trojan.Zeroaccess.

Now I am able to boot in normal mode (no "Windows has encountered a critical problem and will restart in one minute" message) but PC has become slow. Need to disinfect anything remaining, need help in doing so.
Thanks

A:Infected with Win32/Sirefef, Trojan.Zeroaccess, Live Security Platinum

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more


Hi... I'm having a terrible time with my desktop computer. MSE detected a trojan sirefef.P virus 3 days ago. After that detection, when I did a Yahoo search, I was being redirected to random ad sites (finesearchsystem dot com, star dot feedsmixer dot org, etc....) I have run MSE, Spybot S&D, Malwarebytes, Kaspersky, and Security Task Manager. All have found some sort of malware, but the sirefef keeps popping back up. In addition, I am unable to turn on my windows firewall as there is an error code 0x80070424. The thing that concerns me the most is that MSE in its history log shows that it allowed the sirefef.P and zbot which means they made all kinds of settings changes and are probably embedded deep in my computer. What steps can I take to remedy this? I have been on another forum, but have not been able to open a topic. I found some instruction on some things I could run to get diagnostic info, but haven't been able to post it. Thanks

A:trojan win32/sirefef.P and PWS Win32/zbot

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom


I am running Windows 7 on my laptop and was infected by this nasty virus somehow.
It took out the desktop, which I was finally able to get back. It has also changed security settings where I cannot download anything. So the links in the removal tutorial do not work for me.
It has done something to my Outlook, when I open Outlook I get an error message "outlook could not create the workfile. check the temp environment variable", I click okay and Outlook loads, when I click the send / receive button yet another error "you don't have appropriate permission to perform this operation".

Now, if I click the start button and click on programs, the list populates but when the actual programs are clicked it shows "empty".
There are many folders under c:/ that access is denied.... I have tried running cmd.exe and using the ATTRIB -S -H /S /D with no luck....access denied is what I see scrolling across that screen until it is done.

Any help would be appreciated

A:Infected with trojan win32 fake.sysdef

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom


My Avast antivirus recently started detecting a whole host of viruses. I ran a thorough scan of all files and deleted every infected file until the scanner turned up a hit in the operating memory. It then suggested I run a boot sector scan - I did so. Upon rebooting Avast started detecting more viruses. This time I rebooted into Safe Mode and ran the scanner there, deleting everything I found. Apparently one of the files I deleted was important, because after that my computer Blue-Screened during boot-up and I had to do a system restore to a save point from a few days ago (before the virus was contracted). Since then the virus has continued to crop up, and I haven't the foggiest notion of how to get rid of it.

The title is a list of the virus descriptions that my Avast scanner gave me. I ran all the programs the walkthrough on this site instructed me to, but the RootRepeal program crashed and generated an error message and crash report, both attached (error message in .png image format - I took a screenshot of it).

Thanks for your help!

__________________________________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by Bryan at 18:56:06.09 on Wed 12/02/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1546 [GMT -5:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32&... Read more

A:Infected with js: downloader-FT Win32:Banload-GLR Win32:Malware-gen Win32:Refpron-AW Win32:Rootkit-gen Win32:VB-NWC

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I'm sorry. I accidentally posted this 20 times! I didn't realize it was going through.

This weekend around April 18 I picked up a nasty trojan/virus/malware. I run Windows XP with service pack 3 and all recent updates. I have Windows Defender and Symantec Antivirus. It caused my Firefox browser (ver 3.6.3) to be redirected to sites like Directdr.com about every fourth time or so I open a new tab. Then Firefox suddenly quit and the XP security tool 2010 started up, popping up warnings and scanning my computer. I tried the Virus, Spyware, & Malware Removal Guide titled: How to remove XP Security Tool 2010, XP Defender Pro, and Vista Security Tool 2010. Malwarebytes found and removed a lot of junk but every time it needed to restart, the computer always locked up on the Windows Logoff screen (it took a while to get to this screen also), I then had to do a hard shut down. On restart I would delete the files in the Malwarebytes Quarantine tab but after using Firefox I would start to get redirected every so often again and then it would quit again and start up the XP security tool 2010, XP Antivirus or XP Defender, the name would change but it would look the same. It turned off my Windows firewall and antivirus in the Security Center. Windows defender does not seem to detect it. Symantec antivirus has caught several trojans but it is still around. I've tried Malwarebytes 3 times and it still comes back. It also can be started when I download images in Thunderbir... Read more

A:Infected with Win32/FakeRean, Fake antivirus, Trojan

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more


Hi,
 
I tried the search but couldn’t find any threads about Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN. I apologise in advance if this is not the place to post this.
 
I’m running an old HP Pavilion using Windows XP. Yesterday my computer was attacked by a virus that disabled Microsoft Security Essentials, breaking the desktop shortcut and making it unusable. I found using a trial version of hitmanPro that the virus disables and redirects Microsoft Security Essentials’s files. However because the trial period was over I was unable to repair it. I performed a system restore in safe mode. The restore “failed” but it partially “fixed” Microsoft Security Essentials. Immediately after, I ran a quick scan using Malwarebytes in safe mode with networking. It found a vendor called Rootkit.0Access that it was unable to remove, even after a few repeated quick scans. I downloaded and attempted to use the Malwarebytes Anti-Rootkit tool but was unable to get it to work. I then searched the internet about the file and found that TDSS Killer could help. After running TDSS Killer and restarting in normal mode it managed to fix the issue and Microsoft Security Essentials notified that the computer was infected and gave the option to clean. After cleaning it gave the option to restart the computer. After restarting it found two files called Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN under the "All detecte... Read more

A:Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN files

Hello moe, please run these next. Try all from Normal mode unless you cannot run them, then use safe mode with networking.
Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
...
Run TDSS again
Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
...
Last run ESET.
Hold down Control and click o... Read more


I installed Microsoft Security Essentials and ran a full scan of the system. But I found out that my Windows is attacked by Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK. Microsoft Security Essentials was unable to remove them. The main issue that I have been facing since this incident is that Windows can't update Firewall settings. The following message is displayed "Windows Firewall cant change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft security essential" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart again these viruses are re-created and it's been happening for the last couple of weeks.

In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been receiving help from one of your experts. Here's the link of this topic:
http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298
Now that problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated for our help. As I am using 64-bit version of Windows so only DDS logs were created. DDS.txt logs are given below and attach.txt has been attached as well.....
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

A:Infected with Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE:... Read more


I have an F-Secure internet security software suite on this computer, and it is up-to-date and functioning. I also have MalwareBytes (free) installed and have been running it regularly, and I use the ESET Online Scanner as well. The OS is Windows XP, and it is up-to-date.
About three weeks ago I cleaned around three trojans from this computer using MBAM and the online scanner. A few days ago, Adware.Win32.WebHancer.x was found by F-Secure, and is currently quarantined. Today, several instances of the two Trojan-Spy programs were found and quarantined by F-Secure; they infect system files and system restore files. I already looked up information on cleaning the system restore files by stopping and restarting system restore (and scanning in between). I deleted the quarantined files.
All of the Spy-Trojans found are infecting in C:\hp\recovery\wizard\fscommand\. The file names are:
AppRecoveryLink_ret.exe
CDLogic_ret.exe
CreatorLink_ret.exe
RestoreLink_ret.exe
RTCDLink_ret.exe
RunLink_ret.exe
SysRecoveryLink_ret.exe
WizardLink_ret.exe
The Adware infected a .dll file, and I was advised not to delete it.
CDLogic_ret.exe is Agent.bdzz; the rest are Agent.beaf
I have run my antivirus, MBAM, and the online scanner again and they picked up nothing. Also, the Adware and Trojan-Spy's were all found during MBAM scans, but F-Secure picked them up.
I have attached a HiJackThis log and a DDS log; GMER froze my computer partway through the scan when I used it. I have run a... Read more

A:Infected with Trojan-Spy.Win32.Agent.bdzz, Trojan-Spy.Win32.Agent.beaf, and Adware.Win32.WebHancer.x

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Would really appreciate some help, since am at wits end. I had IE7 installed on my PC and it started spontaneously shutting down yesterday. It opens up fine, and even navigates to a couple of pages, but then shuts down. I have not been able to figure out if there is a pattern to the kinds of pages that make it shut down (definitely cannot go to Windows Update page).
Here are some new environmental things that have been happening over the last few days:
1. A game called Runescape has been played by a visiting nephew. Said nephew has also watched Loonytunes on my PC
2. I installed Kaspersky AV 6.0 two days ago. My old AV software (Norton) had expired 3 days prior to installation of Kaspersky. When I ran Kaspersky yesterday, it told me that the following things had been discovered and fixed: Exploit.Java.ByteVerify, Trojan-Dropper.Java.Small.c., Win32.NetSky.aa, Trojan-Downloader.Win32.Zlob.cz, Trojan-Downloader.Win32.Zlob.cy, Win32.LovGate.w, Explot.html.mht, Trojan-Dropper.Win32.Mudrop.ao
3. However, Kaspersky ran again last night, and this morning I saw that there were a number of trojans and viruses that needed to be cleaned (mostly the same as the ones above, except Trojan-Spy.HTML.Sunfraud.c and Net-Worm.Win32.Mytob.dn).
Here are some of the things I have done since yesterday, which have made no difference:
1. Rolled back IE7 to IE6
2. Tried a variety of anti-spyware softwares and the only one that turned up something was on Spyware Doctor (PS Guard). However, PS Guard has not ... Read more

A:Exploit.java.byteverify, Trojan-dropper.java.small.c, Win32.netsky.aa, Net-worm.win32.mytob.dn, Etc.

Hello GMS and welcome to the BC HijackThis forum. Let's start with a little cleanup. Please follow the steps below in order.
Step #1
If Norton has expired then go to the Control Panel->Add/Remove Programs and uninstall all Symantec/Norton products. If it has expired then it isn't performing any useful function to still be installed, and running 2 AV's can easily cause file access issues.
Step #2
Download ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Step #3
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
Now close ALL open windows ... Read more
