Q: Suspected Infection: Bad Server Certificates and Redirects

Hello,

I believe my computer has been infected. Starting today, I began receiving messages from my browser (Chrome) stating that "The site's security certificate is signed using a weak signature algorithm!" I tried to navigate to the same sites using Firefox but did not receive this warning. I am however being redirected to obviously troublesome websites. MyWOT is also popping up on nearly all of these redirects. Please advise.


A: Suspected Infection: Bad Server Certificates and Redirects

Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================================================
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
====================================================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.
=============================================================================
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
=============================================================================
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.
NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


Hi,

I have a 2 year old Dell Studio laptop with an Intel Core 2 Duo CPU and 4 GB of RAM running Vista Home Premium. Last night, it was infected with the System Repair virus. Malwarebytes has successfully gotten rid of that, but Google is still redirecting all of my searches (the site artcanyon.com keeps coming up, if that sounds familiar to anyone). TDSSKiller isn't detecting anything suspicious, and I don't think GMER is either - though it is a 64-bit system, so I wasn't able to do the full scan.

My logs are below/attached. Please let me know if you need any additional information from me. I have no programming background, though, so the more detail you're willing to provide in explaining what steps I need to take next and how to do them, the better for all of us.

Thank you very much in advance for your assistance. This site's already been a huge help, and I'm hoping that together we can clear up this last annoyance for me!

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Owner at 18:32:24 on 2011-07-13
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.4054.1463 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\sv... Read more

A:Google Redirects - Suspected Rootkit Infection

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


My laptop is redirecting Google clicks to odd search sites (or antivirus ads). I'm also getting TONS of Vimax ads (not that I'm insecure or anything). A porn site said I was infected with 'troj/rustok-N' and wouldn't allow me to access their video files.

Here's my cut & pasted DDS report, along with the requested attached files (attach.txt and ark.txt). Root Repeal (which I ran in SAFE MODE) would only work on its 'second' Disk setting, not its default (or even 'high') settings.

Many thanks for your assistance!!

DDS (Ver_09-07-30.01) - NTFSx86
Run by BDF at 9:30:44.85 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.97 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\... Read more

A:Suspected Trojan Infection - Redirects Google & Antivirus sites

Hello 4bard,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here. Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please post the contents of that document.
**********************
Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"
Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) ... Read more


I'm trying to get into PayPal but IE AND Firefox are telling me that the security certificate is invalid. Is the certificate server down or is there something wrong in my internet settings?

A:IE 8 security certificates- server down?

Is your date (including the year) and time correct? This was the problem on another computer; the date and time invalidated the certificate.


Hey all, as most I know a lot about some aspects of computers and there's a lot of stuff I don't know as well.
 
Server certificate issues have been coming up the past couple of years and I wanted to learn more about them; like how to be able to discern bogus certs, how to write certs, how to overcome cert errors when trying to send mail, etc etc
 
I'm looking for a 'for Dummies' like book focused solely on certs (or covers certs thoroughly); I really don't want an expensive phone book covering the entire Windows OS or Servers in general.
 
Anyone have any suggestions?

A:Beginner's Book for Server Certificates?

Server Certificates
Certificates for dummies
Beginner's Guide to SSL Certificates - Symantec


Hi All,

I will be deploying ATA 1.6 in our dev environment in the coming weeks and just needing a bit of help clearing up some detail with the "how-to" aspect of certificate generation. The environment I will be installing into is AD based with its own CA, so I won't be looking to use the self signed certs (unless someone can give me a good reason otherwise) and am wanting to get the certs provisioned from our own internal CA.

1. IIS certificate is easy, no problems here as I've done quite a few.
2. The Server Authentication template does not seem to be enabled within our environment, so I cannot use the Advanced Certificate Request form from the web portal as I can for the IIS CSR. I looked at generating a Server Authentication Certificate from the certificates MMC, however I am getting lost under the Certificate Enrollment Policy page as policies configured by my administrator do not include a Server Authentication type.

I am getting the feeling I am going to need to either (a) get the Server Authentication template enabled or (b) generate a certificate template to facilitate this request. In either case I will need detail on what exactly is needed and why to get anything like this approved. Can anyone help with more detailed/specific instructions on what needs to be done to generate the certificate here?

I guess the other option would be to use our internal CA for the IIS cert (trusted by all in the domain) and then use self signed for the ATA Center... Read more


I've got a Server 2003 box running a fully working Certificate Authority on about 20 Windows machines. How do I use this CA request properly with a Mac?

I just want it to authenticate via Wireless using Internet Authentication using a RADIUS server via wireless router.

thanks, is this possible?
 

A:Server 2003 Certificates, do they work with Other OS'es?

No, they do not. Working with a Mac is described in detail with the software guidance instructions and FAQs.
 


Hiya

The previous VeriSign 128-bit International (Global) Server Intermediate certification authority certificate expired on January 7, 2004. This may cause problems for clients that try to establish server-authenticated secure socket layer (SSL) connections with Web servers and other SSL/Transport Layer Security (TLS)-enabled applications that do not have up-to-date certificates.

To prevent these problems, Microsoft Internet Information Services (IIS) operators should contact VeriSign to update the intermediate certification authority certificates for servers that use 128-bit SSL to connect to Web sites with the Secure Hypertext Transfer Protocol.
Affected software

Microsoft Internet Information Server
Microsoft Internet Security and Acceleration Server
Microsoft Exchange
Microsoft SQL Server
http://support.microsoft.com/default.aspx?scid=KB;EN-US;834438

Regards

eddie
 


My company has a client that's running Windows Server 2003 in his office. For legal reasons, we can't support his server for him, only the application that we installed on his server. Server maintenance has to come from his 3rd party people. I'm just curious though.

This application of ours connects to a secure site that our company maintains. Every couple weeks, the application stops logging in to our website and he calls us to get it fixed. We Webex to his server and always see the same error. We found that if we open up IE and enter the web address in the address bar, we get a prompt for the certificate. Our application doesn't have the ability to answer this "Yes", "No", "View Certificate" prompt. So we go through the process of installing the certificate. After that, the app works flawlessly for a couple weeks before he calls us again. It's stopped logging in. After we browse to the site and install the certificate again, everything's fine. He's nice but he's tired of having to call us every time this expires.

He's the only client out of about 1900 that has this problem. He's also the only one AFAIK that's running our app on Server 2003. I've seen Server 2003 but only have about a week's training experience with it. What kind of settings can I have this guy's support team look for on the system to keep this certificate from disappearing every couple weeks? No one uses t... Read more


I am trying to replace the auto generated self-signed (Issued to DM, issued by DM) certificates for the HPDM Server and Master Repository. I am NOT referring to FTPS, the HPDM Embedded HTTPS Server, or the Thin Client Agent certs. I have already set up certs from our own domain internal CA for FTPS in IIS and the Apache Embedded HTTPS server. These are working fine and Repository tests pass for both protocols. I have also issued to the Thin Clients from our internal CA just fine. I'm interested in the actual HPDM Server cert and Master Repository cert. These are self-generated when the two services start up. They use a very weak MD5 hash and RSA 1024 key. I cannot find any documentation around this except for troubleshooting in which you can delete these certs, restart the services and they will be regenerated.

Here are the certs\key paths:
%HPDM Install Path%\MasterRepositoryController\Controller.crt (Repository Cert)
%HPDM Install Path%\MasterRepositoryController\Controller.key (Repository Key)
%HPDM Install Path%\MasterRepositoryController\Client.crt (HPDM Server Cert)
%HPDM Install Path%\Server\Bin\hpdmskey.keystore (Both HPDM Server and Repository Certs and Keys) (Not sure the format it is in. It's not PEM or P12 as far as I can tell)

There is also %HPDM Install Path%\Server\bin\hpdmcert.key. Not sure what this is. Think it's the HPDM Server key but deleting it does nothing and it is ne... Read more


I was wondering if it's possible to configure a Windows 2019 IIS v10 hosted Web Server to perform OCSP checking of client certificates that are used to authenticate?

It is my understanding that typically the Responder URL that the Web Server contacts in order to validate the client cert is extracted from the AIA attribute in the client certificate. But is it possible to override/supplement this with an additional Responder?

For instance, what if I set up an OCSP Responder in the same domain as the Web Server and associated its revocation configuration with the SUB CA bound to the IIS Site. Now if client certs come in for authentication and have an unrelated OCSP Responder in their AIA, can I somehow tell the Web Server to check also the aforementioned Responder that has been stood up in the domain?

A:OCSP Based Validation for Client Certificates Using Responder Defined by Web Server

Per a reply from Mark B. Cooper at PKI Solutions this is indeed possible. You must edit the following GPO in order to override the default behaviour of the web server, which is to only check the Responder URL specified in the client certificates' AIA extension.
Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > expand Public Key Policies
Once a custom Responder is specified in the CA / SUB CA's revocation properties, the above GPO will allow it to check that custom Responder URL first, then OCSP as defined in the AIA extension and then CRLs.
Thanks Mark!
EDIT:
Will post reference links once MS verifies my account.


I'm running Windows 7 Ultimate 64-bit (so I didn't run GMER). I installed Vipre Antivirus very soon after installing the OS, so I've had it for a while

My son originally saw messages from AV 2012 & Windows Protection 2012 (which we haven't installed) telling him that the computer was infected and he needed to buy their software. Also, my son's account would pop up a message asking which program to use to open the file when we double-clicked on an executable. So, we did a full scan with Vipre.

I thought I had gotten rid of them, but I now think that I just got rid of part of it. I started getting warnings from Vipre about blocking known bad files, so I used Vipre and Malwarebytes' Anti-Malware in safe mode to try and clean things up. They both found several trojans which I had them delete.

This morning, I started getting Vipre messages about bad files again, so I downloaded HiJackThis. I saw the host entries for google and noticed a program called vyes.exe in the default user startup. It wouldn't fix either of those, though. I deleted vyes.exe.

I'm pretty sure we have the google redirect issue. I sometimes get a new tab that goes to a site I've never heard of. (and there are the host entries mentioned by HiJackThis)

Currently, C:\Windows\SysWOW64\ping.exe is running. If I kill it, it will restart after a while. I used Process Monitor to try to figure out what was launching it (svchost.exe) -- while doing t... Read more

A:Google redirects and suspected rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more


Hi (Great site by the way!)

I have a number of problems that I suspect are related and are malware related. I do run AVG AV (free version) and Malwarebytes anti-malware software. Neither are showing any problems currently.

Main issues are:
Google search redirects - I have attached a word file with an example
Can't run IE or Google Chrome - have also detailed the messages I get in the word file

I suspect these may all be related to some form of malware. When I tried to run the Run DDS program per instructions it delivers a txt file containing the type of text copied below. This is probably a straightforward issue for you guys but as my username suggests - I know a little but not a lot!

Help!

DDS.txt file extract
MZ? ?? ? @ ? ? ? ?!?L?!This program cannot be run in DOS mode.$ PE L ... Read more

A:Suspected malware; google search redirects

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


Hi all.
 
I have tried looking for the malware with Malwarebytes and the Microsoft Windows diagnostic tool. Malwarebytes found three PUP entries, removed them, popups still keep coming.
 
nan.mashfsttest.
usg.spiessummarising.com
 
are the domains blocked by malwarebytes.
 
Windows 7, Chrome 45.0.2454.101 m
 
FRST logs attached. Did not paste them since the site said the post was too long.

THANKS.

A:Chrome Popups and redirects, Malware suspected, Windows 7

Greetings kmelikov and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.
===================================================
Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter proble... Read more


Hello,

When I do Google searches to get a list of links....then click on one of the links.....I almost always get redirected to different websites that are mostly other non Google search engines as opposed to the correct URL. This is very frustrating because I often cannot get to the link I need/want to get information from. I've tried more than one Spyware program (including CA/Computer Associates Anti-Spyware) that is not detecting and removing the problem. I heard that ComboFix from bleeping computer works great for this type of removal and was about to download and run it, however I saw the warning "Do not use ComboFix unless you are specifically asked to by a helper". Therefore I'm creating this post to be sure a helper thinks that ComboFix can work and that I should run it and am asking how to use it safely without damaging my computer but removing whatever is causing the redirects. Any suggestions would be HUGELY appreciated! Thanks much and I look forward to your response.

-Doug

A:suspected Malware causing Google Redirects, need ComboFix helper please

Try to restart your system in Clean boot. To do this disable all the Start up items from MSCONFIG and disable all non Microsoft services.

Then reboot your system in safe mode or in normal mode. Scan your system with any of the Antivirus such as Malwarebytes or SuperAntiSpyware. To fix the Windows issue, you should register all the DLLs; to do this run Dial-a-fix tool. It will resolve your issue.

After that try to run ComboFix or the SmitFraudFix


Hello,

3 weeks ago, my Windows XP automatic updates were disabled and my browsers (Firefox and IE) suffer from redirects to pages for Walmart surveys and offers for registry cleaners. Running Spybot/AVG/Malwarebytes has not been able to correct the issue.

Thank you for any help.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Grace Varghese at 20:47:42.87 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.130 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalS... Read more

A:Suspected malware : Browser redirects/Windows updates disabled

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure that your anti-virus definitions are up-to-date!
Please do not use the Attachme... Read more


Hello,
My laptop (running Windows 7 Home Premium) randomly plays what sounds like radio adverts and music. Also, google searches are occasionally redirected to spam websites. I suspect it is a malware infection and it started a few days ago. I have seen other people have posted similar problems that were solved; however, I would not be confident trying to remove the malware myself without expert guidance along the way! Any help would be appreciated. Below are the logs:

HJT log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:40:32 PM, on 18/05/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16483)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Pro... Read more

A: Suspected Malware - Radio plays randomly and Google redirects to advertising


Hi,

I've got SOPHOS Anti-virus on my desktop system (Nlite version of Win XP SP3 2.6Ghz, 2gig Ram) and have been getting the following messages of items that are quarantined:

- HIPS/ProcMod-005 with the file wisecustomcalla11.exe
- Sus/UnkPack-C with a system file A0142023.EXE

Sophos a few weeks ago detected the W32/Silly-F Win32 worm. I used Sophos to clean it and it hasn't detected it since but my system is running extremely slowly. The internet frequently cuts out despite my laptop running on the internet on the same network without any problems. Other times the loading time on the browser is just extremely slow. I have used SPYBOT Search and Destroy and Adware to scan for any problems. Nothing seems to have helped.

I have also noted in TASK MANAGER that SH4SER~1.EXE has started running in the last week.

The results from a DDS scan are pasted below and the ATTACH.txt and ARK.TXT are in the uploaded folder. I do have a WIN XP boot disk for SP1. I downloaded HIJACK THIS but under your advice on the forums have not used it.



DDS (Ver_10-03-17.01) - NTFSx86

Run by Phil at 16:18:08.25 on 30/04/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1578 [GMT 1:00]



AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}



============== Running Processes ===============



C:\PROGRA~1\ENIGMA~1\SPYH... Read more

A: Suspected infection! Please help.

Hello and welcome to Tech Support Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh DDS Log Post both the DDS and Attach Logs.


Dear, I'm logging this case for my dad as a matter of fact. He called me stating his computer was acting strange with several kinds of workbar pop-ups and that he all of a sudden wasn't able anymore to surf on the internet. Now, I know - and you should know this too - that my dad doesn't have a clue about what he's doing on his computer for 95% of the time... He's just looking around on the internet for info, installing programs he will never end up using, etc... He doesn't understand a word of English either and he has developed the nasty habit of clicking "yes" as an answer to any question that might pop up, whether it is a system question, application question or a question which pops up while browsing the internet... I already tried to talk him out of that but without success alas. I ended up having to clean out his computer already on several occasions but so far without any serious harm, just until now. When he reported the symptoms of this one, I got a bit worried. He told me he had very frequent warnings about viruses and malware by an application called Remote Antivirus IS. Strange as he's running Avast... Whenever he tried to "clean" one of the reported files, he would be transferred to a screen where he would need to buy the full application. Whatever he would click on that page, there was no reaction. He was also unable to browse the internet with his IE client. When I arrived, I first executed the steps in the tu... Read more

A: Infection suspected

Hi Chuck Q. Sorry for the delay. The logs are a few days old. If you still need help post back.


A couple of weeks ago I found my machine infected. I was running Forticlient. Now I am running MS Security Essentials and Panda Cloud. I used the Kaspersky Rescue Disk to remove the virus from the computer. Also, I used autoruns to find some bogus drivers that are actually rootkits. Once those were removed all was well. However a couple of weeks later I am starting to have issues again. I ran Combofix and here is the log:

ComboFix 10-09-14.04 - Tim 09/15/2010 7:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1296 [GMT -4:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tim\EULA.txt
c:\documents and settings\Tim\fat32format.exe
c:\documents and settings\Tim\g2mdlhlpx.exe
c:\windows\_000004_.tmp.dll
c:\windows\_000005_.tmp.dll
.
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-14 23:31 . 2010-09-14 23:32 -------- d-----w- c:\program files\Bonjour
2010-09-14 10:1... Read more
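The poster above used Autoruns to find bogus drivers. As an added example (not the poster's code and not from Sysinternals), the script below reviews an Autoruns CSV export and lists driver and service entries whose signature is not verified, whose file cannot be found on disk, or which carry no description. A missing image is worth checking because a driver that hides its own file from the file system is reported that way. It assumes the export has columns named Category, Entry, Description, Image Path and Signer (older Autoruns versions call the last one Publisher), that signature results are written as "(Verified) name" or "(Not verified) name", and that an unreadable file appears as "File not found: path" in Image Path; columns are read by header name so their order does not matter. The CSV rows are constructed for the example, and the names xyzdrv, ExampleSvc and abcdrv are made up.

```python
"""Review an Autoruns CSV export for driver/service entries worth a second look.

Added example; not code from the thread or from Sysinternals.  Assumptions:
the export carries columns named Category, Entry, Description, Image Path and
Signer (older Autoruns versions call the last one Publisher); signature
results are written as "(Verified) <name>" / "(Not verified) <name>"; a file
Autoruns could not open is reported as "File not found: <path>" in Image Path.
Columns are read by header name, so their order does not matter.
"""
import csv
import io

WATCHED = {"drivers", "services"}   # categories reviewed; all others skipped

# Constructed sample export.  Tcpip and the AV driver are the benign rows;
# xyzdrv, ExampleSvc and abcdrv are made-up names planted as the suspects.
SAMPLE_CSV = (
    "Entry Location,Entry,Enabled,Category,Description,Signer,Image Path\n"
    "HKLM\\System\\CurrentControlSet\\Services,Tcpip,enabled,Drivers,"
    "TCP/IP Protocol Driver,(Verified) Microsoft Windows,"
    "c:\\windows\\system32\\drivers\\tcpip.sys\n"
    "HKLM\\System\\CurrentControlSet\\Services,avgtdix,enabled,Drivers,"
    "AVG TDI Driver,(Verified) AVG Technologies,"
    "c:\\windows\\system32\\drivers\\avgtdix.sys\n"
    "HKLM\\System\\CurrentControlSet\\Services,xyzdrv,enabled,Drivers,"
    ",(Not verified) ,c:\\windows\\system32\\drivers\\xyzdrv.sys\n"
    "HKLM\\System\\CurrentControlSet\\Services,ExampleSvc,enabled,Services,"
    "Example Update Service,(Not verified) Example Software Ltd,"
    "c:\\program files\\example\\examplesvc.exe\n"
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,jusched,enabled,Logon,"
    "Java Update Scheduler,(Verified) Sun Microsystems,"
    "c:\\program files\\java\\jre1.6.0_01\\bin\\jusched.exe\n"
    "HKLM\\System\\CurrentControlSet\\Services,abcdrv,enabled,Drivers,"
    ",,File not found: c:\\windows\\system32\\drivers\\abcdrv.sys\n"
)


def is_verified(signer):
    """True only for a signer string Autoruns marked as "(Verified)"."""
    return signer.strip().lower().startswith("(verified)")


def review_autoruns(csv_text):
    """Return [{'entry', 'image', 'reasons'}] for suspicious rows, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("Category") or "").strip().lower() not in WATCHED:
            continue
        signer = row.get("Signer") or row.get("Publisher") or ""
        image = row.get("Image Path") or ""
        reasons = []
        if image.lower().startswith("file not found"):
            # Nothing to verify: the file is gone, or something is hiding it.
            reasons.append("image missing on disk")
        elif not is_verified(signer):
            reasons.append("signature not verified")
        if not (row.get("Description") or "").strip():
            reasons.append("no description")
        if reasons:
            findings.append({"entry": row.get("Entry", ""),
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in review_autoruns(SAMPLE_CSV):
        print("%-12s %s  [%s]" % (hit["entry"], hit["image"], "; ".join(hit["reasons"])))
```

Run it against a real export produced with `autorunsc -a * -c -s -v` (the flags that emit CSV with signature verification) by passing the file contents to `review_autoruns`; a row that appears only under a Logon or Explorer category is skipped here on purpose, because the thread is about driver-level rootkits.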

A: Suspected Infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the ... Read more


This is the first time I have had this problem and I am pretty sure that it is a LOP infection. I have multiple IEXPLORE.EXE running even after I have it closed. Even when I end the processes of them there is at least one IEXPLORER.EXE that will not shut down. I have done virus, spyware, adaware checks everything and cannot find anything.

I read through the forums (I'm new here) and I ran the HijackThis application and got the logfile. I was wondering if someone could please take a look at this log file and tell me if I have a LOP infection.

Thank you so much in advance!

_____________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 1:34:09 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Progra... Read more

A: Suspected LOP Infection

Hi alexstraz,
Please use the little red triangle at the top of your post & ask a 'mod' to move it to the Security forum. That forum has experts who are qualified to examine those logs and to give advice.

I hope this is of help?
Richard
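As an added example (not Richard's or the forum's code), the script below parses the "Running processes" section of a HijackThis log like the one posted above and flags the entries a log reviewer checks first: a core system binary (winlogon.exe, lsass.exe, services.exe and friends) loaded from somewhere other than System32 or running twice, an 8.3 short name such as the SH4SER~1.EXE mentioned earlier on this page, and anything executing from a user profile, Temp, the Tasks folder or a drive root. The sample log is constructed for the example; the Temp\winlogon.exe and SH4SER~1.EXE entries are the planted suspects, and the lists of system-only and single-instance binaries are this example's own choices.

```python
"""Triage the "Running processes" section of a HijackThis log.

Added example; not code from the thread.  Flags the entries a log reviewer
looks at first:
  * a core system binary loaded from anywhere but %WINDIR%\\System32,
  * a second copy of a binary that should run exactly once (several
    svchost.exe instances are normal, a second winlogon.exe is not),
  * an 8.3 short name such as SH4SER~1.EXE,
  * an image running from a user profile, Temp, the Tasks folder, a
    Recycler directory, or straight from a drive root.
"""
import re
from collections import Counter

SYSTEM_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
               "svchost.exe", "spoolsv.exe", "csrss.exe"}
SINGLE_INSTANCE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Lower-case directory fragments that malware commonly drops into.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                 "\\tmp\\", "\\windows\\tasks\\", "\\recycler\\",
                 "\\$recycle.bin\\")
SHORT_NAME = re.compile(r"~\d+")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)
HEADER = re.compile(r"^(Platform|MSIE|Boot mode):\s*(.*)$")

# Constructed sample in HijackThis format; the last two process lines before
# the R0 entry are the planted suspects.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:12 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe
C:\\Program Files\\HijackThis\\HijackThis.exe
C:\\WINDOWS\\SH4SER~1.EXE
C:\\Documents and Settings\\Phil\\Local Settings\\Temp\\winlogon.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""


def parse_hjt(text):
    """Return (header dict, list of process paths) from a HijackThis log."""
    header, procs, in_procs = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if DRIVE_PATH.match(line):
                procs.append(line)
            else:
                break                 # first non-path line ends the section
        else:
            m = HEADER.match(line)
            if m:
                header[m.group(1)] = m.group(2)
    return header, procs


def triage(procs):
    """Return (path, reason) pairs; an empty list means nothing stood out."""
    findings = []
    count = Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)
    for path in procs:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        directory = low[: len(low) - len(name)]
        if name in SYSTEM_ONLY and not directory.endswith("\\system32\\"):
            findings.append((path, "core system binary outside System32"))
        if name in SINGLE_INSTANCE and count[name] > 1:
            findings.append((path, "duplicate of a single-instance system binary"))
        if SHORT_NAME.search(name):
            findings.append((path, "8.3 short file name"))
        if any(d in low for d in USER_WRITABLE):
            findings.append((path, "running from a user-writable location"))
        elif re.fullmatch(r"[a-z]:\\[^\\]+", low):
            findings.append((path, "running from a drive root"))
    return findings


if __name__ == "__main__":
    header, procs = parse_hjt(SAMPLE_LOG)
    print(header.get("Platform"), "-", len(procs), "processes")
    for path, reason in triage(procs):
        print("%-70s %s" % (path, reason))
```

Both copies of winlogon.exe are reported as duplicates on purpose: the reviewer still has to decide which one is genuine, and the System32 location plus the other reasons attached to the Temp copy make that decision.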
 


A week ago my pc refused to boot and the startup recovery option found the root cause as 'ci.dll is corrupt'. I tried to recover with all options available, but it didn't help. Finally I had to reinstall Windows. I still suspect I might have an infection, although my Avira antivirus & Spybot S&D don't reveal anything. When I ran HijackThis, it was not able to save a log file (capture2.png) and also gave one warning about being unable to write to the hosts file (capture1.png). I think this might be due to Spybot protecting the hosts file. But I am unsure. Please check the HijackThis log from my pc (capture3.png). Please help to find out if anything is wrong. Thanks for all your help

A: Suspected infection

Hello meetdenis,

From this point on, please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt. Please post the contents of that document. Please do not attach it.

************

Download CKScanner from here. Save it to your desktop. <=== IMPORTANT Doubleclick CKScanner.exe and click Search For Files. After a very short time, when the cursor hourglass disappears, click Save List To File. A message box will verify that the file is saved. Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply. Please do not attach it.

************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Sca... Read more


Hi There:

I was downloading a program off CNET and all the add-on stuff with the installer has been installed onto my computer.

I have managed to remove most of it (I think) but my computer and the internet have become noticeably slower. McAfee and MBAM did not detect anything but SUPERAntiSpyware detected 4 cookies and the ESET online scanner detected: Win32/InstallCore.D variant.

My Hotmail is not signing out properly and there are numerous svchost.exe programs running (one taking up over 200,000K). This has been going on for some time but after the install: Internet Explorer 9 (64-bit) keeps closing windows stating there is a malfunctioning or malicious add-on.

I'm not sure if there is an infection but this has recently happened so I am suspicious.

Specs:

Windows 7 Home Premium 64bit
4GB RAM
MBAM
McAfee Total Protection
Quad core processors.

DDS will not run on my PC so I cannot include it in my post.

A: Suspected Infection

I have run System Restore and the add-on problem has gone away.


I think my pc may have some spyware/adware that may be the cause of some performance issues. Can you help me check and do a clean up? I post a copy of the HJT log below.

Thanks.

Imr

Logfile of HijackThis v1.99.1
Scan saved at 12:28:03 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\Program Files\Common Fi... Read more

A: Suspected Infection

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
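An added example, not from the answer above, of the "remove every older version, keep only the newest" rule as code: it recognises the Java version strings that appear in Add/Remove Programs display names and in the install paths seen in HijackThis logs on this page (j2re1.4.2_03, jre1.6.0_01, jre6), and splits an installed list into entries to keep, entries older than the chosen latest release, and entries it cannot classify. The installed list and the chosen latest version are constructed for the example; a directory name without an update number is treated as update 0, and the four naming schemes recognised are this example's own assumption about what the uninstall list contains.

```python
"""Decide which installed Java runtimes to remove, keeping only the latest.

Added example; not code from the answer above.  Recognises the version
strings found in Add/Remove Programs display names and in the install paths
that show up in HijackThis logs.  A directory name with no update number
(jre6) is treated as update 0, i.e. older than any numbered update.
"""
import re

# (pattern, builder) pairs tried in order; each yields (major, minor, update).
_PATTERNS = [
    # old-style 1.x.y_uu: j2re1.4.2_03, jre1.6.0_01, "SE v1.4.2_03"
    (re.compile(r"(?<!\d)1\.(\d+)\.(\d+)(?:_(\d+))?"),
     lambda m: (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))),
    # display names: "5.0 Update 9", "6 Update 1"
    (re.compile(r"(?<!\d)(\d+)(?:\.(\d+))?\s+Update\s+(\d+)", re.I),
     lambda m: (int(m.group(1)), int(m.group(2) or 0), int(m.group(3)))),
    # newer directory names: jre7u45
    (re.compile(r"\bjre(\d+)u(\d+)", re.I),
     lambda m: (int(m.group(1)), 0, int(m.group(2)))),
    # directory with no update number: jre6
    (re.compile(r"\bjre(\d+)\b", re.I),
     lambda m: (int(m.group(1)), 0, 0)),
]


def java_version(text):
    """Return (major, minor, update) for a display name or path, or None."""
    for pattern, build in _PATTERNS:
        m = pattern.search(text)
        if m:
            return build(m)
    return None


def plan_cleanup(installed, latest):
    """Split `installed` into (keep, remove, unrecognised) relative to `latest`."""
    target = java_version(latest)
    if target is None:
        raise ValueError("cannot parse latest version: %r" % latest)
    keep, remove, unknown = [], [], []
    for name in installed:
        v = java_version(name)
        if v is None:
            unknown.append(name)       # not a JRE entry, leave it alone
        elif v < target:
            remove.append(name)        # older than the release being installed
        else:
            keep.append(name)
    return keep, remove, unknown


# Constructed Add/Remove Programs list and target release for the example.
INSTALLED = [
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java DB 10.4.2.1",
]
LATEST = "J2SE Runtime Environment 5.0 Update 9"

if __name__ == "__main__":
    keep, remove, unknown = plan_cleanup(INSTALLED, LATEST)
    print("remove:", remove)
    print("keep:  ", keep)
    print("skip:  ", unknown)
    # The same parser reads the paths a HijackThis log shows for jusched.exe.
    print(java_version("C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"))
```

The same `java_version` call can be run over the "Running processes" lines of a posted log: the `jre1.6.0_01` and `j2re1.4.2_03` paths on this page resolve to (6, 0, 1) and (4, 2, 3), which is enough to tell at a glance that the runtime is behind.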

 


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:10:30 PM, on 8/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.ex... Read more

A: Suspected Infection

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop. Double click DeFogger to run the tool. The ap... Read more


Guys

Last week my pc was infected with a trojan which opened numerous security warning pop-ups (sorry, I can't remember what it was called). I restored the machine to a previous point in Safe Mode using System Restore and thought that was the end of it.

However, some programs didn't function correctly (AVG and others) and I then noticed that the date had changed to 2099. I changed the date back and have reinstalled AVG. I then created another Restore Point (all previous ones had disappeared) and did a full system scan, which didn't find anything. But when I rechecked System Restore today, the Restore Point that I manually created yesterday has vanished.

My HJT log is shown below. I'm hoping that some kind soul can take a look at it for me and advise what steps I need to take:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:58:41, on 12/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.... Read more

A: Suspected infection


I have been dealing with this problem for about 2 weeks now, and have spent a tremendous amount of time and energy working on it using multiple fixes, so please excuse me that the initial details are now a little fuzzy.

While surfing, suddenly SpyBot informed me of several registry changes. I immediately suspected spyware, so I did an update and scan and found several infected files (Vundo.H is the only one I remember for sure). Although spybot cleaned them, every time I rebooted and ran a scan Vundo.H was back.

I did the Windows online OneCare scan, and downloaded Live OneCare trial version, and Windows Defender. Still no luck. I then downloaded Malwarebytes' anti-malware, and it seemed to take care of it (along with several other infections that spybot hadn't found). All scans using all the software I had said my computer was clean, but windows defender turns itself off periodically (anywhere from 20 minutes to 2 hours) no matter how many times I turn it back on. I've also noticed a significant reduction in performance.

I've since downloaded, installed and run Spyware Blaster as well as Online Armor.

I feel pretty sure that something is still lurking, but none of the scanners find anything. Any help that you could offer would be very much appreciated.

Thank you,
-julio
Here is a copy of my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:51 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Ex... Read more

A: Suspected Infection

Don't hold your breath waiting for help here... a complete waste of time.
 


For a few days now my pc has been sluggish, with frequent dns failures, very slow downloads. I am running Windows 8 Pro 64-bit (upgraded from Win 7 Pro 64 bit). Below is the DDS log file; attach log is attached. Thanks in advance for any assistance

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16442 BrowserJavaVersion: 10.9.2
Run by renato at 20:55:26 on 2012-12-03
Microsoft Windows 8 Pro 6.2.9200.0.1252.44.2057.18.3071.916 [GMT 0:00]
.
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dwm.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\WINDOWS\system32\taskhostex.exe
C:\WINDOWS\system32\svchost.exe -k apphost
C:\WINDOWS\Microsoft.... Read more

A: Suspected infection

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/477285 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Hi, I am using a HP notebook. Whenever I start up World of Warcraft, my character model and other character models take ages to load (like 10 minutes). Whenever I want to alt-tab from WoW to surf the net, the alt-tab takes ages as well; only when I alt-tab the 3rd or 4th time does my com 'get used' to my switching. I think this is due to my com being infected by some sort of spyware/virus.

Another thing is whenever I start up my com, there's some error message saying that syssetup.exe cannot start (I can't remember the message, all I do remember is an error involving syssetup.exe or something like that). This has been relatively harmless (I think).

One last thing is that whenever I sign into MSN I get this Internet Explorer Script Error.

An error has occurred on the script of this page!

Line: 2
Char: 29877
Error: 'a' is null and not an object
Code: 0
URL: http://kaw.t.msn.com/en-sg/home.aspx?ver=8.5.1302&did=1

Do you want to continue running scripts on this page?

----------------------------------------------------------------------------------------------------------------------------

Now for my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:24 PM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\syst... Read more

A: Suspected infection

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
 


Hi,

I don't think this is a massive problem but I suspect my pc is infected with something but not certain with what. I.E. keeps crashing as well as the computer blue screening with various messages from time to time. The latest thing is my anti-virus (Trend Micro's pc-cillin 14) won't update off the 'net. I'm in discussions with their tech support about it but thought I would post a log here to make sure there is nothing untoward lurking on my machine.

Here's looking forward to your reply

Many Thanks
Steve Petch

A: Suspected Infection

Hello petchy

What registry keys are being found and what is finding them? What OS (Win XP/2000, etc) are you using? Have you performed any anti-spyware scans? If not, start here:

Download and scan with Ad-Aware SE Personal 1.06. Setup & Configure as shown here.
Download and scan with Spybot S&D 1.4. Setup & Configure as shown here. [DO NOT choose the option to install TeaTimer]
Note: If you encounter any error messages while downloading the updates, manually download them from here.
If you're running Win XP/2000, download and scan with Ewido Anti-Spyware v4.0 in "SAFE MODE". Be sure to print out the Ewido Install and Scan Instructions.

Then perform this online Virus scan: Trend Micro Housecall
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]

Post back if you're still having problems afterwards and I can direct you on how to post a hijackthis log.


I'm running Windows Vista. I have the latest version of NOD32, Windows Defender and Spybot Search and Destroy. SpyBot keeps stalling when it gets to file 499 baciami and then crawls through entries at a rate of 1 per 10 mins. Hijack this log is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:00:08, on 01/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui... Read more

A: Suspected Infection

Anyone?


I could use MSN and receive files online but I can't surf in Internet Explorer, or it's very unstable... my bandwidth is also unstable... then recently my Norton Anti-Virus hangs because of a "technical error" and it has never happened before...

A: Suspected Infection

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:30 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Linksys Wir... Read more


Hello! Recently I have noticed a few small things in one of my logs, now typically I am able to tell whether it is rogue or not, but this time I am not. Now my computer as of late has been pretty slowish with random lag spikes for no real reason and from the logs I can't quite tell if there is anything there that might suggest I have an infection. So I was wondering if you guys could take a quick look at the logs and maybe tell me if there is anything there that would suggest an infection or anything there that doesn't really need to be there at all. Thanks in advance.Current AV = Avast (just checking it out)Typical AV = Nod32 (uninstalled while checking out avast)Avast scan results = cleanSpybot s&d results = cleanIobit 360 security results = cleanwindows advanced care results = cleanwindows advanced care security analyzer "scans windows system to find hijacked settings" = brought my attention to checking it out (few weeks ago it was clean)QUOTELogfile of Advanced SystemCare 3 Security AnalyzerScan saved at 12:49:37, on 15/03/2010Platform: Windows Vista (WinNT 6.0)MSIE: Internet Explorer v7.0 (7.0.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskeng.exeC:\Windows\RtHDVCpl.exeC:\Windows\System32\nvraidservice.exeC:\Acer\Empowering Technology\eDataSecurity&#... Read more

A:suspected infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions... Read more


I suspect my system is infected with something. There is an unusually named file, $_hpcst$.hpc, in my c:\documents and settings\name\application data folder. I delete the file while in safe mode just to have it reappear after reboot. Is this file a normal system file or does it indicate an infection? Following is my HJT log. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:12 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utili... Read more

A:Help. Infection suspected. HJT log.

bump
 


DSS Log -

Deckard's System Scanner v20071014.68
Run by Simon L?deking on 2007-10-29 21:59:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2007-10-29 21:00:01 UTC - RP44 - Deckard's System Scanner Restore Point
18: 2007-10-29 20:36:34 UTC - RP43 - Removed Backburner
17: 2007-10-26 10:19:43 UTC - RP42 - System Checkpoint
16: 2007-10-25 10:19:20 UTC - RP41 - Printer Driver Adobe PDF Converter Installed
15: 2007-10-24 14:07:52 UTC - RP40 - Installed Counter-Strike: Source


-- First Restore Point --
1: 2007-10-22 19:55:22 UTC - RP26 - Installed Acer ePower Management


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Simon L?deking.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1036 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WIND... Read more

A:Suspected infection

HJT log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:09 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROG... Read more


Hi, I've read this post and have done the scan on my computer: Suspected infection <--- read
 
 
Hi, I've done the same thing that you have directed the poster of this post to post. Here are my results, can you tell me what to do? 
 
FRST.txt
 
Addition.txt


I've been experiencing some problems with windows lately, programs bugging out and whatnot, and I was hoping someone could help me out. I've run Spybot S&D and it found a few things, all of which have been removed, but I figured I'd give this a shot, since I saw how much help everyone below this thread has received.

Here's my HJT log;

Logfile of HijackThis v1.99.1
Scan saved at 2:34:25 AM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Stardock\wbload.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINNT\Mixer.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINNT\system32\WService.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Fi... Read more

A:Suspected infection, HJT log inc.

Please download WebRoot SpySweeper (It's a 2 week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

Click the Free Trial link under "Downloads/SpySweeper" to download the program.

Install it. Once the program is installed, it will open.

It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.

Under What to Sweep please put a check next to the following:

* Sweep Memory
* Sweep Registry
* Sweep Cookies
* Sweep All User Accounts
* Enable Direct Disk Sweeping
* Sweep Contents of Compressed Files
* Sweep for Rootkits

Please UNCHECK Do not Sweep System Restore Folder.

Click Sweep Now on the left side.

Click the Start button.

When it's done scanning, click the Next button.

Make sure everything has a check next to it, then click the Next button.

It will remove all of the items found.

Click Session Log in the upper right corner, copy everything in that window.

Click the Summary tab and click Finish.

Perform an ActiveSCan:

http://www.pandasoftware.com/activescan/

Save the report to the desktop.

Post a new HijackThis log and the results of the Spysweeper session log and ActiveScan reports.
 


I think I'm infected with something (which is really frustrating, since I have McAfee and MalwareBytes, keep them up-to-date and try very hard to be careful, following the advice of this site).

I've had a few blue screen crashes, the McAfee has been disabled (not by me), various files aren't behaving properly (e.g., encrypted files won't de-crypt and archived files won't unarchive). I've disconnected the machine from the internet and am using another machine to send this post.

I'm not sure whether or not I have access to a Windows Install disc, or a Boot CD.

Thanks for your help -

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dave at 11:47:34.37 on Fri 09/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.418 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\j... Read more

A:Suspected Infection

Bump, please.

Thanks.


Well I have a machine that was infected with a virus. I was able to clean the virus, or so I think it is completely cleaned. The problem is that my scans don't seem to find anything yet I still can't do windows updates. The automatic update service is missing in the services. I tried running the fix that MS gives on their site to reinstall it but it doesn't work. I also ran Dial-a-fix and it found 2 restrictive registry entries. I removed them. The next day I happened to run it again and it found the two restrictive policies again. This leads me to believe I didn't remove it all. I get permission errors when trying to either repair updates and register the .DLL. One I get is "Dll register server in wuaueng.dll failed Return code: 0x80070005". BITS fails to start also. I also get the 0x80070005 error when trying to register qmgr.dll also. The others seem to register fine. This machine doesn't have much information or programs installed. I ran hijackthis and it created a log. Maybe someone can see if something is wrong in the log. Any help would be nice.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:45, on 12/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\... Read more

A:Suspected Infection

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic; if you still need help please let me know what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
CREATERESTOREPOINT
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Then please post back here with the following logs:
OTL.txt
Extra.txt
Thanks


I think I might have an infection but not sure what it is. My computer's programs, my desktop icons take forever to load, sometimes they don't and I have to reboot. One of the browsers I use, Chrome, recently stopped working and I can't seem to get it to work. I removed and downloaded it again, the problem just persists. It says something like, Awe snap, something went wrong with this webpage. I have not run my AVG scan in a very very long time, I tried to update it and it said there was no update but I find that hard to believe. There are always updates. I tried to remove it but I failed to do that. I ran malwarebytes and picked up one adaware and removed it, but I don't think that was the little bug causing the problem. If someone could take a peek here and help me I would greatly appreciate it. Recently I have been getting some error pop up saying something about Win32 had to close or something. I can't remember exactly what it said but when I see it again I will try to copy it. It's that error you get when something crashes and it is telling you it has to close and then it gives me the option of sending a report to someone or not. Sorry to be so vague here but I don't know what Win32 is or what it does. I will try to copy it and post it here the next time I see it.

I just got this Win32 error again. I can't copy it. The same time this error message popped up another tab opened on my Firefox browser and it says, registry v... Read more

A:Suspected infection, please help.

Hello, and to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you... Read more


My daughter has an Asus F3Q Series. Normally she connects to the internet via a Huawei USB Modem. The modem intermittently crashes the notebook although it has been updated with the latest firmware. About 10 days ago the screen resolution dropped to 640X480 on reboot. Although I change it to a higher resolution it goes back to lowest after reboot. Also in Display Properties the theme is now set to Custom (Modified). There's no Custom option left anymore.

Next I noticed that only sometimes there's a process in the task bar called HViewer. It can't be accessed or closed.

I Googled on Hviewer and on CNet I found a discussion that this might be due to VX2. I downloaded and ran CCleaner. I ran my Symantec Antivirus in Safe Mode. I also downloaded and ran Adaware in Safe Mode (the screen resolution is normal in Safe Mode). Adaware didn't show anything up. I also downloaded and ran Spybot Search and Destroy which identified some potential Malware entries. I removed them. Sorry but I didn't keep a log.

So far all of this has been ineffective.

I've downloaded and run DDS as per your instructions. The DDS window closes after about 30 seconds. It doesn't open the text files you mentioned. I don't think there's any script blocking on as I got no messages but I'm not technical.

Furthermore I've had a look in the registry. In HKEY_CURRENT_USER\Software there's a key consisting of 15 square boxes. Underneath it is an entry called Net4Switch which has two entries called Recent File List and... Read more

A:Suspected VX2 Infection

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please: Reply to this thread; do not start another! Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so. Do not run any other tool until instruc... Read more


My hard drive reads constantly even after sitting idle for hours, even days. I have tried to figure out what could be causing it to work so hard but I can't find anything obvious. Not sure if I am infected with something or what. Below are my scan results and attached is the kaspersky report. Thanks for any help you can give.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-20 13:12:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
18: 2008-05-20 17:13:15 UTC - RP147 - Deckard's System Scanner Restore Point
17: 2008-05-20 07:14:11 UTC - RP146 - Software Distribution Service 3.0
16: 2008-05-19 14:46:30 UTC - RP145 - System Checkpoint
15: 2008-05-14 22:41:34 UTC - RP144 - Software Distribution Service 3.0
14: 2008-05-14 09:35:55 UTC - RP143 - System Checkpoint

-- First Restore Point --
1: 2008-04-28 18:45:32 UTC - RP130 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-20 13:33:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\sys... Read more

A:Suspected Infection Not Sure What

Hello GT80. to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine)

We apologize for the delay in response, we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

If you still would like help, please follow the following instructions:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad:
main.txt <- this one will ... Read more


Hi guys, wonder if there is any help available due to my pc becoming infected with what I think is malware. Not too sure what to do. I've got my logs done, not too sure what info you guys require, but any help would be ace. Thanks for your time in this matter. Jason

A:Suspected Infection ?

Sorry guys, I've been a bit vague about my problem, but I really don't know where to begin on it. Please find attached DDS and GMER logs for you to look at. Thanks once again for your time.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-05 13:14:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF74CE818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF74CE7D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF74C2A20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF74C32A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF74CE910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF74CE794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF74C32C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ... Read more


I suspect that I have a rootkit infection causing some redirect behavior. The redirects occur infrequently, but alerted me to the presence of some malware.

I am normally running Symantec Endpoint Protection v11 and Microsoft Security Essentials, and scan periodically; neither has turned up anything beyond a couple of tracking cookies. Upon noticing the behavior I ran Kaspersky's boot CD, a couple of files were cleaned, but the behavior persisted. Now upon running Kaspersky's TDSSKiller I find that I have a service "SafeBoot.sys" that if quarantined or deleted my machine will not boot properly. Restoring to a previous disk image allows it to boot, but restores the nefarious file.

How am I to proceed?
 

A:Suspected Rootkit infection


My flat mate has been on my pc and I now have new wallpaper that says SPYWARE INFECTION, I can't get rid of it, please advise.

Cheers

J
 

A:Suspected Vundo Infection, Help


Hello, I am a poor PC user in distress, and I would be very grateful for any help.

Late last night my IE7 began to pop up ads that were clearly not tied to the pages I was loading, and then eventually kept prompting me to download fake anti-spyware. I usually use Firefox but it began to act oddly too... for example I could load the Google/Yahoo homepage but not complete a search.

I scanned with Symantec and Adaware, both reported a virtumonde infection. I allowed each program to "fix" the infection. They now both show a clean computer, however, opening IE7 now causes a buffer overrun with crashed explorer.exe, but firefox is working much better. IE doesn't itself crash, but it does continue to pop up and redirect me.

I am at my wit's end with this. I have completed the 5 steps so far, and have run the dss.exe with the newest hijackthis.exe. However it did not give me an extras.txt for some reason. I am posting the main.txt.

I am not sure what to do from here. I would be grateful for any advice. I have loaded the XP restore software into combofix, and will use it if that is the best solution.

Thank you in advance.

Deckard's System Scanner v20071014.68
Run by Apollo on 2008-05-15 20:58:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Apollo.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:58, on 2008-05-15
Platform: Windows XP SP2 (WinNT 5.... Read more

A:Suspected Virtumonde Infection

Wow, I totally just pwned Vondu. By hand!

I tried Combofix and it didn't work, neither did Vondufix. Symantec? Spy Doctor? Adaware? Colossal wastes of time.

So, I figured out exactly which DLLs were locked in the system32 because they had random names. I put the recently modified DLLs into google's engine and deleted the ones that had absolutely no entries.

Obviously this didn't work- I tried to unlock the DLLs, but on the third reappearance, it inserted itself into nine separate processes including the unbreakable winlogon. So, I wrote them down, and used Windows Recovery console to delete the three DLLs and the two INI files in the System32 directory. Then I booted to the desktop and cleared the registry with the search function and cclear. I also isolated every file that appeared within that two-hour window of infection and deleted every non-essential file.

Presto- clean machine! Now how much of my student fees are paying for the mandatory Symantec antivirus? I am better off burning that money.
