
Computer had WIN32.TROJANDOWNLOADER.AGENT; cleaned but computer acting even crazier

Q: Computer had WIN32.TROJANDOWNLOADER.AGENT; cleaned but computer acting even crazier

Initially I had noticed that something was up as it started locking up randomly; ran a scan using Ad-Aware Anniversary Edition and it found the machine to be infected with WIN32.TROJANDOWNLOADER.AGENT. So it cleaned it up and... the machine started acting even crazier. A bunch of application profiles (like for Firefox) became corrupt, dragging files from one folder to another did not work (but copy/pasting them did; what the heck), my graphics drivers went haywire, the system refused to download any files (per some security policy) and then Windows found that the registry was amazingly corrupt. Most of these issues have been addressed in one form or another (turns out a fair number of system DLLs were not properly registered); is this just an instance of the cure being worse than the disease? Or did I not get everything cleaned up?

One thing that caught my attention is that file indexing was apparently turned on; I know I disabled that for performance reasons when I first set this machine up.

I have since run both Bitdefender Online Scanner and TrendMicro Sysclean and they both came up clean.

If you're looking in the attached log there is one file that comes up as gibberish (comes up as 3D??????); that is just a Japanese program where the name got mangled in the scanning program.


A: Computer had WIN32.TROJANDOWNLOADER.AGENT; cleaned but computer acting even crazier

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,K

RELEVANCY SCORE 94

PLEASE NOTE: This is a DIFFERENT computer than the one I am currently working on with Agent ST

Because I was paranoid about this one, I ran an ESET Online scan to check my computer and it reported several different trojans:

Win32/Toolbar.Zugo
2 variants of Win32/InstallCore.D
JS/Agent.NDJ
Win32/TrojanDownloader.Tracur.F
Java/Agent.DU
and probably a few more.

I am not sure exactly how many because I inadvertently closed Internet Explorer before the scan completed.

I did not set ESET to remove anything that was found, I was just scanning.

So, here I am, needing help for yet another computer in my house.

It seems to be running fine but since this is the one I use for working at home, communicating with clients, online banking, etc. I need to be sure it's clean.

I am a web developer so I am very familiar with Windows, etc. However, virus removal is not my expertise so I need to ask for help.

Here are the contents of the DDS.log


A: Need help with trojans..Win32/Toolbar.Zugo, Win32/InstallCore.D, JS/Agent.NDJ, Win32/TrojanDownloader.Tracur, Java/Agent.DU and...

Hi Dona!

Peek a boo! Guess who?

Can you try and zip up the GMER log file for me to review?

---------------------

Can you see if ESET Online Scanner dropped a log file in this location?

Browse to this location: C:\Program Files\ESET\ESET Online Scanner\

It should be named: log.txt if it was saved. If it is, please post that for me.

---------------------

You seem to have 2 versions of Skype installed. One of them seems to be a bit outdated.

Let's remove that one now.

You can go to the Control Panel and click on Add/Remove Programs and remove this one: Skype™ 4.1

---------------------

Your version of Firefox is also outdated by two versions. Open up Firefox and go to the Help menu, click on About Firefox.

It should check for updates, and download the updates that are required. Once it's completed downloading the update it'll present you with a button that says Apply Update. Please click on that. It will close Firefox and then apply the update to your computer.

---------------------

Please run these scans for me as well:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Select Perform quick scan, then click on Scan
Leave the default options as it is and click on Start Scan
When done, you will be pro...

RELEVANCY SCORE 89.2

Hi everyone. I find this forum very informative and quite interesting. I'm glad I found it. I do need help in getting rid of these that my scans have found. I use Spybot, Ad-Aware, and AVG on a Windows XP home edition. The Spybot and Ad-Aware found: Win32.backdoor.agent and Win32.trojandownloader.agent. Unfortunately, the AVG did not see these. Any help would be appreciated. The HJT log is below.


A: Solved: Scans detected Win32.backdoor.agent & Win32.trojandownloader.agent Please help

RELEVANCY SCORE 81.6

I did my best to follow the pre-posting instructions and there's still the same issues as before.

Please help me fix this.

A: Win32.trojan.agent, Win32.trojandownloader.zlob, Pe_trats.a

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere then please let us know.

If you still require help, please post a new HijackThis log into this topic in your next reply. Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

RELEVANCY SCORE 81.6

My computer is infected with Win32.Trojan.Tdss and Win32.TrojanDownloader.Agent. I've been trying to remove them with Ad-Aware but they re-install themselves. I've downloaded numerous other malware removers but the malware seems to disrupt / won't allow them to install or work. This includes the root repeal program mentioned in the preparation guide. When I attempt to run root repeal I get the following error:

04:03:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)
04:03:06: DeviceIoControl Error! Error Code = 0x1e7
04:03:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)

The most annoying thing that is happening is when I go to google something, it will redirect me to somewhere else or will throw random pop-ups at me every now and then. Also, I tried to reformat / re-install a fresh copy of Windows Vista but it seems this piece of malware makes it impossible to boot from disk.

Thank you in advance for your assistance!

Attached below is my dds.txt log:


A: Infected With Win32.Trojan.Tdss and Win32.TrojanDownloader.Agent

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 81.2

hey... my command prompt is like showing like symbols and letters... and like near the bottom it will have words.. like if I type in "cmd" the ip stuff don't show up instead a whole page of random things pop up and some are symbol like and no it's not the font... also I think I deleted some kind of folder that allows me to remove and add things to the computer... now I can't open certain folders or I can't download anything... help... thnx

A: command prompt is acting weird after we cleaned the computer

What do you mean by cleaned the computer?

RELEVANCY SCORE 81.2

(DDS log below)

I re-installed my AV after running without it for a while and found that I had quite a few bad things going on picked up by Nod32 including (see attachment for more detail):

Win32/Olmarik.ZC
Java/TrojanDownloader.Agent.NBE
a variant of Win32/Olmarik.UL trojan
Win32/Cimag.CL trojan

I also get multiple outbound connection attempts which are at least partially being blocked by Nod32 to weird .cc .cn and a few .com domain urls, this happens after performing a google search. Also getting some browser redirects going on and homepage changes.

I tried setting nod32 to pre-release updates and performing a full scan, this picked up the above and removed them, but after a reboot there are still things going on. Before reading the steps on this site, I ran the latest ComboFix twice which picked up a rootkit in intelide.sys both times, but appears to come back each time. While I disabled nod32 when I ran ComboFix, it re-enabled upon reboot automatically, not sure if that matters.

I've also been getting a startup delay of around 1 minute after logon, in this time, nothing appears to be going on (no apparent CPU or disk activity), but wireless, AV and other startup items do not run. Then a minute later, everything fires up.

I've tried running GMER several times but this keeps giving me a BSOD with IRQL_NOT_LESS_OR_EQUAL

Last scan with nod32 came up clean but still getting outbound connections and browser redirects.

Looking to sort this out once and for all!

DDS (Ver_10-03-17....

A:WinXP rootkit? problem + Win32/Olmarik.ZC Java/TrojanDownloader.Agent.NBE a variant of Win32/Olmarik.UL trojan Win32/Cimag.CL t...

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)

Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

GMER will open to the Rootkit/Malware tab and perfor...


I've been having problems staying online. I've changed modems but it does not help whatsoever. I assumed it was the modem because the internet light and DSL lights kept going red and on and off at random times....

Umm when I turn on my computer and access the administrator account, before seeing my desktop icons I see a blue screen and then my wallpaper appears... I dunno if that's normal....

My AdWare antivirus keeps telling me I cannot remove the viruses above. I've tried many things without any actual change in this annoying process... (of getting DCed and Re-Connecting)

(Are these problems related??)

Any help would be appreciated, and thank you in advance ^_^

DDS (Ver_09-03-16.01) - NTFSx86
Run by David Luna at 15:57:56.07 on Sun 03/29/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.397 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *disabled*
FW: ZoneAlarm Firewall *enabled*


A:Win32.TrojanDownloader.Agent Win32.Worm.Autorun

Bump


I cannot keep more than 2 things open at any time, and that is including the start up menu bar. I have just recently redone my whole computer to the factory settings and now I am having an even worse problem, which includes my drives not installing correctly! Now all the past problems I have had are similar but not part of the same problem.

Windows Vista (TM) Home Basic* , (6.0.6000)
Processor: x86
Processor Speed: 3191 MHZ
Intel(R) 82945G Express Chipset Family
Video BIOS: 1295
1280 by 720 True Color (60 Hz)

malwarebytes found this:
Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 6.0.6000

4/26/2009 1:25:23 AM
mbam-log-2009-04-26 (01-25-23).txt

Scan type: Quick Scan
Objects scanned: 64241
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{6c51f7e9-8542-4f25-a30f-2060157752e1} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9d573d0e-663c-435f-bf31-2c4497373c41} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typel...

Adaware finally spotted the trojan when I updated the definition files, I suspect it has been there a while due to unusual net activity. Adaware says it has cleaned the infection but I still notice unusual bandwidth activity and system performance issues!

Thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:44:07, on 13/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

A:Win32.trojandownloader.agent

Welcome to BC

Sorry for the delay, the forum has been extremely busy lately.

Since it's been a few days, please post a fresh HijackThis log. Thanks.


Hello, I'm currently on a DELL Laptop. I use this laptop for my work, etc. I recently opened an e-mail from a notificator I registered with promising me my vacation. Unfortunately, it was phony and I clicked on the link before noticing it wasn't a valid web address. Soon enough, millions of pop-ups filled the screen and my laptop was booting up so slow. I contacted a DELL tech support and I spent so much money and time and they told me to upgrade my memory and buy a McAfee product. My problem still isn't fixed so I'm posting here, hoping that everything will be resolved! Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:49 AM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

A:Win32.trojandownloader.agent

Hello Kameron

Welcome to BleepingComputer
========================

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


I don't know how to get rid of it. I've tried other spyware programs but it keeps coming back. It's in my hkey_local_machine\software\ptssa if that helps.


A:TrojanDownloader.win32.agent.li????


I cannot remove TrojanDownloader.Win32.Agent.bc!!

please help ...

Logfile of HijackThis v1.99.1
Scan saved at 4:03:22 PM, on 07/03/2005
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)


A:TrojanDownloader.Win32.Agent.bc

Hi poorguy


Download CleanUp! (Alternate Link if main link doesn't work) and install it. Don't run it

Download CWShredder.exe from here (do not run it yet, we'll get to it in a later step):
Cwshredder.exe But do not run it yet

download AboutBuster from one of these sites.
http://www.besttechie.net/tools/AboutBuster.zip
http://www.majorgeeks.com/download4289.html
http://www.malwarebytes.biz/AboutBuster.zip
http://www.atribune.org/downloads/AboutBuster.zip
http://www.snapfiles.com/dlnow/rdir.dll?id=108281

After you download it unzip all files from the zip folder to a folder or your desktop.
update it don't run it yet

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

second

please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Cwshredder

Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")

next run

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask yo...

Hi, I hope I can get some help.
My Internet Explorer gets hijacked to blank.
I ran Spybot but it found nothing; Bazooka found no spyware.
Ad-Aware found win32trojanloader and I removed it but it keeps coming back.
I think these also have something to do with it: www.7days.com, www.lookfor.ccl, and www.onlysex.ws
Can someone help me get rid of this?
Thank you
 

A:win32.trojandownloader.agent.al

Closing duplicate, please reply here:

http://forums.techguy.org/showthread.php?t=335463

eddie
 


I found this virus using Adaware, but was unable to remove it. I downloaded SuperAntiSpyware and it found even more.

I deleted the ones it found, restarted my computer and I am still receiving popups.

Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:40 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal


A:win32.trojandownloader.agent HELP


Hi I keep trying to delete this file from Ad-Aware but it keeps returning after reboot.

Ad-Aware logs are

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, February 20, 2007 2:35:37 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R154 19.02.2007

References detected during the scan:
MRU List(TAC index:0):1 total references
Win32.TrojanDownloader.Agent.am(TAC index:10):5 total references

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

2-20-2007 2:35:37 PM - Scan ...

A:Win32.trojandownloader.agent.am

Welcome to BC GMP

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT. Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

Go to: C:\HJT\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply.


So my computer got hit with that, I tried using malwarebytes but it would not load. I did a system restore and malwarebytes works. However, I can only load to desktop on safe mode. When I try to load to desktop in normal mode, I get a spool.exe error, memory could not be written. I don't have the exact error messages as I have my main comp doing a full system malwarebytes scan in safe mode at the moment.

I tried looking up fixes for the spool error but most of them referred to problems caused by a printer. I do not even have a printer installed on my other computer. I also read that the spool error could be caused by malware or viruses.

Please help!

A:Problems with win32.trojandownloader.agent

My full system malwarebytes scan came up with the following infections.

Rootkit.Agent


Hello,
My Ad Aware detected the Win32.TrojanDownloader.Agent after I did a scan. I deleted it, rebooted my PC and ran another Ad Aware scan afterwards and it came up again.

I followed the instructions and steps that were given to somebody else who was having a similar problem on this forum up to the point where the moderator asks for the "NEW COMBOFIX and HIJACKTHIS LOGS"
(Here is the link to the thread that I followed step by step up to the point where the moderator asks for the new log files..."http://forums.techguy.org/malware-removal-hijackthis-logs/650711-scans-detected-win32-backdoor-agent.html")

So to recap...So far I've...updated Java & deleted the old versions, downloaded and ran ComboFix. I also wanted to add that as I was writing this thread my Avast Anti Virus popped up and warned me of 3 new trojans...never seen it before...I hit the delete option on all. I will also include a log of what Avast Anti Virus found as well.

Thanks in advance...here are my log files:

ComboFix 07-11-08.1 - Administrator 2007-11-15 16:24:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\Program Files\...

NOD32 keeps popping up saying it's found:

Win32/TrojanDownloader.Small trojan
Win32/Agent.BCK trojan
Win32/BHO.G trojan

I've done full scans with NOD32 and Spy Sweeper with no help.
System Restore was also no help.
Maybe someone here can help me out

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:35 AM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


A:Solved: Win32/Agent.BCK BHO.G & TrojanDownloader.Small


I use Ad-Aware SE Personal to scan my computer.... and there are a few critical objects and there are two names, that is Adware.MyToolBar & Win32.TrojanDownloader.Agent....what do I do now????

A:Adware.mytoolbar & Win32. Trojandownloader.agent

Hi: FIRST try using the Ad-Aware program to "quarantine" those "critical objects". The guidelines on doing that are found by clicking "Help" on the left-hand side of the "start-up" screen, then double LEFT-clicking on the "Using Ad-Aware SE" topic, then double LEFT-clicking on the "What is the quarantine?" topic and following the "instructions" there.

Since "TrojanDownloader.Agent" is a very bad piece of spyware, Ad-Aware might NOT be able to "handle" it. IF this happens, the use of the "HijackThis" program will be required, then you should download HijackThis (? Merijn) from: http://www.thespykiller.co.uk/files/HJTsetup.exe.

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose "Save". After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation. Then you would post a "log" from running the program on a Support Forum, such as on this forum, to have their Experts "review" the Findings and offer solutions.


DDS (Ver_10-03-17.01) - NTFSx86
Run by JAGNA PNP at 9:21:36.10 on Sat 04/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.735.286 [GMT 8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

A:Win32\TrojanDownloader.Agent.NXY trojan (drsb.exe)

Hi,

Ever wondered how you got infected? I see you are using a hacked version of Eset (NOD32) to bypass registration. Illegal software or their hacks/cracks are ALWAYS a source of malware and as long as you continue with this trend, you'll always get infected as well.

Anyway,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK...


I have already read the FAQ and run the latest versions of Spybot and AdAware in safe mode. Every time I run AdAware it catches Win32.TrojanDownloader.Agent malware, removes it, but as soon as I boot up again it's back. I have run Spybot just once and it did not catch that virus but did catch three called Win32

This malware continuously pops up a fake Windows Security Alert that says: "Windows has detected an Internet attack attempt...Somebody's trying to infect your PC with spyware or harmful viruses. run full system scan now to protect your PC from Internet attacks, hijacking attempts, and spyware! Click here to download spyware remover for total protection."

After half a minute or so, Internet Explorer then opens on its own at either the site http://yourprivacyguard.com or http://safenavweb.com. I disabled access to IE to try to stop that or it will open lots of IE windows.

The virus changed my desktop background picture (or pasted a picture over my background? I could not click any icons) to a .gif that says "Your privacy is in danger, download spyware remover for total protection" or something along those lines.

The virus adds three shortcut windows to my desktop which reappear the instant I reboot. They are labeled Error Cleaner, Privacy Protector, and Spyware &...Protection. All three are shortcuts to http://viruswebprotect.com/shandler.php

The last symptom so far is that the virus will cause the task explorer.exe to take up 100% of my CPU Usage...

A:Nasty Malware - Win32.trojandownloader.agent

Hi chinasteiners and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


Hi, I was told on another website to come here and ask about the virus infections on my pc. I'm using Windows XP Home Edition Service Package 2.

Last night when I was just browsing the internet, Windows Firewall popped up asking if I wanted to keep blocking some features of 'svchost.exe'. Unsure what to do, I went 'keep blocking'. I was told it was a vital part of Windows so I thought it was infected.

My PC restarted a few minutes later, when it turned on a little icon in the bottom left corner that was red with a white X was telling me this

'Your computer is infected! Windows has detected spyware infection! It is recommended to use special antispyware tools to pervent [sic] data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!'.

These viruses have changed my homepage to Google with huge fonts and all links keep redirecting me to random sites. I tried using the Malware tool with windows, but that failed and sometimes when I turn my PC on I have a black screen and my cursor so I have to keep restarting it. The virus also makes AVG 8.0 Free crash when it starts scanning.

When I scanned in Safe Mode last night, this was the log:

AVG 8.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2008 AVG Technologies
Program version 8.0.145, engine 8.0.0
Virus Database: Version 270.8.1/1732 2008-10-18

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mic...

A:Computer Infected, TrojanDownloader:Win32/Renos etc!

Hello and welcome to TSF.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hey so I have a virus that Adaware cannot remove. I have been reading other posts so I downloaded and ran HijackThis and will post the log; also I don't know if this is helping for this particular item but I ran Combo-Fix and I will post that log as well. Any help will be greatly appreciated.

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:58 PM, on 17/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal


A:[SOLVED] Win32.Trojandownloader.Agent virus problem

Thanks for the help, PLEASE CLOSE THIS POST, I SOLVED THE PROBLEM MYSELF


I would appreciate any help with this issue. This is my kids' PC as you will be able to tell from the logs. Strange behavior, sudden reboots, recovery from serious error on reboot. Help Please!

I ran Ad-Aware and it was coming up with 3 win32.trojandownloader.agent as follows:

c:\windows\web\default.ftt
reg value software\microsoft\windows\current version\run "kernal fault"
c:\windows\mrofinus572.exe - I can find this file but not the first one

I also found IE host R3 when running Revo Uninstaller, but not sure if I should uninstall yet.

When I ran DSS it only produced the extra.txt. It did not produce main.txt. When DSS finished running it would give me an error message stating that it can't find c:\deckard\system scanner\main.txt. Would you like to create the file.

***EDIT**** Now able to produce main.txt, realized my McAfee virus scan was deleting it because it said it had a trojan in it.

I also ran Kaspersky online and it came up with 17 infected. Some of them are .exe files which have me very scared.

The only thing I can post is the extra.txt and a HijackThis log that was produced when running HijackThis as standalone. Hope it's enough, if you need anything else please let me know. Total newbie with this stuff and afraid to do anything that might harm the computer more.

MAIN.TXT
Deckard's System Scanner v20071014.68
Run by ***nert on 2008-06-22 12:01:13
Computer is in Normal Mode.
------------------------------...

A:Win32.trojandownloader.agent Malware--system Is Crawling!

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\SYSTEM32\imagehlp.exe
C:\WINDOWS\SYSTEM32\gdi32083.exe
C:\WINDOWS\SYSTEM32\secur329.exe
C:\WINDOWS\qc6l4fmq.exe
C:\WINDOWS\mrofinu572.exe
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

===================

You are running an older version of Java. This can be a security risk so let's get you the latest version.

Upgrading Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click t...


Somehow or another I got win32.trojandownloader.zlob malware on my computer. It was located in C:\Programfiles\Applications

I did a scan after going through the 5 steps before posting and it didn't show up anymore, but I'm not sure if it's gone for sure.
Either way my computer is really slow; I think it installed spyware on my computer and that is what's slowing it down.

Yesterday before I got through with the 5 steps before posting, a little pop up bubble on the taskbar of my computer said something about there being a lot of spyware on my computer and to click the bubble to fix the problem. I right clicked on the icon to see what it was and it sent me to an Antispycheck website. My computer considered that a restricted site, so I'm assuming it has something to do with this trojan.

Another weird thing that seems to be happening is that when I click on a link in a Google search (such as when I was trying to get into the Ohio State University website) it opens a new Internet Explorer window and uses a random search engine to search for whatever the link is I clicked on (it searched Ohio State on search17.info .com). In order to get into the link that I want, I have to right click on it and specifically click open.

I'd definitely appreciate some help with this.


I have attached my Panda ActiveScan log

Here's my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:19 PM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet...

A:win32.trojandownloader.zlob malware~ Spyware slowing down computer

BUMP, please


Finally hit by malware and all my own fault.

After running a program I should have checked first, my laptop slowed down to a crawl and started showing popups every few minutes. Norton diagnosed a Win32.TrojanDownloader.Agent but with an out of date virus file.

When I tried to run AdAware it was deleted ! After I downloaded AdAware again and ran it the popups seemed to have disappeared. However various programs were running now and then and my laptop was extremely slow.

Following the 5 steps described in the Forum, Panda online scanner found 2 viruses, 75 spywares and 3 rootkits!

The first time I ran DSS it created both main.txt and extra.txt but from there on it only creates main.txt.

I am sending the first main.txt log file with the extra.txt attached.

If there's any other info that you'd need please ask.

Thanks in advance.

Deckard's System Scanner v20070905.67
Run by Δημήτρης on 2007-10-03 00:50:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-10-02 21:50:13 UTC - RP237 - Deckard's System Scanner Restore Point
1: 2007-10-02 21:35:29 UTC - RP236 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Percentage of Mem...

A:Constant popups gone, but PC full of spyware (Win32.TrojanDownloader.Agent found)

It doesn't look too bad....


Please download Combofix from HERE

http://www.techsupportforum.com/sect...s/ComboFix.exe

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.


eSets found and removed several Trojans. Just wanted to make sure the system is actually clean. The eSet log is below as well as the DDS scan. Thanks for your help. Carl

eSet Log:

C:\Users\Carl\AppData\Local\cjcwyim.exe probably a variant of Win32/TrojanDownloader.Agent.RIJ trojan cleaned by deleting - quarantined
C:\Users\Carl\AppData\Local\qjsngankgyvd.exe probably a variant of Win32/TrojanDownloader.Agent.RIJ trojan cleaned by deleting - quarantined
F:\Users\Carl\Downloads\03_Audio_W7NP7220.exe Win32/Bifrose.NTA trojan cleaned by deleting - quarantined
F:\Users\Carl\Downloads\Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined
H:\Users\Carl\AppData\Local\cjcwyim.exe probably a variant of Win32/TrojanDownloader.Agent.RIJ trojan cleaned by deleting - quarantined
H:\Users\Carl\AppData\Local\qjsngankgyvd.exe probably a variant of Win32/TrojanDownloader.Agent.RIJ trojan cleaned by deleting - quarantined

DDS Scan:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.9.2
Run by Carl at 13:22:57 on 2012-12-08
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8183.4093 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E683...

A:Win32/Bifrose.NTA trojan and Win32/TrojanDownloader.Agent.RIJ trojan

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.e...


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 94300
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:45:29

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\FreeApp.exe Infected: Trojan.Win32.Agent.arng 1
C:\Qoobox\Quarantine\C\Program Files\tinyproxy\tinyproxy.exe.vir Infected: Trojan-Proxy.Win32.Agent.bcw 1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe Infected: IRC-Worm.Win32.Small.x 1
C:\WINDOWS\bolivar24.exe Infected: Backdoor.Win32.Agent.ubx 1

The selected area was scanned.

Logfile of random's system information tool 1.04 (written by random/random...

A:Infected: Trojan.Win32.Agent.arng, Trojan-Proxy.Win32.Agent.bcw, IRC-Worm.Win32.Small.x, Backdoor.Win32.Agent.ubx

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any scr...


A friend of mine isn't that computer oriented and was on my computer and clicked on everything that popped up pretty much. Ever since then my homepage has been coming up as blank and I have been getting a little bubble at the bottom of my screen saying that I have spyware on my PC along with a numerous amount of pop ups (which I never got before, at all) and I did the scans described in my description and still no luck removing them. Never had this kind of problem before, at least of this. I'm a very big noob when it comes to this so bear with me. Thanks in advance for any tips or ideas!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:49:22 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system3...

A:Infected With Trojan.win32.startpage.adh, Trojandownloader.win32.zlob.ci, Trojandownloader.win32.zlob.mo, Spywarequake 2.0, Sea...

Hello Gnome86,

Welcome to BC. I am sorry to be the bearer of bad news, but you have several infections, the most important of which is a worm, SDBOT.BWV, with backdoor and keylogging capabilities, evidenced by these entries:

O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [System Kernal Support] system.exe

I would recommend you to disconnect this PC from the Internet immediately. If this computer is used for any sensitive transaction like banking or other financial transactions or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would also be wise to contact those same institutions to alert them to the possibility of identity theft.

Though it is identified and can be killed, because of its backdoor functionality, it is very likely that your computer is compromised and there is no way to be sure that it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Here are some informative links to help you decide:
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Securi...


The virus redirects me to another webpage whenever I click on a Google result. The virus also pops up a bogus icon in my system tray that tells me to update my virus software and do a scan.

I have used an updated version of avast to scan the system but it has not been able to pick up the virus. I have posted an HJT log below. Please help...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1014 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:...

A:Computer infected by Win32.Agent.FRG

See if this helps...



Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe

Reboot................

======================

Please download the OTMoveIt by OldTimer

Save it to your desktop.

Please double-click OTMoveIt.exe to run it

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\system32\rpcc.exe




Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


I have Trojan win32.agent.adb on my computer. I have tried removing it with Spybot, but on restarting and scanning with Spybot, it appears again. My computer has frozen a few times, minutes after starting it, and it is running a bit slower. I am running Windows Vista, keeping up to date with updates. There is no error message, except when I ran Spybot in normal mode, program errors occurred and it even got closed during the scan, but I haven't got those messages nor malfunctions of Spybot in the last few scans. I would appreciate any assistance with the matter.
 


I have the Win32/Agent.AY virus on my computer. Please tell me how to rid my life of it! You guys rocked last time!

A:Win32/Agent.AY on work computer

Hi and welcome to TSF

Please go into Windows Explorer, click on C:\ > File > New Folder and call it HJK, or another name of your choice. Go to this site and download Hijack This. Install the program into the folder you created then run it. Click Scan. Save the log file to Notepad, then copy and post it back here. Make sure to include the System information at the top of the log as well.

I do not subscribe to threads, so please PM me the link once you have posted your log


Scanned with Adaware, Spybot and Malware bytes. Both found stuff and removed. Only Spybot finds anything now, it's always Win32.Agent.svc. Files that keep replicating in my temp folder named svchost.exe in strangely named folders like lblt.tmp. Links from google send me to other websites.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jacob Moore at 21:56:05.04 on Thu 07/01/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.911 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:...

A:Spybot says Win32.Agent.svc I say bleeping computer.

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is ...


Hello,
I keep receiving a pop up message which I assume is fake: "Windows Security Alert" "Name: Trojan-Keylogger.WIN32.Agent." It gives me the option to click a button if I want to "Enable Protection". At first my computer seemed to be running hard so I opened up the task manager to see what was running and QTTask.exe was running and I could not end task. I tried downloading a couple of anti-virus software packages and I was able to remove some infected files in safe mode, but it has not resolved my problem. Currently the pop up message continues but the QTTask.exe is no longer running. I now have internet access and the computer is working a little faster. Please help, I have no idea what I am doing.
Thank you!

StartupList report, 7/6/2009, 10:26:26 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16850)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.ex...


I've tried everything I know but it's not workin. My computer is infected with a Trojan-Dropper.Win32.Agent.dgo (whatever that is). I'm not all that good with computers..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:30 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.ex...

A:Help! Trojan-dropper.win32.agent.dgo Computer Too Slow

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems. Apologies for the late response, as I'm sure you can appreciate we are absolutely snowed under with logs. If you still require help, please post a new HijackThis log into your next reply.


First of all, thank you so much for taking the time to help me.
 
Every single game I play online will have some kind of strange problem.
 
Games for example:
 
RED ORCHESTRA 2:
I get a 'Speed hack detected' and I'm stuck in one spot for a couple of seconds, after it happens a few times I get session banned. (This happens in every server)

HALF LIFE'S Sven co-op:
I will play normal for like 1-3 min and then I will get stuck a couple of times in one spot for a couple of seconds, kinda like a time out, eventually I get kicked for reason:
'You have been disconnected from server. Reason: Reliable channel overflow.' (This also happens in every server)

And other games:
I'll play normally for like 1-3 min and then I'll get stuck in one spot, I can see my player animated running forward but he is stuck in the same position for a couple of seconds, some games don't kick me and just let me continue playing even though the time out thing will occur every 1-3 min.

My ping shows normal when this time out happens in every game, it doesn't seem to spike or jump.

Things I've done to try to resolve the issue:

I have called my ISP to see if it was a connectivity issue, they tell me my connection is fine. I am using Cable internet directly connected to my tower.

I've run Windows Microsoft Security Essentials: Nothing found
I've run Malwarebytes malware remover: Nothing found
I've run Hitman Pro: It found some tracking cookies and removed them
...

A:Found Trojan:Win32/Meredrop, I removed it but computer is still acting strange.

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Nothing suspicious was found on your DDS log.
Let's continue.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then click on "Scan" button.
Wait until the Status box shows "Scan Finished".
Click on "delete".
Wait until the Status box shows "Deleting Finished".
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller

+

Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.

IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.

Close all open programs and internet browsers.
Double click on AdwCleaner....


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by Maria Fernanda at 21:13:46 on 2011-10-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2386 [GMT -5:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Enabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\...

A:Win32.Agent.hvge, Kaspersky tries to disinfect and computer shutsdown.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421512 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:07 AM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\...

A:Computer Infected With Win32: Tiny-if Agent-lap Vundo-gen49

Welcome to the BleepingComputer HijackThis Logs and Analysis forum sdianneodom. My name is Richie and I'll be helping you to fix your problems.

Download HostsXpert 3.8: http://www.funkytoad.com/download/HostsXpert.zip

1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to: C:\WINDOWS\System32\drivers\etc\HOSTS.

1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open, at the bottom of the window to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

If you have previously downloaded ComboFix, please delete that version and download it again from below.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post th...


Went through steps to clean my computer of a Trojan today. ESET scan came back clear. Then I took the advice and began downloading programs to protect myself. When I downloaded COMODO free firewall, it did a scan for malware and found 5 files that were a threat.

One containing the words 'combofix' and another 'win32' which initially in my alert from Windows Security Center saying 'Win32.Backdoor.DNM'. I chose to remove these files and my computer and restart for the firewall to install and changes to be made. When my computer rebooted I had a message from the firewall saying 'svchost.exe' is trying to connect to the internet, which was also one of the viruses that were meant to be removed when I ran Combofix.

My other thread was closed as I thought my troubles were over. Help would again be much appreciated.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Frankie at 0:51:03.03 on 04/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.510.126 [GMT 0:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C...

A:Cleaned my computer with staff help today. Scan still found virus on my computer.

Check your PM inbox. Personally, I don't care for Comodo, and the only firewall I use is my router's hardware firewall and Windows XP's. Too many people don't know how to respond to the notifications from firewalls. I don't care for Comodo's detections, and it's overly intrusive.

If you installed this before you uninstalled ComboFix, that would explain why you were getting some hits from Comodo. It incorrectly sees parts of ComboFix as a threat. Also, there might be some quarantined files left behind if you installed this before uninstalling ComboFix.

Regarding svchost.exe, as long as it's in system32, that's fine.

http://forums.comodo.com/frequently_...-t14464.0.html

I see no active infection.


Had the day from hell with my computer, antivirus stopped working and my computer got infected. On safe mode with networking, I ran malwarebyte a couple times, cleaned most all of it out. When rebooting to Windows, computer became super slow, like 5 minutes to open a window, etc. I had to force reboot a few times. But then I started getting a screen that demanded a reboot disk. Only one I have is a Windows Vista disc. I had Windows 7. It won't let me even get that blue startup screen where I can push F keys.
Can anyone give me some advice, or do I need to just get a new hard drive?

A:computer infected , cleaned, bsod, freezing, now computer wants boot disk

Welcome,
The problem isn't the hard drive, it's that you are still infected.
I'm going to ask a moderator to move this thread into Am I Infected so that you can work with one of the expert volunteers there to get your system cleaned correctly.
 
Dick


I had recently gotten help from one of the forum admins/tech support, Broni, to remove a powerful and horrible virus that kept playing ads in the background.

But now that it's been removed, all my sound is not working on my PC. Rebooting the PC doesn't produce sound, clicking things doesn't produce sound, my headset doesn't produce sound, my microphone doesn't produce sound or transmit it, and videos, along with music on the PC, don't produce sound.

It seems that all sound has stopped functioning. I could use some help!
 

A:No audio at all from computer/headset/microphone after having computer cleaned of virus

Go to your computer manufacturers website, go to the support/download/driver page.

Select which operating system you have.

Go to the audio section, and download the file, run the EXE, restart your machine and sound should work.

It's probably a driver issue.
 


I believe I was infected last night when a website somehow redirected me to liteautogreatest{dot}cn.

I'm running XP Home SP3 and the ZoneAlarm Internet Security Suite (just updated earlier today).

ZoneAlarm continually finds a couple of problems and hibernates them but they do not go completely away after a reboot.

The ZoneAlarm active monitor scan shows the following...

Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNB.tmp on 4/20/2009 13:29:22
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNA.tmp on 4/20/2009 13:23:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN9.tmp on 4/20/2009 13:17:40
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN8.tmp on 4/20/2009 13:14:30
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN7.tmp on 4/20/2009 13:07:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN6.tmp on 4/20/2009 13:02:40
Rootkit.Win32.Agent.ikz was found in C:\WINDOWS\system32\drivers\systemntmi.sys on 4/20/2009 12:57:48
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\T...

A:Infected with Rootkit.Win32.Agent.ikz, Trojan-Dropper.Win32.Agent.amzh, Trojans? Malware?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Then download and install SUPERAntiSpyware Free
Double-click SUPERAntiSypware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, re...


I saw these in my NOD32 AV Threat log. The ones I saw at first were the 8/30/2007 ones. I thought the infection had been contained and eliminated, but then I later received the 8/31/2007 ones and saw that ZoneAlarm was asking me for authorization for a lot of programs it should have had authorized before, such as both my Seamonkey and IE web browsers; even NOD was asking for permission to connect. I denied all but didn't tick the always remember option so I'd see when it would ask again. I tried to run the NOD standalone scanner on my system and it said "NOD32 Checking CRC of NOD32.EXE: file is corrupted, possibly due to infection." Now I was getting VERY nervous. I hadn't downloaded anything recently, I mainly use the system to check emails and play an online game. So I confronted my friend that had been over earlier and he said that he had downloaded a file via bittorrent and the AV windows had popped up, but since it said quarantined/deleted he thought nothing of it and kept on going.

After some Google searches I came across this forum and I'm hoping I can find some help here. I've downloaded DSS.exe already as well as done the PandaAV scan, but NEITHER can finish its scanning, they crash towards the end and I receive no logs :(. However DSS did download HijackThis and I ran it and did get a successful log there. I did find one line in particular that caught my attention due to the fact that it had such a weird name.

O20 - Winlogon Notify...

A:High CPU usage: Win32/TrojanDownloader.Small.EQN and Win32/TrojanDownloader.Small.NRS

I've tried DSS and Panda again. Panda quits out IE completely near the middle after finding 2 infections and several files; DSS crashes towards the end. I'll try running it again and seeing if I find at what point this occurs. There are no log files in the Deckard directory. However, Kaspersky's online scanner seems to work. I've looked up in the selfhelp thread stickied on this forum, but the VundoFix finds no files to remove. Also I am not getting any popups that this virus/trojan is supposed to have. Should I not use this system until I hear of a fix? I feel that the files infected list will only get worse the longer it runs. In ZoneAlarm the file size of iexplore.exe is 621k, while on a friend's system it's 610k. While both systems have the same patches applied from MS, one has a hyperthreading CPU, so I don't know if MS installs different versions for multi-CPU hardware.

Friday, August 31, 2007 17:16:16
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 1/09/2007
Kaspersky Anti-Virus database records: 401550
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Memory
Scan Statistics
Total number of scanned objects 1593
Number of viruses found 2
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 00:01:01...


I have an F-Secure internet security software suite on this computer, and it is up-to-date and functioning. I also have MalwareBytes (free) installed and have been running it regularly, and I use the ESET Online Scanner as well. The OS is Windows XP, and it is up-to-date.

About three weeks ago I cleaned around three trojans from this computer using MBAM and the online scanner. A few days ago, Adware.Win32.WebHancer.x was found by F-Secure, and is currently quarantined. Today, several instances of the two Trojan-Spy programs were found and quarantined by F-Secure; they infect system files and system restore files. I already looked up information on cleaning the system restore files by stopping and restarting system restore (and scanning in between). I deleted the quarantined files.

All of the Spy-Trojans found are infecting in C:\hp\recovery\wizard\fscommand\. The file names are:
AppRecoveryLink_ret.exe
CDLogic_ret.exe
CreatorLink_ret.exe
RestoreLink_ret.exe
RTCDLink_ret.exe
RunLink_ret.exe
SysRecoveryLink_ret.exe
WizardLink_ret.exe

The Adware infected a .dll file, and I was advised not to delete it.

CDLogic_ret.exe is Agent.bdzz; the rest are Agent.beaf

I have run my antivirus, MBAM, and the online scanner again and they picked up nothing. Also, the Adware and Trojan-Spys were all found during MBAM scans, but F-Secure picked them up.

I have attached a HiJackThis log and a DDS log; GMER froze my computer partway through the scan when I used it. I have ran a...

A:Infected with Trojan-Spy.Win32.Agent.bdzz, Trojan-Spy.Win32.Agent.beaf, and Adware.Win32.WebHancer.x

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Hi, as I've seen a post earlier about this problem, I wanted to post to inquire about the same problem I have, which the "trojan-Downloader.Win32.Agent Variant" warning shows up when I try to open World of Warcraft, I've used Norton Anti Virus to scan but for some reason I found nothing.

As in the previous post it mentioned downloading HijackThis and posting the findings... I was wondering if anyone could assist me with this and the steps... much appreciated.

Regards,
Nick
 

A:Trojan-Downloader.Win32.Agent Variant

Here is the HijackThis log as follows, please assist on the next steps. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 1:44:31 AM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program...
