
Blackmailer trojan spread by emailing JS Script

Q: Blackmailer trojan spread by emailing JS Script

A new blackmailer variant with new transmission characteristics was captured by the Antiy Threat Situational Awareness System on December 2, 2015. It is delivered by a JS script inside a compressed package rather than by sending a binary payload directly.

The Antiy PTA group has analysed the related incidents and samples. This sample is TeslaCrypt 2.x, a variant of TeslaCrypt. A zip file attached to the mail is unzipped to a JS script. When the JS script is executed, it downloads TeslaCrypt 2.x and runs it, which traverses the computer's files and encrypts files with 186 kinds of extension, including documents, pictures, audio, etc. After the encryption, it opens the blackmailer's homepage to extort the victim and asks for 500 USD to decrypt within a specified time; if that time is exceeded, 1000 USD is demanded. Because the TeslaCrypt 2.x variant changes the way the key is calculated, using the ECDH algorithm, the attackers and victims can negotiate a key without sharing any secret. The TeslaCrypt decryption tool released by Cisco [1] can no longer decrypt these files.

Social engineering email spread
TeslaCrypt 2.x spreads by sending large numbers of emails; a screenshot of one such email is as follows:

It uses "Hello" as the salutation rather than a specific name. The text body is "Please check the attachment, E-mail documents will be mailed to you and this electronic version is sent to you for your convenience". To stress the importance of this email, the blackmailer emphasizes that the mail is also being sent by traditional post. Thus the recipient may regard it as important and open the attachment.

The e-mail attachment is invoice_06796407.zip, which unzips to the file INVOICE_main_BD3847636213.js, a downloader used to download TeslaCrypt 2.x and execute it.

Analysis of sample
3.1 JS script file:
Virus name: Trojan/JS.Downloader.gen
Original file name: INVOICE_main_BD3847636213.js
MD5: 0352ACD36FEDD29E12ACEB0068C66B49
Size: 6.48 KB (6,644 bytes)
Interpreted language: JScript
VT first update time: 2015-12-02
VT detection result: 23/52
INVOICE_main_BD3847636213.js uses transformation-based obfuscation to evade antivirus detection and decrypts itself with the Eval function to obtain the clear code. When the user double-clicks this JS file, it downloads executable files from three network addresses in order to the Temp directory and executes them. If the download and execution from the first address succeed, the following two addresses are not used. The network addresses are separated by spaces:


A comparison of the relevant code before and after decryption is as follows:

Sample analysis of the corresponding blackmailer
This variant is similar to the malicious behaviour previously described in the Tesla report; the report from another security team, iSIGHT Partners, can also be used for reference [2]. After the sample is executed, it AES-256 encrypts documents, saves the information required to recover the files to the registry and to text files, and sends the related information to a Tor server controlled by the attacker.

Virus name: Trojan/Win32.ransomware.gen
Original file name: 76.exe
MD5: 449C43E250D075D6F19FACB0B51F4796
Processor architecture: X86-32
Size: 391.0 KB (400,384 bytes)
Format: BinExecute/Microsoft.EXE[:X86]
Time: 2015:12:03 06:19:51+01:00
Digital signature: NO
Packed: NO
Compiled language: Microsoft Visual C++ 9.0
VT first update time: 2015-12-03
VT detection result: 25/52
The sample uses junk instructions and anti-debugging techniques. It starts a suspended copy of itself, reads its own data and, after decryption, writes it into the new suspended process; it then checks whether its own path is the specified Application Data path. If not, it moves itself to that directory and renames the file to five random letters followed by -a.exe (for example mghsd-a.exe). It creates a fixed mutex with the value "78456214324124"; in the dynamic analysis environment PTA found that it used bcdedit to disable safe mode and recovery mode. It creates a startup entry in the registry:


Then it creates multiple worker threads; analysis of some key threads is as follows:

(1) Delete the volume shadow copies in the system: system?exe delete shadows /all /Quiet

(2) A thread traverses process paths; if a path contains any of the strings Taskmgr, procexp, regedit, msconfig or ex, it terminates the related process. Thus CMD, Task Manager and process inspection tools cannot be opened, and so cannot be used to inspect and end the malicious sample's process.

(3) Another thread is mainly used to connect to the Internet and report information to the attacker's control server; the URLs it connects to mainly include:

Visiting myexternalip.com/raw to acquire the external IP address of the victim host.

Submitting information by visiting the following network addresses:

Table 3-1 Domain names of the visited network addresses

Domain names IP

Most of the files requested are PHP files fetched with GET requests. The parameter format of the request and the data of one request are as follows:

Sub=%s&key=%s&dh=%s&addr=%s&size=%lld&version=%s&OS=%ld&ID=%d&gate=%s&ip=%s&inst_id=%X%X%X%X%X%X%X%X; the data actually sent is as below:

(4) Another thread is the malicious core function that encrypts files with specific extensions:

First, it gets all disk information on the local system. If a disk is a local disk or a network disk, it traverses all files on it. When the file name contains recove or .VVV, the file is skipped directly. If not, it checks the file extension; if the extension matches any of the following, it starts to maliciously encrypt the file:

.r3d .css .fsh .lvl .p12 .rim .vcf .3fr .csv .gdb .m2 .p7b .rofl .vdf .7z .d3dbsp .gho .m3u .p7c .rtf .vfs0 .accdb .das .hkdb .m4a .pak .rw2 .vpk .ai .dazip .hkx .map .pdd .rwl .vpp_pc .apk .db0 .hplg .mcmeta .pdf .sav .vtf .arch00 .dba .hvpl .mdb .pef .sb .w3x .arw .dbf .ibank .mdbackup .pem .sid .wb2 .asset .dcr .icxs .mddata .pfx .sidd .wma .avi .der .indd .mdf .pkpass .sidn .wmo .bar .desc .itdb .mef .png .sie .wmv .bay .dmp .itl .menu .ppt .sis .wotreplay .bc6 .dng .itm .mlx .pptm .slm .wpd .bc7 .doc .iwd .mov .pptx .snx .wps .big .docm .iwi .mp4 .psd .sql .x3f .bik .docx .jpe .mpqge .psk .sr2 .xf .bkf .dwg .jpeg .mrwref .pst .srf .xlk .bkp .dxg .jpg .ncf .ptx .srw .xls .blob .epk .js .nrw .py .sum .xlsb .bsa .eps .kdb .ntl .qdf .svg .xlsm .cas .erf .kdc .odb .qic .syncdb .xlsx .cdr .esm .kf .odc .raf .t12 .xxx .cer .ff .layout .odm .rar .t13 .zip .cfr .flv .lbf .odp .raw .tax .ztmp .cr2 .forge .litemod .ods .rb .tor .crt .fos .lrf .odt .re4 .txt .crw .fpk .ltx .orf .rgss3a .upk

The related encryption process and encrypted file format can be found in the Kappa analysis for reference, which mainly adopts the ECDH algorithm to encrypt the key [3]. The Cisco Tesla decryption tool [2] can decrypt early Tesla variants, which save the key to the file "key.bat". The key generation and storage of Tesla 2.x variants have changed, and the key is stored in the registry under

HKEY_CURRENT_USER\Software\7CE14F27E7D3E895. 7CE14F27E7D3E895 is a personal identification code, different for every user, which is used by the attackers to identify the user on the server. The information stored in the registry is the same as that in recover_file_*.txt.

The encrypted data overwrites the source file and then the file name is modified. In addition to infecting the local computer, it tries to enumerate computers on the network and encrypt their files. When all encryption is complete, it generates recover_file_*.txt in the My Documents directory, whose content is as follows:

Then it generates Howto_RESTORE_FILES in three formats on the user's desktop and opens them to notify the user:

Finally, it pops up a warning page prompting the user to visit the blackmailer's homepage and stating that the key is encrypted. The keys can be obtained by visiting the blackmailer's server.

To get the key to decrypt the files, you have to pay 500 USD. If payment is overdue, you have to pay 1000 USD.

Tesla 2.x network framework analysis
Antiy technicians found that the blackmailer's network server hides in the Tor network to avoid tracking. The page that the blackmailer provides is as follows: entering the identification number prevents automated traversal and querying of victim information.

After correlating the data, the servers that the following URLs point to are the same; they are the servers of the TeslaCrypt 2.x blackmailer variants, and the information queried by the same ID on these three websites is also the same.

For the victim IP 120.72.5.187, the data returned by the two URLs is the same.

If the blackmailer's reporting server is blocked by network security equipment, it cannot receive the reported encryption information, and querying by personal code on this page will report that the login failed. In order to still be able to provide decryption services, the blackmailer has designed a function: uploading the recover_file_xxxxx.txt file saved in the "My Documents" folder, from which the encryption information can be obtained. The diagram is below:

Through correlation of the network framework, a decryption program URL was found: hxxp://psbc532jm8c.hsh73cu37n1.net/decrypt.zip, MD5: AE3E2206ACB24A60FF583F2CF0C77E59

It also contains PDB information: C:\wrk\decrypt\decrypt\Release\decrypt.pdb. From this it can be seen that the OpenSSL ECDH public/private key encryption and decryption algorithm is used, which also shows that it adopts an ECDH key to encrypt files.

Blackmailers can spread executable PE payloads through email by packaging software with double extensions, SCR extension tricks, etc. In this campaign, it uses the JS format as a disguise to evade detection and prevention by antivirus software. At the same time, the Tesla 2.x blackmailer adopts the ECDH encryption algorithm, putting user data in danger, rather than the previous scheme in which the key could be reversed to decrypt files.

From past monitoring, we found that the victims of blackmailer malware have spread from the original individual users to business users, and even servers. Antiy has strengthened its detection and defense capabilities against blackmailer Trojans in its PTD system and IEP system.

As data security threats become increasingly dangerous, enterprise users also need to cover blind spots in their defenses with capable products, effectively improve network security awareness, build a defense-in-depth system, and obtain threat intelligence in time through threat intelligence platforms to reduce the further spread of risk.

TeslaCrypt2.x MD5
Thank you all for reading

Thanks to: AN ANALYSIS REPORT OF BLACKMAILER TROJAN SPREAD BY EMAILING JS SCRIPT - Antiy Labs | The Next Generation Anti-Virus Engine Innovator
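As an added example (not code from the Antiy report or the Antiy products it mentions), a Python triage script that parses the C2 request format and flags the host artefacts described in the report above: the .vvv suffix on encrypted files, recover_file_*.txt, Howto_RESTORE_FILES, the five-random-letters -a.exe dropped binary, the HKEY_CURRENT_USER\Software\<ID> registry key and the myexternalip.com/raw lookup. The proxy log line format, the sample paths and the assumption that the victim ID is always 16 hex characters (generalised from the single ID shown) are mine, not the report's.

```python
"""Triage helpers for the TeslaCrypt 2.x indicators named in the report above.

Added example: indicator shapes come from the report; the log line format,
sample paths and the 16-hex-character victim ID pattern are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameter names of the C2 GET request format quoted in the report:
# Sub=%s&key=%s&dh=%s&addr=%s&size=%lld&version=%s&OS=%ld&ID=%d&gate=%s&ip=%s&inst_id=%X...
BEACON_PARAMS = ("Sub", "key", "dh", "addr", "size", "version",
                 "OS", "ID", "gate", "ip", "inst_id")
EXTERNAL_IP_CHECK = "myexternalip.com/raw"   # first request the reporting thread makes

# Host artefacts named in the report.
ENCRYPTED_SUFFIX = ".vvv"                                             # appended to encrypted files
RECOVERY_FILE_RE = re.compile(r"^recover_file_[^\\/]+\.txt$", re.I)   # written to My Documents
RANSOM_NOTE_RE = re.compile(r"^Howto_RESTORE_FILES(\.[A-Za-z0-9]+)?$", re.I)  # any of the three formats
DROPPED_BINARY_RE = re.compile(r"^[a-z]{5}-a\.exe$", re.I)            # e.g. mghsd-a.exe
# Per-victim key HKCU\Software\<ID>; assumption: the ID is always 16 hex digits like 7CE14F27E7D3E895
VICTIM_REGKEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\[0-9A-F]{16}$", re.I)


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields when url carries every parameter of the report's
    format, otherwise None. Ordinary PHP requests that share one name (e.g. Sub=)
    are rejected because the complete parameter set must be present."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not all(name in qs for name in BEACON_PARAMS):
        return None
    fields = {name: qs[name][0] for name in BEACON_PARAMS}
    # inst_id is built from %X conversions, so a non-hex value is not this beacon
    if not re.fullmatch(r"[0-9A-Fa-f]+", fields["inst_id"]):
        return None
    if not fields["size"].lstrip("-").isdigit():   # size is printed with %lld
        return None
    return fields


def triage_proxy_log(lines: List[str]) -> List[Tuple[str, str, object]]:
    """Scan 'client method url status' lines (assumed format) and return
    (client, kind, detail) for the external-IP lookup and for C2 beacons."""
    hits: List[Tuple[str, str, object]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, method, url = parts[0], parts[1], parts[2]
        if method != "GET":
            continue
        if EXTERNAL_IP_CHECK in url:
            hits.append((client, "external-ip-lookup", url))
            continue
        beacon = parse_beacon(url)
        if beacon:
            hits.append((client, "c2-beacon", beacon))
    return hits


def classify_path(path: str) -> Optional[str]:
    """Label a file path by the TeslaCrypt 2.x artefact it matches, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return "encrypted-file"
    if RECOVERY_FILE_RE.match(name):
        return "recovery-info"
    if RANSOM_NOTE_RE.match(name):
        return "ransom-note"
    if DROPPED_BINARY_RE.match(name):
        return "dropped-binary"
    return None


def is_victim_regkey(key: str) -> bool:
    """True for a key shaped like the per-victim HKCU\\Software\\<ID> key."""
    return VICTIM_REGKEY_RE.match(key) is not None


# Constructed sample data (not taken from the report).
SAMPLE_PROXY_LOG = [
    "10.0.0.7 GET http://myexternalip.com/raw 200",
    "10.0.0.7 GET http://c2.example.invalid/sub.php?Sub=ping&key=AA&dh=BB&addr=1abc"
    "&size=0&version=2.2.0&OS=7601&ID=42&gate=G1&ip=203.0.113.5&inst_id=0A1B2C3D4E5F6071 200",
    "10.0.0.9 GET http://intranet.example/report.php?Sub=daily&user=bob 200",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.vvv",
    r"C:\Users\alice\Documents\recover_file_abcde.txt",
    r"C:\Users\alice\Desktop\Howto_RESTORE_FILES.html",
    r"C:\Users\alice\AppData\Roaming\mghsd-a.exe",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    for p in SAMPLE_PATHS:
        print(classify_path(p), p)
    print(is_victim_regkey(r"HKEY_CURRENT_USER\Software\7CE14F27E7D3E895"))
```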



I was told my router was vulnerable, a code into the firmware was injected and every device compromised. A camera was recording me personally when watching adult content. Is this possible please? My phone is iPhone 7 Plus, my tablet is Android Huawei.

A: Email from blackmailer

This is a very common and well known scam. You don't need to worry about it.
They send this email to thousands of people hoping somebody falls for it so they can extract the victim's hard earned money.
The email can be safely ignored

Here's an article about the scam :


btcar popup, trojan.agent.apmc, trojan.script.14303, trojan.fakeav.kue

Hi, My antivirus program, BitDefender Antivirus 2010, has blocked the above trojans. The main trojan that keeps popping up however is: Trojan.Agent.AMPC. It is located in my temp file as 94.tmp. I have deleted my temp files, some of them wouldn't delete so I downloaded and ran CCleaner. After successfully deleting files that windows alone wouldn't allow me to do, I presumed my problems were over. (haven't had the antivirus program pop-up in 12 hrs now) I opened up google and typed in the topic I wanted and clicked on the link I wanted & I was redirected to btcar.com. I closed it, clicked on another link and I was directed to virtualway.info among other annoying sites. So I blocked these sites in IE, and proceeded to download & run SpyBot S&D. 4 Issues were found and I repaired them. I then did a deep system scan with BitDefender and it said no viruses or spyware were found:

BitDefender Log File
Product: BitDefender Antivirus 2010
Version: BitDefender Antivirus Scanner
Scanning task: Deep System Scan
Log date: 5/6/2010 2:36:47 AM
Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1273077407_1_00.xml
Scan paths: Path 0000: C:\
Scan Level: Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Ye... Read more

A: btcar popup, trojan.agent.apmc, trojan.script.14303, trojan.fakeav.kue

Hello and Welcome to Bleepingcomputer. Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Please download Malwarebytes' Anti-Malware from Here. Note: If you already have Malwarebytes' Anti-Malware, just update then run it. Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient). When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy and Paste the entire r... Read more


Help! My computer is infected! I ran Kaspersky full scan and it found the following, but is unable to get rid of them:
virus HEUR:Trojan.Script.Iframer
Trojan program Exploit.JS.Pdfka.bta
Below is the hijack this log. It's also attached. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:25 PM, on 3/29/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system3... Read more

A: Infection! Trojan.Script.Iframer, Trojan program Exploit.JS.Pdfka.bta

Help! My computer is infected! I ran Kaspersky full scan and it found the following, but is unable to get rid of it:
Rootkit.win32.agent.bdkq
Below is the hijackthis log. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:25 PM, on 3/29/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\conhost.exe
C:\Program Files\TrendMicro\HiJackThi... Read more


Dear Tech Support,

My computer seems to be infected with some Trojans.
I would appreciate your help in removing these.

I run Windows XP Professional Service Pack 3 with Bitdefender Internet Security 2010.
The following summarizes the issues I have:

1. I get repeating Bitdefender alerts on blocking Trojan.Script.16726 for wscript on C:\autorun.inf and H:\autorun.inf (H:\ is an external USB mass storage HDD). The deep scan also suggests removing these files. Once deleted, from Bitdefender or manually, the autorun.inf files are quickly recreated.
2. I sometimes get Bitdefender alerts on Trojan.Dropper.SVX on C:\Windows\system32\winxp.exe. Many times the scan hangs on this file and keeps finding threats in it.
3. Many times the Bitdefender service (vsserve.exe) becomes "unavailable", sometimes even a restart won't make it work.
4. The computer is slow and often halts. I often get some keystrokes ignored.
5. Windows Updates is not working because the Automatic Updates service
is being stopped (Error number: 0x8DDD0018). If I turn it on (following Microsoft support team advice I even ran an HF KB922582 that didn't help), the updates are failing to be installed (Error number: 0x80070002).
6. I'm missing the System Restore option in System Properties, it is simply not there anymore.
7. When I exit Windows I get an error "End Program rundll32.exe".
8. On shutdown the system often suggests there are two updates that needs to be installed.

Here'... Read more

A: Trojan.Script and Trojan.Dropper

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.


Be sure to make active all your USB devices when running ComboFix as instructed below.
Download ComboFix from this location only.
Disable your AntiVirus, Firewall, and Ant... Read more


ok well i went to a site that i wont name and they said that someone hacked their forums and if you click on the unlock threads you will get a new trojan that no one has ever seen. my firewall hasnt asked me anything so far and my computer isnt slow now but im worried because yesterday i was on the forums and just today there saying it.

A: Trojan Script

You are probably OK as long as you didn't click on any links at that site. The information in the link below is a discussion about this. http://www.bleepingcomputer.com/forums/top...tml#entry465511



No idea how this got onto my PC but I started up my pc today and it says it's infected 3 files already.

Bullguard just seems to be quarantining them, but then I go to quarantine and it's not there.
Just wondering if I could have some help on removing it please

Thanks in advance


My computer is constantly giving me this error message when I leave it alone and it goes into sleep mode, when I come back to use it again, it ALWAYS tells me that "windows has recovered from an unexpected shut down" .....anyway, so there is an option to look for a solution to the problem, and every single time it tries to find a reason for the problem, it can't.

Also, I have Kaspersky Anti Virus 2009 installed, and according to that program, it has detected a virus it lists as HEUR:Trojan.Script.IFramer and then it lists this website that I frequently like to go to to get myspace backgrounds.....and I have always had Kaspersky installed on my computer, it's not like I just got it or something....anyway, so I have been going there to get backgrounds for like a year and I have never had any kind of virus come from being embedded in that website. I really don't get it....all of a sudden there's a trojan on there? I even e-mailed the website administrator to tell them about what my antivirus was claiming to have found on their site, and the web master responded to me telling me that that is absolutely ridiculous, and that I was the only person who has this problem.

The specific web address that is being associated with the Trojan (according to Kaspersky) is http://www.dolliecrave.com/tabs.js

Could it be that maybe my computer was just programmed to be attacked with some kind of trojan....i mean if a person/hacker went to look to see what websites i typically freq... Read more


i want get in this link .. it was not like this before .. please help

A: Please Help HEUR:Trojan.Script.Iframer

You would have to exit/ turn off your Kaspersky. You need to ask yourself is it worth the risk of a serious infection to do that just to
watch a second rate pirated movie.


Have Windows 7, run AVG security 2012. Recently started getting threats, AVG fixes it, but next day, they are back. Downloaded Microsoft Safety Scanner. During scan, computer froze, what a mess. This morning, all appeared OK, connected to internet, but says no access. We run 2 computers, so there is no internet problem, as the other is working fine. However, we have unplugged modem/router, turned computer off and on, still can't connect. This must have something to do with the trojan. We chatted with AVG, free, but they said we needed more help and had to call and pay $99. Last time we did that, got nowhere. Were just about to have someone local come and check computer out, but were hoping to find out the internet access issue first. Is there something connected to this trojan, that was supposedly fixed, but keeps returning, that would allow no internet access?


Hi, this is a customer of mine's log file...they have the HEUR:Trojan.Script.Generic trojan and I can't seem to remove it. They do an awful lot of online banking/deposits/accounting on that system and seems pretty risky with this little bug...any help would be appreciated. Below are the logs I could run on their system...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:24:59 PM, on 6/24/2014
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.17126)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_user_customer.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK14/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go... Read more



I got a bunch of virus/spyware/malware on July 3rd. I used anti-malware's program to remove it, thought it was taken care of. Now I am finding that the websites I updated since then are all infected. So ... I'm confused and thought I'd run a hijack this scan to be sure I'm rid of it before I re-infect my clients' websites (what a nightmare!). I don't know how much history you need of what I've updated and run and scanned - so I will post my hijack this log and wait for reply - if you need more info please ask. Today I ran all the Windows updates from Microsoft (not SP3), scanned via McAfee, updated and scanned to death. Thanks so much, I've used hijack this once before (a few years ago) and it was extremely helpful.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:28 PM, on 7/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\P... Read more

A: recurring trojan/script I thought I removed

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


hello, my pc restarts again and again. every time I reinstall my window around 4 5 times on restart its graphic also change like old 4 bits and firefox crashes too much plus chrome flash plugin also crashes and when i take search from Malwarebytes it detected some PUM.Disabled.securiy.centre malware but after few time pc again restarts and again on scan it come again or sometime nothing detected. please help me. no data.cab file software cant install in it and winrar file cannot extract it gives clipboard error 2. i reinstall my window around 5 6 times/week :S its some trojan or malware :S :S or or wat. Help meeeeeee

(Moderator edit: post moved to more appropriate forum. jgw)

A: victim of some spyware trojan or malware or script

Hello and welcome.. Lets see if we can get these logs. Please click Start > Run, type inetcpl.cpl in the runbox and press enter. Click the Connections tab and click the LAN settings option. Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

WIN7.. Please Download this file, Click Me. Right-click on winsockfix.bat and click on Run as Administrator.

Reboot into Safe Mode with Networking. How to enter safe mode (XP/Vista) Using the F8 Method: Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

Run RKill.... Download and Run RKill. Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows... Read more



I think i'll need help with this.
The only weird thing i noticed is that when i want to open GoogleChrome browser, it immediately closes.

Shortly after that, Kaspersky is detecting this MEM:trojan.script.angrypower.gen and tried removing it twice on a reboot. But it's detected again after startup.
AdwCleaner and Malwarebytes didn't find anything.

When i click disinfect:
This shows:
i tried the green button twice. no result. detection shows up again on startup.
and without restart it just fails to remove it and have to press skip:
So, i still can't start up Chrome , i uninstalled it and reinstalled it. Same behaviour.
Also tried changing the compatibility didn't work.
Browsing in Firefox now, which i don't like at all...

help please. thanks.

Tech Support Guy System Info Utility version
OS Version: Microsoft Windows 10 Home, 64 bit
Processor: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, Intel64 Family 6 Model 94 Stepping 3
Processor Count: 8
RAM: 8090 Mb
Graphics Card: NVIDIA GeForce GTX 960M, -2048 Mb
Hard Drives: C: 118 GB (18 GB Free); D: 931 GB (492 GB Free);
Antivirus: Kaspersky Total Security, Enabled and Updated


My antivirus "Kaspersky" caught this trojan and said it was inactive. I am trying to learn how to remove it and I had heard you guys were WONDERFUL!! at helping people do this sort of thing.
I appreciate any help you can give me with this as it's my first time dealing with this monster!!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:42:35 PM, on 6/9/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\H... Read more

A:HEUR:Trojan.Script.Iframer Removal


Kaspersky reminded me to remove MEM:trojan.script.angrypower.gen, then I followed it and rebooted my computer. One week later, Kaspersky reminded me again. How can I remove MEM:trojan.script.angrypower.gen forever? I need your help. Thank you very much.


Hi Everyone, I hope someone can help me get my Windows 7 back in good working order. Recently my browsers started acting up by being slow to open pages, not able to load and watch any archival TV shows and in general acting a bit strange, and today I noticed Avira entries about a script virus/trojan in the quarantine log. It is like my DSL internet speed is being slowed down to almost like dial up. I decided to try and do a restore point to see if that would help clear things up but was unable to use any earlier point than yesterday's. During all that, with some reboots and trying to run things in Safe Mode, I was denied permission to open any of my files. Then I got a black screen. Finally got back to a regular working order and then tried to download some other antivirus programs to try if they would make a difference. I also tried to get a fresh copy of Firefox. The browser downloads were incredibly slower than usual and then the installations would not open, saying they were corrupted. Something is definitely wrong and so I am asking for help to get rid of whatever is really happening. Appreciate your help!

Here is my DDS.txt log. I have attached the other DDS file. The GMER program had all the selections unchecked and grayed out except for Services, Registry, Files, C and ADS, and the report showed no entries when finished. The saved file has 0 bytes and will not attach.

DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24R... Read more

A:HTML Infected Script Virus / Gen. 4 Trojan?

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:
If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended, please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply'... Read more



I was having problems while browsing youtube.com (it always crashes, 3-4-5 secs after a video starts..) and then every time I open a window (not with Chrome, but this one crashes too) my antivirus (Avira; I tried AVG but it didn't make any difference) pops up a window telling me that some trojan virus named gxvxclksdfjaoirgnasdklajsda.dll was trying to do something. I always chose delete but the problem persists.

Here's a cap of that pop up.

So, I came here and I did the dds.src thing and everything worked great, but when I use gmer.exe after 20 secs it crashes my laptop! It did it twice so I didn't run it again...

Here's the dds.src report:

DDS (Ver_09-10-26.01) - NTFSx86
Run by motz at 5:41:49,67 on 10/11/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.34.3082.18.3000.1332 [GMT 1:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
... Read more

A:gxvxc trojan on my laptop (got it from some greasemonkey script)

Kaspersky said this:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online(i am!!) to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Antivirus bases have been updated after key expiration]

Malwarebytes won't open when I execute it...


Okay, before I post my HJT logfile, I'll explain what I know.

My wife's laptop has somehow contracted a false-trojan (from what I've read; it may be the real deal, but there aren't many resources online that I've found that can give me definite answers and solutions); the file that's causing me trouble is .ttX.tmp.VBS, found in c:\docs & settings\...\local settings\temp. (X could be, in this case per its manifestations in my problem, tt1, tt2, ttA, ttF, ttD, etc).

When this began, I noticed the following: the desktop background changed to a faux warning window with the message, "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." Beneath which, was this: "Warning! Win32/Adware.Virtumonde detected on your computer," repeated with a similar warning beneath that, naming "Win32/PrivacyRemover.M64." And, finally, beneath all that, a link/button with the text: "Please activate your antivirus software to Clean your computer."

I cannot change the background; I cannot access the tab within the Properties options to view my desktop background preferences; and, I strongly believe I didn't click the link for the program referenced in this problem, nor did I install anything of the like. So... I am under the impression that while I am infected or have been compromised with SOMEthing, I probably avoided the worst of what might've been.

I've attempted to run VundoFix (referenced ... Read more

A:A fake trojan? Antivirus XP & the elusive .ttX.tmp.VBS script...

Here is the Panda Active Scan results... if it's any help. I believe I read that posting these results, too, might help. Well, we'll see.


I cannot get Kaspersky to remove the Trojan.Script.AngryPower.gen. I keep getting a Malware Detection and I try to have Kaspersky remove it, but it does not; it keeps coming up. I saw a thread on this forum get posted in the past and there appears to be a fix through Farbar. I have the txt scripts and the addition txt scripts. Can someone help?
The prior thread is a bit old but it was called "Kaspersky can't remove MEM:Trojan.script.angrypower.gen".



OK, I'm pretty sure I removed the source... but I did a boot time scan with AVAST and it said I had 4,000+ files still infected from the viruses... I wanted some help from an experienced person with maybe looking at my HijackThis log and helping me with some problems I found on there... lol, I am computer illiterate.

A:Redirect ME trojan and HTML script infection

You may be dealing with a dangerous polymorphic file infector that typically infects thousands of .exe, .scr files, compressed files (.zip, .cab, .rar), and script files (.php, .asp, .htm, .html, .xml). I recommend you get another opinion by downloading and scanning with the Kaspersky Virus Removal Tool from one of the links provided below.
Link 1
Link 2
Be sure to print out and read the instructions provided in:
How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility. Vista/Windows 7 users right-click and select Run As Administrator. If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
When the 'Setup page' appears, click Next, check the box 'I accept the license agreement' and click Next twice more to begin extracting the required files. Setup may recommend to scan the computer in Safe Mode. Click Ok.
A window will open with a tab that says Autoscan and one for Manual disinfection. Click the green Start scan button on the Autoscan tab in the main window.
If malware is detected, you will see the Scan Alert screen. Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutr... Read more


Over the past week or so, Avira has warned me several times of a Trojan, however neither an Avira full system scan, or a MBAM scan find anything.

I have posted the DDS log, and attached both attach.txt and ark.txt as a .zip file.

Thanks for taking the time to look.

Here are the items in my Avira quarantine:
Contains recognition pattern of the APPL/WinLock.A application C:\Documents and Settings\Steve\Application Data\dwlGina3.dll
Contains recognition pattern of the APPL/WinLock.A application C:\Documents and Settings\Steve\Local Settings\Application Data\dwlGina3.dll
Contains recognition pattern of the APPL/WinLock.A application C:\Documents and Settings\Steve\Local Settings\Application Data\dwlGina3.dll
Contains recognition pattern of the APPL/WinLock.A application C:\Documents and Settings\Dan \Application Data\dwlGina3.dll
Contains recognition pattern of the HTML/Malicious.PDF.Gen HTML script virus C:\Documents and Settings\Steve\Local Settings\Temp\Acr3B.tmp
Is the TR/Trash.Gen Trojan C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP281\A0068379.exe
Is the TR/Trash.Gen Trojan C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP281\A0068380.exe
Is the TR/Trash.Gen Trojan C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP281\A0068381.exe
Is the TR/Trash.Gen Trojan C:\Sys... Read more

A:Trojan/HTML Script Virus (Windows XP)


Not sure if it makes a difference but the PC has been EXTREMELY slow for a week or so, to the point where it takes 10 minutes for the Black XP loading screen (with the blue bar) to clear, and for the XP Logon screen to show.

Once I click my user, it can take anything from 2-30 minutes before I can use any programs.


My normally dependable Dell, i5, Win 7 laptop suddenly began to be erratic, booting at odd times and showing strange, inappropriate error messages. A number of antivirus programs either can't load or can't run properly. I ran Kaspersky Security Scan and it reported the HEUR trojan, said "index (2) htm" was malware, along with several entries it said were incorrect.

I could sure use some help with this. Any assistance will be greatly appreciated.

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by norm at 14:31:26 on 2012-10-18
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.1668 [GMT -7:00]
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -... Read more

A:Kaspersky reports HEUR:Trojan.Script.Generic

Greetings Phydron and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum. My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.
===================================================
Ground Rules:
First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
Please copy and paste all logs into your post unless directed otherwise. Please do... Read more


Every month, I scan my computer just in case I had a virus, using "deep scan". I have the classic "pack 3" (Avast free, Free Comodo firewall and Malwarebytes Premium), so I scanned with those.. well, only with Avast and Malwarebytes. They didn't find anything bad.
I found another scanner (Kaspersky Security Scan) to scan a last time, "just in case" again, but it found 1 trojan:
Kaspersky Security Scan
- C:\ProgramData\InstallShield\Update\isuspm.ini
Is that a real virus/trojan, or a false positive?
The computer doesn't have any typical problem (slow, pop ups, or weird behaviors).
After that, I scanned again with tdsskiller in safe mode but it didn't show anything bad.
What should I do?
I have Windows 10, Avast free, Free Comodo firewall, Malwarebytes Premium.

A:HEUR:Trojan.Script.Agent.gen inside isuspm.ini ?

Heur...heuristic....meaning something about that file caused Kaspersky to point to it as possibly malware.
I doubt that it is malware as the INSTALL SHIELD UPDATE is a legit program. If you are not experiencing well
known malware or adware issues I would suggest considering it a false positive.


My customer clicked on the bank_statement.zip e-mail attachment which started circulating 9/30. It seems likely that it's dropped another Trojan or two as well. This is an exceptionally nasty, stealthed package --- GMER and other rootkit tools find lots of kernel hook activity, but HiJackThis looks pretty clean, and all the major virus scanners find nothing with current updates. [Avast! did block my download attempt, so the scanners are starting to catch up...] See http://www.virustotal.com/analisis/056dc7e...8c1bc72bf0601a8 and http://www.threatexpert.com/report.aspx?ui...76-6fae34194ede for scans of the original infector.

In normal mode on an XP SP2 system, double-clicking on _any_ application starts it running as a background process, with no open window. The cursor passes under the Start Menu button, so it can't be opened or right-clicked. Right-click Properties don't work on anything else, either. It also boots without prompting for a logon. Anything launched from the Run line doesn't open a window either, e.g. services.msc.

In Safe Mode, applications can run and open windows normally, the logon prompt is normal, etc. HiJackThis and GMER found an obvious infected file: utm3mzgz.sys in Win\System32\drivers, which I renamed from a boot disk, and I've disabled System Restore from the Registry. Unfortunately, I can only run GMER, HiJackThis, ComboFix, AVZ, Avast! etc. from Safe Mode (I do _not_ want to connect this box to the network again for current update... Read more

A:0-day Trojan (zbot/hupigon/sdbot Variant) --- Needs Cleaning Script...

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log. I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part... Read more


In the last one week, whenever I am trying to open a web page that I frequently use, I am getting this message from my anti-virus software.

The requested URL cannot be provided

The requested object at the URL:

hxxp://www.calebgattegno.org/ < warning DO NOT CLICK ON THIS LINK >


object is infected by HEUR:Trojan.Script.Generic
Message generated on: 29-07-2014 16:02:48

I went through your post and noticed that another member had asked the same question to you. You had advised the member to download TDSSKIller and FRST. I also did the same and generated four reports, which I am attaching with this mail. Please let me know how I can proceed further. You can find the details of my system as below:

Tech Support Guy System Info Utility version
OS Version: Microsoft Windows 7 Home Basic, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz, Intel64 Family 6 Model 37 Stepping 2
Processor Count: 4
RAM: 3892 Mb
Graphics Card: Intel(R) Graphics Media Accelerator HD, 1722 Mb
Hard Drives: C: Total - 235677 MB, Free - 161880 MB; E: Total - 99999 MB, Free - 49833 MB; F: Total - 131531 MB, Free - 28340 MB;
Motherboard: Dell Inc., 0FR6M4
Antivirus: Kaspersky Anti-Virus, Updated and Enabled

I would be very grateful for your early reply, as I am afraid that this virus may cause serious damage to my system.

A:Heur:Trojan:Script:Generic virus not allowing me to open a web page


Kaspersky detected HEUR:Trojan.Script.iframer or lframer, at the same time a .dll was whitelisted, maybe related to a javascript on a webpage
Computer OS: Windows 10
Antivirus: Kaspersky 2016
I clicked this page yesterday through google.
-After the page loaded, what was probably a Kaspersky alert window soon appeared together with a sound.
-It said it detected HEUR:Trojan.Script.iframer or HEUR:Trojan.Script.lframer (I am not sure whether that was a capitalized i or a l).
-I clicked the alert window several times, maybe 4-5 times, probably out of reflex because I wanted to close it, which may have closed the window (alert window) each time, so I maybe got this window to appear several times in a short time span. (I'm sorry for my bad explanations)
I think the window may have been red.
I might have seen the word whitelist on one of these windows, and this wasn't on the first window that appeared.
The problem is I am not used to Windows 10 and Kaspersky 2016 and I don't know what an alert window about a blocked object looks like and if there are buttons inside the window that I ended up clicking.
But what I've deduced is that if HEUR:Trojan.Script.iframer downloaded some object (trojan etc...), it is possible that I may have unknowingly whitelisted it when I quickly clicked on the Kaspersky alert window(s) that flashed.
And I closed the web page after the thing with those alert windows.
I checked Kaspersky's log, and what I... Read more

A:Kaspersky detected HEUR:Trojan.Script.iframer or lframer, .dll whitelisted

Hi there, my name is Jo and I will help you with your computer problems. Please follow these guidelines:
Read and follow the instructions in the sequence they are posted.
Print or copy & save instructions.
Back up all your private data / music / important files on another (external) drive before using our tools.
Do not install / uninstall any applications, unless otherwise instructed.
Use only the tools you have been instructed to use.
Copy and paste the log files inside your post, unless otherwise instructed.
Ask for clarification, if you have any questions.
Stay with this topic till you get the all clean post.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

*** Download Security Check by screen317 from here or here. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Vista / Windows 7/8 users right-click and select Run As Administrator. A Notepad document should open automatically called checkup.txt; please post the contents of that document.

*** Please download Malwarebytes Anti-Rootkit and save it to your desktop. Be sure to print out and follow the instructions provided on that same page. Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
Scan your system for malware
With some infections, you may see two message boxes.
'Could not load protection driver'. Click 'OK'.
'Could ... Read more


Sadly, I am not just saying "Hello, I'm a new member". I am an unhappy, infected member.
I have made many attempts with MalwareBytes and ZoneAlarm Extreme scans over the past few days (both in and out of Safe Mode) and am unable to rid my pc of these pests: Trojan-Banker.Win32.Banbra.advx ; HEUR:Exploit.Script.Generic ; and, also Google Redirect.
Per your instructions, DeFogger was executed and I am attaching DDS.txt, attach.txt, and ark.txt.
Thanks in advance for "being there".
I must admit that I have been impatient and have continued to run scans in attempts to "do something"
So, I may need to post new logs whenever I get a helper assigned to my case.
The trojan appears to have mutated from Trojan-Banker.Win32.Banbra.aedx to Trojan-Dropper.Win32.TDSS.abhd

A:Trojan-Banker and HEUR:Exploit.Script.Generic and Google Redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


This topic is the continuation of another topic that you find here; it is useless for me to repeat the same information: https://www.bleepingcomputer.com/forums/t/666731/kaspersky-security-scan-finds-a-trojan-that-the-others-antivirus-do-not-report/#entry4411013
In the topic you find my problem, but there are some updates, that I will give you now. By necessity I had to reconnect the "infected" PC to the internet. After doing so, I re-scanned it again with all the antivirus added to the previous topic and also with Eset Online Scanner and Malwarebytes Anti-Rootkit. No one has found anything; even Kaspersky Security Scan can not find any virus anymore. However, as requested by a moderator I did a scan with Farbar Recovery Scan Tool, and here are the results:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by fdfer (administrator) on DESKTOP-DG73G7R (05-01-2018 22:40:33)
Running from C:\Users\fdfer\Desktop
Loaded Profiles:  fdfer (Available Profiles: fdfer)
Platform: Windows 10 Pro Version 1709 16299.192 (X64) Language: Italiano (Italia)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Win... Read more

A:Kaspersky Security Scan find "HEUR: Trojan-Downloader.Script.Generic"

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
I can confirm that both of your logs are clean. If all is well, to learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===


Hello there, I think I have been infected. After downloading something (stupid of me) I noticed a quick faded command prompt appear. I rushed to scan my computer and found traces of what appeared to be a Trojan dropper.
I've run the following programs:
Malwarebytes
ESET NOD32 (for some reason it didn't find the virus ???)
I manually uploaded some files and traces of the virus using VirusTotal.
The problem is, some traces of the virus (xml, scripts and logs) are still here, and what's alarming is one txt file containing script lines keeps getting updated after a reboot despite all the scans done.
There is this xml file called exactly xml that seems to remote to a non-extension file called by x.
There is a second one called xxml that calls to another non-extension file called by xx file.
The xx file shares the time stamp of the xxml and AppVShNotifyt.txt (the script file that autoupdates each boot, as does the xx file).
A dll shares the same time stamp as the others; MCconfig.dll checked with both antivirus and uploaded to VirusTotal but no results, still it is pretty suspicious.
Another file that shares the same time stamp is WindowsCodecsRaw.txt. Here are some similarities in behavior http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/HPmal~Fareit-B/detailed-analysis.aspx [Do notice the x, xml, and mcconfig file drop s... Read more

A:Infected with Virus ( Trojan Dropper / scripts etc etc ) script file auto updates

Since the first post was too big, I'm going to continue with multiple replies to try and split the information.
A screenshot of the files mentioned :


Two days ago, I was browsing as per normal through Chrome when Kaspersky encountered and blocked the trojan detailed above.  Since it declared the program was blocked, I thought nothing of it after doing a cursory Malwarebytes scan, and another with Kaspersky.  
Today I rebooted my computer for the first time since that warning, and the first thing I noticed was a little padlock-shaped icon down in my toolbar that appeared and disappeared fairly quickly (it's apparently some kind of Windows process according to my googling). When I tried to access Chrome it refused to launch, even though the program existed in the task manager. I rebooted the computer several times only for the same thing to happen. It finally successfully launched about an hour later, and it appears to be running normally, but since that's super abnormal for my fairly new PC I thought I'd check in for some advice. Is there a remnant of the trojan on my computer or was it just a fluke?
ETA: I get a message when I try to check for Windows updates that the server isn't running and I should relaunch Windows.

A:Chrome takes a time to launch after Kaspersky blocks HEUR: Trojan.Script.Iframer

Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe. Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue. Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.

Please download MiniToolBox and run it. Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
Double-click ... Read more

Hi, recently my two sisters got computers and have a habit of going to random websites or clicking adverts/downloads.

My question is, if one of them got a virus or some kind of malware, could it spread to my computer or others on the setup we have?

Okay, none of the computers have file sharing or anything like that, although all are connected to the same router (they have wireless, I'm using wired).

Again, none are networked exactly, but are connected to the same router; each has some form of firewall and antivirus.

Any more information, please ask. I will be around for 20 minutes, otherwise I'll check here tomorrow.

Thanks in advance

A:Can a virus spread like this?

I assume you and your sisters have good antivirus software?

You should be OK if so.

I recently built a new PC: ASRock P45 mb, E8500, WD 250 SATA2 HD, DDR3 1333. Does anyone know if spread spectrum should be enabled in the BIOS? In the past it was recommended off. The default setting on this board is Auto. Are there any problems with system stability, or performance issues?

A:Spread Spectrum

Hi EasyRider and welcome to the forums

There should be no problems with leaving this set to Auto in the BIOS, however I have disabled it in mine. Note that Auto is the equivalent of Enabled in many BIOSes for this item. If you are having stability issues with it Enabled (Auto) then set it to Disabled, which is the setting that I use for this item. Note that there might be more than one entry in your BIOS pertaining to this. Treat them all the same. For further information, check out the link below.

Spread spectrum - Wikipedia, the free encyclopedia

Dear all,

Hope someone could help.

My users are getting these viruses "Trojan.Win32.Sasfis.bgeg" and some types of these trojans from mails and Facebook access.

They seem to state it's from 'parcel service notification',
DHL notification or parcel delivery mails.

Any idea how I could remove them?
Please advise.
Please help.

A:RE: Virus spread

Hello and Welcome to TSF.
I'm nasdaq

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.


We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post the logs in your next reply for my review. It's the only way I can suggest sound advice.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Just a basic question here.... It seems like my music may be spread out in several different places. Surely that doesn't mean that there are multiple copies of it floating around on my hard drive, right?? SO... if I were to delete 2 copies from 2 different areas (folders)... the other copy would still be there, right??

A:Music spread all over.........what to do,what to do ???

That is correct, they are pointing to the same place, but how did they get to 2 folders in the 1st place?

Here's what you need to do.

Make a folder in Music and label it with today's date, then go through the 1st folder of music you have and copy it to that new folder. Verify the data, then delete the original folder. Now go to the other folder of music you say you have and copy it to the folder you just made; when it starts to copy, if you already have that music, it will ask you to replace it, just keep saying no until you're done. Then delete that folder of music. When you're done all your music will now be in the new folder you created today.

Don't understand? Just reply.

Keep all your music in the Music folder and you should be OK.

I have some problems (OS Windows 7 x64). Recently I found two files (lsprst7.dll and lsprst7.tgz) in a folder with my files. After that I deleted them manually and rebooted the computer. After that each folder on my computer contained those files. I checked the file with the online web service virustotal.com and it's clean, 0/42. I use both antivirus systems Microsoft Security Essentials and Trend Micro Internet Security.
How to remove it?
Who knows what it is and why it spread to each folder?

A:lsprst7.dll spread

Please see this bleeping computer thread.

So I would like to know: can bad sectors spread from one hard drive to another hard drive? For example, I have 2 HDDs and one of the drives has bad sectors; it is connected through a USB enclosure for a backup, or is directly connected inside the PC as a secondary drive. Can it spread and infect the other good drive?

A:Can Bad Sector spread from HDD to another HDD?

If you have a hard drive with bad sectors it won't spread to another hard drive, but it will fail sooner rather than later.

My advice would be to backup anything valuable on the drive with bad sectors and get it replaced as soon as possible.

At the very least you should run Chkdsk in the hope it will find and recover any damaged sectors.

Disk Check

Hello, I want to ask: do viruses and browser hijackers spread through Wi-Fi? I mean if both computers are connected to the same Wi-Fi. (Sorry for my bad English.)

A:Virus spread through Wi-Fi?

It is possible for certain types of malware (i.e. worms) to spread on a local LAN behind a router and for some types of malware to infect router firmware and change the router settings. Routers can be compromised if they have a weak or default password which attackers can easily guess or break using a dictionary attack or brute force attack. Malware which can modify routers is rare and may require the router to be a specific make, model and firmware revision. The most common was the DNSChanger Trojan which compromised the router's weak default password using brute-force attacks. The Trojan then changed the router's DNS table to malicious DNS servers...redirecting Domain Name resolutions to unsolicited, illegal and malicious sites the attacker wanted victims to access.

...Some DNS changer Trojans can alter routers' DNS settings via brute-force attacks. As a result, all systems connected to the "infected" router also become infected. Some DNS changer Trojans can also be used to set up rogue Dynamic Host Configuration Protocol (DHCP) servers on certain networks, which can have the same effect.

How DNS Changer Trojans Direct Users to Threats
Millions Of Home Routers Vulnerable To Web Hack
Malware Silently Alters Wireless Router Settings

Some routers have known vulnerabilities which can be exploited to open them up to attacks without needing to know the proper password. There have been various reports of vulnerabilities and attacks against hardware devices such as routers and dat... Read more

Hi, I had the "system is infected" virus and I think it finally sent my 4 year old hard drive packing. I did a Windows repair, but all that happens is Windows asks me if I want to activate it, I say yes, I can see my old desktop background (which I assume means I still have most of my files on that disk?) but nothing else happens; it just freezes with my old desktop background, with no icons etc.

So I have decided to go buy a new hard disk and the new Windows today and install Windows on the fresh HD. My question basically is, when I plug my old HD that originally had the virus in as a backup disk to the new one, can the "your system is infected" virus spread onto the new HD? Or did I kill it off when I did a Windows repair?

A:Virus spread?

Reinstalling Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards, so a Repair will NOT help! As such, there is no guarantee you will not infect the new drive when slaving the old one to it.

Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action.

I've googled this, but I seemed to get a load of people who didn't know themselves what they were talking about, all wondering what it is themselves. I guess it must have been the terms I used....

Anyway, what exactly is the "CPU Spread Spectrum" option in my BIOS for? I.e., what does it do, and how does it do it (how does it work?)

A:Spread Spectrum

It isn't documented in your manual?
(tried to download it, but it would've taken me about 30 min, since they seem to be bandwidth starved!)

I need to make a spreadsheet for my bills. Does this computer have a program installed for that?

For the past day or two, I have been seeing command prompt popup windows when I login to Windows XP. I ran a full scan with AVG anti-virus (free) and it moved the following Infection to its virus vault:

Trojan horse Downloader.Zlob.AQXA C:\Documents and Settings\Jacob & Jamie\Local Settings\Application Data\tckihf\nvyvsftav.exe
f.y.i. "Jacob & Jamie" (referenced above) are my 10yr-old twin boys. They downloaded a game called Wizard 101 the night before the virus, popup, and script errors appeared, so I uninstalled the game.
I rebooted and still the command prompt popup window appeared, this time followed by a script error.
(I can attach a printscreen of the lengthy script error, if you need to see it).

I also ran Ad-Aware but it detected nothing. I got a few more script errors when browsing the Internet.
Please advise how to get my computer back to normal--I need it for school & work. Thank you! ~Melinda


A:Trojan horse Downloader.zlob.AQXA; script errors; command prompt popup at LogIn

I know I posted an article asking if this is possible, but now I want to know how likely it is.
I read somewhere it is extremely unlikely, but that post was from 2013 and things could have changed.
So, how likely is it?

A:How likely is it for a virus to spread via the network?

I think it is possible, if you get infected with a worm.

According to The Trust Media team, a malicious SWF file was downloaded on the victim's computers when accessing a video page. The malicious file was hosted on the brtmedia.net domain and was imitating a video player.
This SWF file executes its malicious load only on lesser known sites, avoiding large video platforms, where security teams continually search their sites looking for problematic ads.
The actual attack happens when the SWF file injects JavaScript code in the page where the video ad is supposed to display, simulating a winning ad bid, but actually loading a 1px by 1px hidden iframe.
This iframe loads a popup window that scans the user's computer settings and prompts him with a message to update some of his local software.
If the user is careless enough to click on the popup, he will download malicious software packed with PUPs and other malware.
Read more : http://news.softpedia.com/news/malvertising-has-now-spread-to-video-ads-496161.shtml

A:Malvertising Has Now Spread to Video Ads

Ad Networks Ripe for Abuse Via Malvertising
Why Malvertising Is Cybercriminals' Latest Sweet Spot

Can the CryptoLocker virus or its more recent MM variation spread from an infected HDD that has been removed from the computer and attached to another computer?

A:CryptoLocker - can it spread from External

I don't think so, because a CryptoLocker sample usually destroys itself after accomplishing its mission. It's not like W32.Sality, which spreads on all drives connected to the infected computer and patches them.

Hi
My desktop had a bad virus! Now my laptop has some of the same problems. I was getting security alerts just like on my desktop. I have run some scans like Malware; I couldn't even get on the internet. Now I can get on the internet but my laptop is extremely slow...... How can I be sure I am virus free?? Also when I start my laptop something comes up that says I have an update... How do I know what things I should update, and what I shouldn't? Please help

A:Can a virus spread from desktop to lap top?

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.
I will be working on your malware issues; this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you... Read more