
Severely infected - Win32/Alureon.H, Win32/Hiloti.gen!D, /Meredrop, /IrcBrute, /FakeCog, /FakeScanti

Q: Severely infected - Win32/Alureon.H, Win32/Hiloti.gen!D, /Meredrop, /IrcBrute, /FakeCog, /FakeScanti

Greetings. Boy, did this machine step in a big puddle of sh*t!

Current problems:
Google search redirects to other search engines
Machine will not run Windows Update - page fails to load
Machine will not update MS Security Essentials
Firewall frequently will not start (MS Firewall service)
--------------------------------------------------------------
History:
Machine HAD McAfee A/V Corporate Edition 8.5i & Spyware plugin (for all the good it did)
Machine displayed fake A/V popups (I didn't notice which)
Machine displayed Google redirects
Ran Malwarebytes and deleted 100+ problems, categories included: backdoor.bot hijack.user.init rogue.antivirussuite.gen broken.opencommand folder.stolen.data spyware.zbot spyware.passwords trojan.hiloti trojan.dropper rogue.wireshark rogue.antivirus
The names were: Win32/Alureon.H, Win32/Hiloti.gen!D, Win32/Meredrop, Win32/IrcBrute, Win32/FakeCog, Win32/FakeScanti
Uninstalled McAfee AV (since it allowed the junk in the first place)
Ran current McAfee Stinger to look for issues
Ran TFC.exe to clean out the temp folders
Installed Microsoft Security Essentials (MSE)
Scan with MSE showed Hiloti virus - successfully quarantined
* MSE update fails - "Virus & SPyware update failed | Ox80072EFE | MSE wasn't able to check for Virus and Spyware definations. Make sure your comuter is connected to the internet and try again"
* Windows Update fails "IE Cannot display the website"
* Google redirects still happening.
* Firewall service fails to start frequently

I was going to start down the road with many of the tools listed in other posts, but as an I.T. professional I thought the better of it and decided I would simply follow the directions of those more knowledgeable than myself (namely you folks :-). I would be grateful for any assistance you may be able to lend.

DDS (Ver_10-03-17.01) - NTFSx86
Run by J Silver at 20:28:51.00 on Tue 08/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.442 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Documents and Settings\J Silver\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
TB: {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvwmo~1.lnk - c:\program files\nikon\nkview4\NkVwMon.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SonyFanC;FAN Control Device Service;c:\windows\system32\drivers\SonyFanC.sys [2001-9-10 68116]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-2-15 104000]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2005-2-15 7196]

=============== Created Last 30 ================

2010-08-25 01:24:04 0 ----a-w- c:\documents and settings\j silver\defogger_reenable
2010-08-22 08:18:56 361600 ----a-w- c:\windows\system32\drivers\ygijoeut.sys
2010-08-15 07:21:01 361600 ----a-w- c:\windows\system32\drivers\wkfvsuxo.sys
2010-08-15 02:11:25 361600 ----a-w- c:\windows\system32\drivers\kvwpgwmy.sys
2010-08-14 22:44:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-14 22:24:32 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-14 20:44:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 20:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 20:44:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 08:27:54 120 ----a-w- c:\windows\Nsugaloguj.dat
2010-08-11 08:27:54 0 ----a-w- c:\windows\Dderoz.bin

==================== Find3M ====================

2010-08-23 18:35:15 1744 ----a-w- c:\windows\system32\d3d9caps.dat

============= FINISH: 20:30:48.87 ===============
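The "Created Last 30" section of that DDS log lists three .sys files in the drivers directory with random-looking eight-letter names, created within a week of each other and all exactly 361600 bytes. As an added example (not part of the original thread, and not one of the tools the helpers ask for), the Python script below parses that section of a DDS log and flags new driver files matching those two patterns for an analyst to review; the heuristics and the embedded sample text are constructed here from the log above.

```python
import re
from collections import defaultdict

# Constructed sample input: the "Created Last 30" / "Find3M" sections copied from the
# DDS log posted above, so the script can be run offline against the real entries.
SAMPLE_DDS = r"""
=============== Created Last 30 ================
2010-08-25 01:24:04 0 ----a-w- c:\documents and settings\j silver\defogger_reenable
2010-08-22 08:18:56 361600 ----a-w- c:\windows\system32\drivers\ygijoeut.sys
2010-08-15 07:21:01 361600 ----a-w- c:\windows\system32\drivers\wkfvsuxo.sys
2010-08-15 02:11:25 361600 ----a-w- c:\windows\system32\drivers\kvwpgwmy.sys
2010-08-14 22:44:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-14 22:24:32 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-14 20:44:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 20:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 20:44:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 08:27:54 120 ----a-w- c:\windows\Nsugaloguj.dat
2010-08-11 08:27:54 0 ----a-w- c:\windows\Dderoz.bin
==================== Find3M ====================
2010-08-23 18:35:15 1744 ----a-w- c:\windows\system32\d3d9caps.dat
"""

# One DDS file entry: date, time, size in bytes, 8-character attribute field, full path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Eight lowercase letters followed by .sys: the shape of the three driver names above.
RANDOM_SYS_RE = re.compile(r"^[a-z]{8}\.sys$")
DRIVERS_DIR = r"c:\windows\system32\drivers" + "\\"


def parse_created_section(text):
    """Return the entries under 'Created Last 30' as dicts; stop at the next header."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Created Last 30" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("="):          # next section header (Find3M) ends the block
            break
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["is_dir"] = e["attrs"].startswith("d")
            entries.append(e)
    return entries


def triage_drivers(entries):
    """Flag newly created driver files that look machine-generated.

    Two heuristics, each weak on its own and worth a closer look together:
      1. an eight-letter all-lowercase .sys name in the drivers directory;
      2. two or more distinct new driver files with exactly the same byte size.
    Returns a list of (path, [reasons]) for the analyst to submit for scanning.
    """
    drivers = [e for e in entries
               if not e["is_dir"] and e["path"].lower().startswith(DRIVERS_DIR)]
    by_size = defaultdict(list)
    for e in drivers:
        by_size[e["size"]].append(e["path"])

    findings = []
    for e in drivers:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if RANDOM_SYS_RE.match(name):
            reasons.append("random-looking 8-letter driver name")
        twins = len(by_size[e["size"]]) - 1
        if twins:
            reasons.append(f"same size ({e['size']} bytes) as {twins} other new driver(s)")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_drivers(parse_created_section(SAMPLE_DDS)):
        print(f"{path}\n    " + "\n    ".join(reasons))
```

Run against the sample it reports only the three eight-letter drivers, each on both counts, and leaves mbam.sys and mbamswissarmy.sys alone.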


A: Severely infected - Win32/Alureon.H, Win32/Hiloti.gen!D, /Meredrop, /IrcBrute, /FakeCog, /FakeScanti

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:
Please download DDS by sUBs from one of the links below and save it to your desktop:
Download DDS and save it to your desktop
Link1
Link2
Link3
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear: DDS.txt Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
Please Download Rootkit Unhooker. Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest. Then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note** you may get this warning, it is ok, just ignore:
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Information and logs:
In your next post I need the following
1. logs from DDS
2. log from RKUnHooker
3. let me know of any problems you may have had

Gringo

Read other 18 answers

Hello,

My computer became infected last night, and it's pretty bad. I became infected with Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more). Long story short, I'd just watched Harry Potter on DVD, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.

The virus listed by Defender was Trojan:Win32/Alureon.BT. Avast listed Win32:Jifas-CY, I didn't get the others in time. The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.

I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since Windows now thinks I have no anti-virus installed. All of these trojans are listed as "server" and "high risk." I'm not sure a rootkit didn't try to make its way in too.

EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the viruses we... Read more

A:Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t

Hello again.

I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite of what it says when you log into the limited user account). The computer (and especially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?

Should I scan from a pre-install environment like BartPE? Or from the regular "Owner" admin account? I waited 2 days for the stupid program to scan 700gb (painfully slow for a quad core, though to be expected in safe mode), and it was useless.

Other than running Windows Defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIt and Combofix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.

Does no one have any ideas???

Read other 5 answers

Hello. Sorry about this mess. I'm afraid I don't really know what I'm doing. My nephew asked me to help get rid of a red circle with a white cross telling him he had spyware, but it's turned into something much worse. He only used Windows Firewall and nothing else, saying he only uses World of Warcraft and MSN and music and doesn't surf the web!! I tried to scan with AVG but it was aborted and the Windows Firewall was continually turned off no matter how many times I put it on. Tried other antivirus progs but all were turned off. Eventually I managed to do an online scan on Microsoft Safety Centre and deleted quite a few v high threat trojans but many unable to clean. I also ran Sophos rootkit and nearly gave myself a heart attack - 938 hidden things that it recommends not to clean. I resorted to you now. I followed the tutorial for posting HijackThis and here are the results.

Kaspersky report for critical areas
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 12:40:36
Records in database: 1426420
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Do... Read more

A:win32/alureon.gen, win32/Eldycow.en!A, win32/Small, win32/Olmafik, winNT/Xantvi.gen!A, Trojan-Game Thief and more

I think I have sorted this. I ran SDFix which cleaned up enough for me to install antivirus. Avast caught lots of trojans and I have now been able to online scan and Spybot S&D etc. All logs now coming back clean, so can you delete this post please.

Read other 3 answers

My computer just shut down completely in the middle of moving some files around, right after it told me I was infected and things needed my attention. Got BSOD on reboot and the only way I could get into Windows is with regular safe mode and having to stop something else from loading, and I couldn't get internet access and Microsoft Security Essentials would not start up or update. I did a recovery from the XP CD and was able to get Malwarebytes and SuperAntiSpyware and Microsoft Security Essentials running again. They seemed to clean most things but not sure if I got everything. Microsoft Security still won't update. Here is a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:47 PM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS&#... Read more

A:infected with win32/hiloti.gen!D and win32/fakeinit

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help please let me know what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please download GMER from one of the following locations, and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zip Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Disconnect from the Internet and close all running programs, as this process may crash your computer.
Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
Double click on Gmer to run it.
Allow the gmer.sys driver to load if asked.
You may see a rootkit warning window. If you do, click No.
Untick the following boxes on the right side of the Gmer sc... Read more

Read other 2 answers

Hello and thank you for helping me.

Some other symptoms are: Various messages in my icon tray telling me Harmful viruses have been detected on my computer. And unauthorized access on your computer. These messages rotate above an icon called "windows defense center." If I right click on the icon I get a message: Defense center. ncertified MSC antivirus software detected on your computer. You need to remove MSC software for correct operation of the Defense Center. Attension: If you don't remove MSC software, the performance of your computer will dramatically degrade. Press "OK" to remove MSC. While typing this I currently have 3 of these windows open and I'm afraid to click on them so I have them sequestered to the side.

While following the instructions on posting I got to step 8 (the GMER rootkit scan). During the scan it suddenly stopped. I tried running the scan again and a Blue Screen of Death occurred. My system then crashed. I rebooted and it abnormally booted, leaving me with a black screen with no desktop. I rebooted again normally and re-extracted GMER to perform the scan. Nothing happens now when I try to run the GMER application. I am therefore posting only the DDS and the Attach txt unfortunately.

DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by hilary at 17:57:30.53 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1799 [GMT -7:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {678... Read more

A:Infected with fakecog and hiloti.gend

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more

Read other 37 answers

Avast has been detecting Win32:Alureon-EC[Rtk] and VBS:Malware-gen and Win32:VB-NSA[Drp]... when you click "Move to Chest" nothing is happening.. tried using Malwarebytes but unable to remove it...

As suggested in the Preparation Guide I have attached DDS and RootRepeal logs..Thank you!

DDS (Ver_09-10-26.01) - NTFSx86
Run by user at 9:20:27.81 on Fri 11/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.604 [GMT 8:00]

AV: avast! antivirus 4.8.1356 [VPS 091120-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast... Read more

A:infected Win32:Alureon-EC[Rtk] / WIn32:VB-NSA[Drp] / VBS:Malware-gen

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 2 answers

My Avast antivirus recently started detecting a whole host of viruses. I ran a thorough scan of all files and deleted every infected file until the scanner turned up a hit in the operating memory. It then suggested I run a boot sector scan - I did so. Upon rebooting Avast started detecting more viruses. This time I rebooted into Safe Mode and ran the scanner there, deleting everything I found. Apparently one of the files I deleted was important, because after that my computer Blue-Screened during boot-up and I had to do a system restore to a save point from a few days ago (before the virus was contracted). Since then the virus has continued to crop up, and I haven't the foggiest notion of how to get rid of it.

The title is a list of the virus descriptions that my Avast scanner gave me. I ran all the programs the walkthrough on this site instructed me to, but the RootRepeal program crashed and generated an error message and crash report, both attached (error message in .png image format - I took a screenshot of it).

Thanks for your help!

__________________________________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by Bryan at 18:56:06.09 on Wed 12/02/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1546 [GMT -5:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32&... Read more

A:Infected with js: downloader-FT Win32:Banload-GLR Win32:Malware-gen Win32:Refpron-AW Win32:Rootkit-gen Win32:VB-NWC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 3 answers

So, this is a newer netbook, almost 8 months old. I don't know how I got these because I have had anti-virus running from day one.

Anyway it all started when I was on Facebook; it just went to a different page and I never clicked on anything, then MS Security Center popped up saying everything was infected, and kept telling me that I didn't have an antivirus program and I couldn't do anything but keep going to this ad to buy one... Which was odd because Avast was running. I opened Avast and did a quick check and found the first one, Dracur_c, but when I tried to do the action to move to chest it was telling me that there was not enough room on disc... and my disc is NOT FULL. ODD, so I deleted it and it worked. I can not copy and paste the results; if I can I don't know how, but I will tell you it was in: C:/system volume information/_restore{ number letters}.dll and .EXE and it was also in C:/windows/system32/fwcfg32.dll listed TWICE

I then restarted the computer in safe mode and did a full scan and it then found it again in system volume information/restore{letter numbers}.DLL twice and then in Windows/system32/75.tmp..

This morning it was still acting weird when I started IE, redirecting me when I would use Google, and when I would send an error log to MS the page never loaded and then I would get a popup ad. So I ran another Avast scan and GOT the win32:trojan-gen, win32:alureon-hd, win32crypt-gwl that came up... This time it was found in my TEMP folder as an EXE and one in my ... Read more

A:avast found win32:dracur_c, win32:trojan-gen,win32:alureon-hd, win32crypt-gwl

Read other 14 answers

Yesterday Microsoft Security Essentials alerted that 3 trojans had been found (WinNT/Alureon.S, Win32/Alureon.EP and Win32/Alureon.CO). It said it fixed it and required me to restart to clean the computer. I restart, and then I got alerted again saying the same 3 trojans were there. This kept on happening each time I do the scan and restart.
 
DDS Log
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_25
Run by ****** at 15:32:46 on 2011-06-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1216 [GMT 10:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wire... Read more

A:WinNT/Alureon.S, Win32/Alureon.EP and Win32/Alureon.CO Trojan keeps coming back

Good evening. Download aswMBR.exe from here and save it to your Desktop. Double click the tool to run it. Click the Scan button to, well, start the scan - obvious really! Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log. On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any. You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

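The aswMBR step in the reply above saves MBR.dat, a copy of the disk's first sector, because some Alureon (TDSS/TDL) variants replace the MBR boot code and reload the rootkit before Windows starts (Microsoft's DOS/Alureon detection name refers to that MBR component), which is why a scan-clean-reboot loop like the one described never ends. The script below is an added example for this thread, not part of the original posts and not aswMBR's code: it parses a 512-byte MBR and diffs it against a backup, reporting changed boot code, a changed partition table or a missing 0x55AA signature. The two MBR images are constructed samples so it runs offline; reading the live sector 0 is left to the reader.

```python
"""Parse a 512-byte MBR and diff it against a saved copy such as aswMBR's MBR.dat.

Added example for this thread; it is not aswMBR's code. The two MBR images at the
bottom are constructed samples so the script runs offline.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code occupies bytes 0..439
DISK_SIG_OFF = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # 0x55 0xAA boot signature
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature, the non-empty partition entries and whether 0x55AA is present."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue                       # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(current: bytes, backup: bytes) -> list:
    """List the ways `current` deviates from `backup`; an empty list means they agree."""
    findings = []
    cur, bak = parse_mbr(current), parse_mbr(backup)
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current[:BOOT_CODE_LEN] != backup[:BOOT_CODE_LEN]:
        first = next(i for i in range(BOOT_CODE_LEN) if current[i] != backup[i])
        findings.append(f"boot code differs from backup (first difference at offset {first})")
    if cur["partitions"] != bak["partitions"]:
        findings.append("partition table differs from backup")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble an MBR from its parts; used here only to construct the sample images."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    mbr[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed samples (assumption, not data from the thread): the backup comes from a
# clean disk; the "current" image keeps the same partition table and signature but its
# boot code has been replaced, which is exactly the case a partition listing cannot show.
ONE_NTFS_PARTITION = [(True, 0x07, 63, 20_000_000)]
BACKUP_MBR = build_mbr(bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 20,
                       0x1234ABCD, ONE_NTFS_PARTITION)
CURRENT_MBR = build_mbr(b"\xEB\xFE" + b"\x00" * 25, 0x1234ABCD, ONE_NTFS_PARTITION)

if __name__ == "__main__":
    # To check a live disk instead, read the first 512 bytes of r"\\.\PhysicalDrive0"
    # as Administrator and pass them in place of CURRENT_MBR.
    for finding in compare_mbr(CURRENT_MBR, BACKUP_MBR) or ["MBR matches backup"]:
        print(finding)
```

The point of diffing the boot code rather than only listing partitions is that a bootkit leaves the partition table and the 0x55AA signature alone so the machine still boots; only the first 440 bytes change, and only a byte-for-byte comparison against a known-good copy (MBR.dat here) shows it.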

Hi,

Please help me in getting rid of the pop-ups which keep coming up:
trojan downloader win32 agent bq
trojan clicker win32 tiny h
trojan spy win32 key logger.aa
trojan spy win32 green screen
trojan spy html bankfraud.dq

HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:40, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Pac... Read more

A:Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:Preparation Guide For Use Before Posting A Hijackthis LogPlease also post the problems you are having.


I downloaded what I believe is the Vundo virus ( http://en.wikipedia.org/wiki/Vundo ), which kept bringing up a false spyware company. I downloaded and ran VundoFix, which seemed to get rid of it, but now I keep getting the following errors in Windows Defender whenever I log onto my computer:

Trojan:Win32/Hiloti.gen!A
PWS:Win32/Daurso

I have found my problems to be very similar to another thread ( http://www.techsupportforum.com/f100...up-404528.html )

I performed the ComboFix steps exactly as explained in forhockey's post and created the following file named ComboFix.txt on my C:/

ComboFix 09-09-23.02 - Owner 24/09/2009 16:42.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1257 [GMT 10:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\wiaserva.log
c:\documents and settings\Owner\Start Menu\Programs\Startup\ikowin32.exe
c:\documents and settings\Owner\Start Menu\Programs\Total Security
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Installer\1208efd.msi
c:\windows\Installer\2af1c73.msp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serv... Read more

A:Trojan:Win32/Hiloti.gen!A PWS:Win32/Daurso.A repeated errors.

Sorry to bump this thread early but I found the following thread. http://www.techsupportforum.com/f50/...lp-305963.html

In response, here is the DDS.txt, and attached 'attach.zip'. I apologise for not doing this earlier, I tried to spend as little time online and missed this thread completely.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Owner at 18:07:39.32 on Sat 26/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1377 [GMT 10:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Offi... Read more


I received dialog boxes that said that Explorer and winlogon were infected by the Trojan C.JEE. In addition, my browsers redirect me to alternative pages when I click on links from Yahoo! or Google searches. I tried to use the GMER tool to create a log, but it would not work, and my computer froze several times. I had to cold stop and restart my machine. Any help would be greatly appreciated. Thank you!!!

Here are the logs that I was able to run.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark at 14:38:52.12 on Mon 10/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2118 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enh... Read more

A:Infected (possibly) Trojan win32/Alureon.ec or Alureon.H & c.JEE

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop. Double click DeFogger to run the tool. The ap... Read more


Can you tell me about them?
Describe what they do?

Windows Defender found them a long time ago . . .

A:Win32/Meredrop & Win32/FakeIA.E

Win32/FakeIA.E, Trojan.Win32.Meredrop

Did WD remove the threats?


Hi. I'm new to this forum, and my brother recommended it to me. He told me to get a program called HijackThis. I used the program and this is the log I got. Would very much appreciate help. My antivirus program opens but is disabled as soon as I enable it.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:28:01 PM, on 9/28/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe
C:\Users\Mom&Dad\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
J:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet... Read more

A:Rogue:Win32/Fakescanti

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421008 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


It started with a backdoor virus which I removed. Next, Windows Defence popped up so I removed it. Then Security Suite popped up so I removed it. Now I have the following:

Trojan.Win32/Hiloti.gen!D
Trojan.Win32/Tibs.JL
TrojanSpy.Win32/Ursnif

When in normal mode sometimes I can get on the internet and other times I cannot. Last night I got online and it wouldn't let me close the browser. I could navigate to different websites but at the bottom it just kept showing new websites were loading and usernames, none of which actually loaded. I am now in safe mode with networking capabilities. I tried to download Microsoft Securities virus scan prior to coming here and it said I did not have administrative rights to do so; however, I downloaded all the things in your preparation guidelines without a problem. I am a novice computer user at best so please keep that in mind with your instructions. Thanks!

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Alicia at 7:59:22.59 on Mon 09/06/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2037.954 [GMT -7:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\... Read more

A:Trojan.win32/Hiloti.gen!D, Trojan.win32/Tibs.JL, TrojanSpy.win32/Ursnif

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more


Hello,

Please help if you can. I ran free Avast! version 5.0.677 on my Windows XP desktop computer (Pentium 4, 1.5 GHz CPU, 1 GB RAM), and came up with the following virus warnings. Unfortunately the Avast! software internal tools to remove it are grayed out and not functioning. I tried a couple of things to remove viruses from help online and then realized I was in way over my head. I found this forum and am now requesting help.

Avast! says I am affected with: JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and Win32:Virut

Attached a screen shot of Avast! with viruses and partial path to them.

Computer's symptoms (not sure if these are all due to old slow processor or malware):
Computer is freezing often;
When it is in sleep mode it is turning itself on;
Seems to be downloading stuff often and slowing down;
Monitor is going black forcing reboots often;
Couple weeks back I began getting floating ads that pop up when browsing online;
I get an error message daily that says AdAware has shut down unexpectedly, do I want to send a report? I have been ignoring this, not knowing if it was important, been several weeks.

Ok, I think that is all I can think of to share. Please help if you can. I appreciate it.

Thanks,
Dancer

~~~~~~~~~~

DDS (Ver_10-03-17.01) - NTFSx86
Run by ljk at 15:52:28.93 on Mon 09/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.102... Read more

A:Please Help ~ Infected with JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and...

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

I ask that you please refrain from running tools other than those I su... Read more


I have used Windows Live OneCare and it told me of this problem, Trojan:Win32/ircbrute, and that it could not remove it. Can anyone help? Thanks in advance.
 


I have used Windows Live OneCare and it told me of this problem, Trojan:Win32/ircbrute, and that it could not remove it. Can anyone help? Thanks in advance. This was posted first by someone else but never got a reply. Now I have the same thing popping up on my scan????

Also, can this affect email? My ISP has blocked my account because my email may be spamming. They want a screen shot of a clean scan to let me use it again. I found no other problems with Live OneCare or Webroot Spy Sweeper.
 


How do I remove it?
I NEED SOMETHING FAST AND FREE. Thanks.
I use Windows XP.
 


Unfortunately, while on vacation at the beginning of the month, I clicked a link on Facebook and Avast! (4.8) was quick to tell me that my laptop had been infected by Win32:Unruy-E, Win32:Alureon-EN and Win32:Trojan-gen. I tried to delete these with Avast! but I kept getting pop-ups telling me that my laptop was still infected.

I shut the laptop off and kept it off until today; when I turn it on now I get a ton of messages saying different network controllers, drivers, etc are not responding and will shut down. The computer still works but it is incredibly slow, and system restore and back up crashes when I try to run them.

I appreciate any help you can give me. =)
Happy New Year!
DDS (Ver_09-12-01.01) - NTFSx86
Run by Connie at 17:35:08,54 on 31.12.2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.47.1044.18.3030.1864 [GMT 1:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sys... Read more

A:Win32:Unruy-E, Win32:Alureon-EN and Win32:Trojan-gen

Problem is solved. After a lot of tweaks I was able to format the HDD.


Hi!

My machine is infected by a trojan and I need help to remove it. The name is: Trojan:Win32/FakeCog (or TrojanASPX.JS.Win32)
Risk: High
Note: in Avira's alert, the virus name is TR/Crypt.XPACK.Gen Trojan
The directories are these:
C:\Users\User\AppData\Roaming\User Protection\usrprot.exe
C:\Users\User\AppData\Roaming\User Protection\uninstall.exe

I'm not able to enable the firewall, Automatic Updating or Malware Protection in Windows Security Center.

I've already seen this other topic with this same virus, but I'm afraid to make some mistake, so I'd like your help anyway: http://www.bleepingcomputer.com/forums/t/249499/unable-to-delete-trojanwin32fakecogik/

HijackThis log follows below. Thanks for your help!

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:39, on 28/03/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lenovo\Mouse Suite\ico.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\User\AppData\Local\Temp\fontviewxp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lenovo\Mouse Suite\FSRremoS.EXE
C:\Program Files\Lenovo\Mouse Suite\Pelm... Read more

A:Trojan:Win32/FakeCog

Hello Victim, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .... Read more

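The reply above notes that some Virut variants rewrite the HOSTS file to block security-related sites; a hijacked HOSTS file is also one reason definition updates or Windows Update can fail while the rest of the web still loads. The script below is an added example for this thread, not code from the original posts or from any tool mentioned in them: it parses HOSTS-file syntax (comments, tabs, several hostnames on one line) and flags entries that map a watched domain anywhere, or map any hostname to an address other than loopback. The HOSTS text and the watched-domain list are constructed for illustration.

```python
"""Scan a HOSTS file for entries that hijack update or security-vendor domains.

Added example for this thread; it is not code from any tool mentioned in it.
The HOSTS text and the watched-domain list below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: an illustrative list of domains a cleanup depends on. A real check
# would carry the vendors and update hosts actually in use on the machine.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "avast.com",
                   "malwarebytes.org", "bleepingcomputer.com")


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    host: str
    reason: str


def _is_watched(host: str, watched) -> bool:
    """True when host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def find_suspicious_hosts_entries(hosts_text: str, watched=WATCHED_DOMAINS) -> list:
    """Walk HOSTS syntax (comments, tabs, several names per line) and flag
    watched domains mapped anywhere and any name mapped off the loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(line_no, fields[0], "", "first field is not an IP address"))
            continue
        local = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0 are the stock targets
        for host in fields[1:]:
            if _is_watched(host, watched):
                findings.append(Finding(line_no, str(addr), host,
                                        f"watched domain mapped to {str(addr)}"))
            elif not local:
                findings.append(Finding(line_no, str(addr), host,
                                        f"mapped to non-loopback address {str(addr)}"))
    return findings


# Constructed sample (assumption): a stock Windows HOSTS file carries only the two
# localhost lines; the rest is the kind of entry a hijack adds.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
# comment lines and inline comments are ignored by the resolver
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com
127.0.0.1       update.microsoft.com   windowsupdate.microsoft.com
192.0.2.10      www.google.com   # search traffic sent to an attacker-chosen host
"""

if __name__ == "__main__":
    # Swap in open(r"C:\Windows\System32\drivers\etc\hosts").read() to check a live machine.
    for f in find_suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.host} -> {f.ip}: {f.reason}")
```

Two design points: a watched domain is flagged regardless of target, because pointing it at 127.0.0.1 is the usual way to silently break updates; and any mapping to a non-loopback address is flagged on its own, because that is how a HOSTS entry redirects a search or banking site to a host the attacker controls.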

About three days ago I downloaded an unsavory program and 'installed' it, infecting my computer. Immediately after double-clicking the file no less than 20 processes stopped working and shut down. A whole flurry of windows opened with fake spyware removal requests, etc. The only protection I had at the time was Windows Defender, and it caught two or three of them quickly. The first of which were Alureon.bt and FakeCog. Over the past few days I have installed and run many malware removal programs and removed many of the offenders. The infections killed my ability to restore, edit the registry, back up and more. I've cleaned the drive using CCleaner, uninstalled all old Java versions, etc. I've run SUPERAntiSpyware, Microsoft Security Essentials, Malwarebytes, ComboFix (sorry), Live OneCare online scan, a-squared and Windows Defender. Defender no longer works, nor does Windows Backup (a shadow copy issue), and worst of all, 90% of my clicks are redirected to bogus sites. I get random audio playing sporadically (sounds like commercials), my C drive doesn't show up in Disk Management, and I get random errors saying 'CCP,' 'AML,' 'CPAX20,' 'HSDemo,' and other programs have stopped working. When I ran ComboFix it would hang with no progress, not even stage 1. I ran it in safe mode and it crashed the system after stage 3. I've also run GMER and it freezes and stops working in regular and safe modes. Some of the files that were initially present that I was able to write down were: alu... Read more

A:Infected with Alureon.bt and *MANY* others (rootkitdrv.AA, obfuscator.hg, Rbot.gen, lol.exe, FakeCog, FakeVimes and trojandownl...

Thought I'd add a HijackThis log as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:12 PM, on 11/25/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WebPosition 4\wpsched4.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\MozyHome\mozys... Read more


Hi,

Unfortunately my computer has become infected with a trojan virus. I ran A-Squared Free and it detected a Trojan.win32.FakeCog!IK at this location:
C:\WINDOWS\system32\UACwhwibqaoyh.dll
It seems anti-virus software is unable to remove this infection and I am in need of help as to what I should do. Any help would be greatly appreciated. Thanks

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:20, on 08/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files&#... Read more

A:Unable to delete Trojan.win32.FakeCog!IK

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here
Double click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I have a Dell Studio XPS with x64 Win7. Somehow I have managed to get DOS/Alureon and Win32/Alureon. The Malicious Software Removal Tool can find the problem, but has only been able to "partially remove it". I have also tried TDSSKiller with no success. I've also run the following command prompt commands after using the repair option when booting to my Win7 install disk:

bcdedit /export c:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd

bootrec /FixMbr

bootrec /Fixboot

bootrec /RebuildBcd

I have also run a Microsoft Security Essentials scan where I boot to a jump drive, but I get the following error when trying to remove the problem it found:

This program is blocked by group policy. For more information contact your system administrator.

All of this after I reformatted to remove it. My DDS Log can be found below. Any help is greatly appreciated. Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Mark at 21:27:57 on 2012-01-21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4061.2585 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Runn... Read more

A:Infected with DOS/Alureon and Win32/Alureon

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/439364 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


I have been struggling for the past week or so trying to get rid of a virus. McAfee started alerting me that I had the DNSChanger.o virus and that it had removed it. This kept popping up and it seemed that the virus had never been removed. I tried several instructions that I found through Google that advised me to run several cleaning tools such as MalwareBytes, ComboFix, etc. Needless to say none has helped. I opened the following topic http://www.bleepingcomputer.com/forums/t/280331/dnschangero-dlclkdll-not-being-removed-no-matter-what/ on BleepingComputer.com and the advice of the last person was that I post my log here.

As per the previous advice, below is my log for DDS. Currently I am unable to run RootRepeal and cannot boot into safe mode. I do however have an Ark.txt file that was generated from another tool that I will attach.

Any help provided is greatly appreciated.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Rooster at 9:21:20.40 on Mon 12/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.452 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091221-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program F... Read more

A: Infected with Win32-Alureon-EN[Rtk]

Thank you guys for your consideration. The issue has been resolved.

Read other 2 answers

Hello,
This booger has been a nightmare! I have had browser hijacking issues for a while, but was really unaware what the problem was. Then I started having DCOM process launcher service errors. That no longer is an issue. I can stay connected just fine. But now I can't click a link in IE or Firefox without being redirected. I have done a scan with MSE and it detected this varmint, but it only disinfects it--not healing or removing it. So, each time I run a virus scan with MSE it detects this virus, still only disinfecting it. I have also run MBAM with no infections being detected. And I have the Windows Malicious Software Removal Tool that didn't detect anything either. This has all been done in regular mode, not safe. My DDS tool log... and I've attached the 'attach' file and the 'ark' file from the RootRepeal scan.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Kim at 18:15:56.70 on Fri 01/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.180 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spool... Read more

A: infected with Win32/Alureon.F

Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Read other 2 answers

I was asked to be redirected here. I was also asked to post a log file and RootRepeal log, but the utility he gave said that it cannot access the system32 files. What should I do now? Thank you.

Original Post:
Hey there, could someone please help me? I got infected by this nasty trojan and I don't know what to do. I'm running in safe mode right now because Windows does not want to boot. The mouse just floats over a black screen and sometimes it gets stuck at the welcome screen. I tried all possible scans and removal tools but to no avail. Please do help me, and thank you very much.

Running from: C:\Users\User\Downloads\Win32kDiag.exe
Log file at : C:\Users\User\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-09-21 09:24:41 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-09-21 09:24:41 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-09-21 09:24:59 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-09-21 09:24:57 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
[1] 2009-09-21 09:02:32 0 C:\W... Read more

A: INFECTED BY Win32:Alureon-CY [Rtk] PLEASE HELP!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

In the upper right hand corner o... Read more

Read other 2 answers

Hey there, could someone please help me? I got infected by this nasty trojan and I don't know what to do. I'm running in safe mode right now because Windows does not want to boot. The mouse just floats over a black screen and sometimes it gets stuck at the welcome screen. I tried all possible scans and removal tools but to no avail. Please do help me, and thank you very much.

A: INFECTED BY Win32:Alureon-CY [Rtk] PLEASE HELP!

Now ... Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states "Finished! Press any key to exit", press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

Next please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the RootRepeal log and the above log.

Let me know how that went.

Read other 6 answers

Hey Guys,

Wondering if someone can help me with this one. I've tried ComboFix, TDSSKiller, and aswMBR; I am running a boot scan right now with Avast. The only one that has found the rootkit is aswMBR and the log is attached. Any suggestions? I really don't want to reformat.

Thanks!

A: **INFECTED** Win32:Alureon-ATN [Rtk]

Thanks anyways, got it!

Read other 1 answers

Dear whatever kind soul out there can help me:

For about a month now, I've been living with Alureon.H. Sometimes it redirects me from my intended website to other websites. I tried fighting it a few times on my own, following advice from other websites, but it seems to keep coming back. Finally, a poster on another website steered me here. I've poked around this site, and I'm starting to think that I was an idiot for trying to tackle this on my own. I'm in over my head and ready to listen and follow orders. Any help would be appreciated. I cut and pasted the DDS text below, and I've attached the Attach.txt file. I tried to create a GMER log, but while GMER was scanning and compiling data, I got a BLUE SCREEN with text that said GMER had stopped due to a "C0000145 Application Error," and that the program had "failed to initialize properly 0XC0000096".

DDS Text:
DDS (Ver_10-03-17.01) - NTFSx86
Run by The Hoffman Family at 10:00:37.83 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.266 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WIND... Read more

A: Infected with Win32/Alureon.H

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

Read other 2 answers

According to the Microsoft Windows Malicious Software Removal Tool, I am infected with Win32/Alureon.H. I have Norton 360, but it doesn't seem to detect this. I have noticed that some of my Google searches are being redirected and my computer has been sluggish at times (don't know if that's related to this). I am running Windows XP on a Dell. Below is the log that the forum asks to be posted. Thanks in advance to anyone who can help.

Jim
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:39:08 AM, on 7/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement P... Read more

A: Help! Infected with Win32/Alureon.H

Read other 12 answers

MS Forefront detects this and attempts to remove it, but it comes back. The Trojan alters local DNS settings, hobbling internet access.

DDS (Ver_09-07-30.01) - NTFSx86
Run by bowmma2 at 16:27:40.85 on Tue 09/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -4:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {C523C51E-66FB-4E1D-96B4-8164137FED50}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Forefront\Forefront System\Client\AntiMalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Insight\Tools\aiclient.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
c:\Program Files\Microsoft Forefront\Forefront System\Client\Agent\FSysAgent.exe
c:\Program Files\System Center Operations Manager 2007\HealthService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Fi... Read more

A: Infected With win32/Alureon.gen!U

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 3 answers

Earlier today, my computer started doing some really funny stuff after I clicked on a website about home improvement of all things. I kept getting these popups about how my computer was infected and I needed to download some antimalware software to get rid of it. Of course, I didn't! I ran AVG Free, which found nothing. Two programs installed themselves to my desktop, and I was unable to remove them so I used System Restore to restore the computer to an earlier state. When the computer restarted itself, a program called Windows Malicious Software Removal tool told me it had partially removed part of some malicious software but manual steps were necessary. I went to the site and downloaded Microsoft Security Essentials. I ran AVG and then partially ran Microsoft Security Essentials. AVG turned up nothing, and I actually stopped MSE before it finished because I found instructions to use TDSSKiller to remove the alureon.h virus. I ran the program TDSSKiller, which found something, and began to restart the computer. It seemed to get stuck somewhere between on and off but never restarted after 2 hours, so I turned off the computer myself and restarted. When I turn on the computer right away, it comes up with something briefly that says Windows Firewall is not on, but then it immediately goes away and the Security Center icon turns green. I haven't really tried to do anything yet to see if the computer is working correctly, because I want to make sure the virus is gone.... Read more

A: Infected with Win32/alureon.h

The Virus the Malware Removal Tool found was Win32/alureon.h. I put that in the topic, but not in the actual text that explains the problem! Sorry!

Read other 18 answers

I have run Microsoft Security Essentials and it detects Win32/Alureon.H but encounters Error Code: 0x80501001 whenever I try to remove it. The only effects of the virus that I have noticed are search result links from Google being automatically redirected to various websites.

Thanks in advance for helping with this problem.

DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeep's at 19:24:19.01 on Fri 08/27/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.405 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files&... Read more

A: Infected with Win32/Alureon.H

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Do not Attach logs unless I ask you to.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

One or more of the identified infections is known as a Backdoor Trojan. - TDSS rootkit <-- please read

What this virus does do:

Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.

What the virus can do:

Backdoor.Tidserv is a Troja... Read more

Read other 14 answers

I run Windows XP

The last couple of days I noticed:
No volume icon in the tray
Win display is in 'classic' mode only. No XP theme available
Internet connection fails due to missing internet settings
Web page redirects occur

I googled the symptoms and it appears it is due to a virus.

I ran Microsoft's online scanner; it detected win32/Alureon.H (but cannot remove it).

Help in its removal would be greatly appreciated.

Paul

A: Infected with win32/Alureon.H

Hello and welcome... Please follow our Removal Guide here: How to remove the TDSS, TDL3, or Alureon rootkit

You will move to the Automated Removal Instructions.

After you have completed that, post your scan log here and let me know how things are.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Read other 19 answers

My Internet Explorer has been hijacked and when I use the search engine it redirects me to different unwanted sites. I am running Windows XP. I used Microsoft Security Essentials to find I had win32/alureon and also their Malicious Software Removal Tool to confirm the same. However, this has not removed the problem. I understand from reading some info on Microsoft's site that some manual removal is required; unfortunately their explanations on how to do this are beyond me. (DNS settings? More abbreviations that I do not understand, and unfortunately I also can't search for explanations easily because I'm redirected somewhere that I didn't intend to go.)

Help me, bleepingcomputer. You're my only hope.

A: Infected with Win32/Alureon

Hello and welcome. Let's see if we can get this solved with 2 scans first.

Please run the tool here: How to remove Google Redirects
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

Next run MBAM (MalwareBytes):
Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it rename it to say zztoy.exe
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to instal... Read more

Read other 28 answers

Hello, I would really appreciate any help.

For the past three days Avast has been detecting Win32:Alureon-EC [Rtk] at two-hourly intervals on my computer (Windows XP, SP3). The message is "Sign of "Win32:Alureon-EC [Rtk]" has been found in "C:\Windows\system32\tdlwsp.dll" file."

Each time I move it to chest or delete it and do a MBAM scan/Avast boot-time scan which shows everything is clean, but then Avast detects it again two hours later and I repeat the process... I am wondering why it keeps on happening (10 times so far!) and if it is a sign of something more sinister? I have disabled System Restore due to a previous infection (described below) and am not sure when to start enabling it again.

My computer seems to be running ok.

Not sure if this is related, but a month ago Avast detected that I was infected with some trojans (Fasec, Xorpix-AR), Win32 MalOb-Z (Cryp), a rootkit (Rootkit-gen) and a dropper (Neredr). Avast was able to remove most of the infections apart from Neredr, so I installed MBAM and it seemed to do the trick. I also used SuperAntiSpyware to scan and it came back clean.
Two weeks ago Avast also detected Win32:Rootkit-gen in my USB, which was moved to chest. MBAM scan was clean.

As suggested in the Preparation Guide I have attached DDS and RootRepeal logs.

Thank you so much for your time.
DDS (Ver_09-10-26.01) - NTFSx86
Run by Htay at 0:25:15.56 on 15/11/2009
Internet Explorer: 6.0.2900.5512... Read more

A: Infected with Win32:Alureon-EC [Rtk]

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follo... Read more

Read other 19 answers

Stemmed from an attempt to install Microsoft Security Essentials, leading to Microsoft Installer not working. All the normal attempts at activating via MSIexec/regserver and reinstallation did not work.

Ran Microsoft Security Scanner which found and removed Java/Blacole.FK, JAVA/CVE-2010-8040, JAVA/CVE-2011-3544, JAVA/CVE-2012-0507, and JAVA/CVE-2012-1723.

Afterward, still unable to get MSE to install.

This morning I ran the newest version of MS Safety Scanner which found the following:

Malware                          Results:
Trojan: Win32/Alureon.FV         Partially Removed, manual steps required
Exploit: Java/CVE-2013-0422      Removed
Trojan: JS/Iframe.BC             Removed
Trojan: Win32/FakeSysdef         Removed

I'm assuming that there is stuff left to do by the results message and that this virus might not be gone. Attempted Kaspersky TDSSKiller on advice from your site. It scanned 316 objects and found no threats.

Still can't get Microsoft Installer to work:

DDS:
DDS (Ver_2012-11-20.01) - NTFS_x86
Int... Read more

A: Infected With Win32/Alureon.FV

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recov... Read more

Read other 38 answers

Hi there. So, evidently I have a virus. I've been trying on my own to get rid of it, but to no avail. I run on Windows XP. Any help at all would be greatly appreciated... this virus is getting the best of me! I tried to run a DDS Log thing, but all I got was a bunch of symbols in Notepad and buried in there was something about not running DOS. I did do the GMER thing... here it is.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-11 11:46:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Windows\LOCALS~1\Temp\kwlyruob.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF880687E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8806BFE]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[688] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[688] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[688] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[688] USER32.dll!Di... Read more

A: Infected with Win32/Alureon.H

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more

Read other 3 answers

My computer was infected with the Internet Security 2010 which I tried to stop and remove with rkill and Malwarebytes. The fake security pop ups have stopped but now my browser gets redirected whenever I use a search engine and click on any of the search results. Windows Defender found a Win32/Alureon.CO infection but cannot remove it. McAfee did not find any infection. Spybot Search and Destroy, Malwarebytes and Superantispyware also did not pick up the infection.

Your help is greatly appreciated. Thank you.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ignacio E. Sanabria at 9:58:20.48 on Wed 01/20/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: McAfee S... Read more

A:Infected with Win32/Alureon.CO

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%... Read more

Read other 2 answers

Hello, my AV advised me that I was infected by Win32/Alureon.ec. I tried to get rid of it using my AV but it keeps coming back. After some research I found out that one of your members (1bsymum) had the same problem and was able to fix it with the help of one of your malware experts (SifuMike). If one of you could help me get rid of it (and maybe some others unknown to me) it would be greatly appreciated.

Note: aside from many internet failures (error: "Connection to the server was reset while the page was loading") my computer is running OK.

The ark.txt file was too large to upload; I tried to cut and paste a portion of it in a different file (ark2.txt) but could not upload it because of the 512k upload quota. I also tried to reply to my post and attach the ark2.txt file to it but it did not work, so keep in mind that the ark file is incomplete.

Thanks in advance,
Steph

DDS (Ver_10-12-05.01) - NTFSx86 Run by Stephane at 17:34:34,22 on 2010-12-10
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6002.2.1252.2.1036.18.3061.1168 [GMT -5:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost... Read more

A:Infected with Win32/Alureon.ec

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report.

Please downloa... Read more

Read other 13 answers

Hello, I'm having a malware problem. First of all I did some self help and removed Total PC Defender, which I believe was installed through a redirect from the Alureon. I used Malwarebytes and it removed a couple of unwanted files. Now I'm having an issue with searching: when I search anything and click on a link for the search, it redirects to multiple different websites. I installed and updated the latest version of avast! and then it kept popping up a warning for Win32:Alureon-fr; it would replicate every 3-5 seconds over and over, so I shut it off so I could get some help. Also I have tried to use the Kaspersky TDSS rootkit removal tool but it doesn't work. I followed all of the preparation guide's instructions as follows.

DDS (Ver_10-03-17.01) - NTFSx86 Run by Bryce Woodson at 14:07:41.71 on Sun 03/28/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.423 [GMT -6:00]
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k n... Read more

A:Infected with Win32:Alureon-FR

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo... Read more

Read other 9 answers

Windows Live OneCare has detected the WIN32/Alureon.h trojan but has been unable to remove it. Malwarebytes Anti-Malware didn't find it, neither did CA E-Trust.

DDS (Ver_10-03-17.01) - FAT32x86 Run by Thing1 at 20:39:06.56 on Mon 06/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.46 [GMT -4:00]
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\ms... Read more

A:Infected with Win32/alureon.h

Greetings

One or more of the identified infections is a Backdoor Trojan - TDSS rootkit. This could allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC could be compromised and there is no way to be sure that your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know."

I would like you to do the following. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:... Read more

Read other 4 answers

I am using AVG free and it does not detect the virus. Neither does Ad-Aware, Malwarebytes or Spybot. When I run Spybot it does find other viruses and malware and has removed them, to the best of my knowledge. The only scan that has identified the win32/alureon.h virus is the one I run through windows live safety and it says it can not fix it. When I try to update Windows Defender, I am unable to. To the best of my knowledge the virus has not changed my home page at any time. It does however constantly redirect my search when I use Google or Ask.

A:Infected with Win32/Alureon.H

Greetings

One or more of the identified infections is a Backdoor Trojan. This could allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC could be compromised and there is no way to be sure that your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know."

I would like you to do the following. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix: Please visit th... Read more

Read other 15 answers


I've been fighting against this little menace for the last couple of days now.
No success.

I was infected through a torrent file (wasn't cautious enough...), using AVG 9.0 paid version.
Since then I've tried them all (practically), from NOD32, Kaspersky Internet Security, Malwarebytes (...) to Microsoft Security Essentials.
Kaspersky was the only one who could delete it (at least I thought so), but then my PC couldn't reboot itself, so then I was forced to restore the system and the virus was back and active!

For what it counts, I do have access to my Windows install disc.

Your specialized help is my last hope before I decide to format my PC.
So thanks in advance for all you can do.

Ark.txt and Attach.txt attached at the bottom.

Here's the DDS scan:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Zootopia at 15:23:45,52 on 23-10-2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.351.1046.18.2047.1090 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Fi... Read more

A:VIRUS ISSUE: Rootkit.Win32.TDSS.u / Trojan:Win32/Alureon.gen!U

Bump.

Anyone?!

Read other 2 answers