
numerous problems (real/false?) rootkit, trojan?? help please!

Q: numerous problems (real/false?) rootkit, trojan?? help please!

Below is my HijackThis log. I have no idea what is going on. In addition to my other issues today I have suddenly developed a problem with my hosts file?? Other issues are:

Warnings coming up saying I am infected with a rootkit and malware. Some scans find them, some don't. I don't know if these are false warnings. I remove them and the warnings keep coming.

It takes several tries to get to web pages sometimes and the computer is often very slow or freezes.

Pop ups are turned off but keep popping up

It seems that computer settings are changing on their own.

My avast scan would not complete

I would appreciate any help. Thanks in advance. Forgot.... Have also seen a warning that there are problems with my email. They disappear so fast I can't read them. My mail often freezes and I can't close out from that page. Restart does not always work.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:38 AM, on 11/16/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5234
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5234
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5234
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5234
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] C:\Program Files\Uniblue\RegistryBooster\Launcher.exe delay
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\Logishrd\eReg\Common\eReg.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8434 bytes
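
Added example, not part of the original post and not something HijackThis does: a small Python audit of a Windows hosts file of the kind the asker suspects has been tampered with. The O1 line in the log above ("::1 localhost") is the IPv6 loopback entry that Vista ships in its default hosts file, so the check below treats any `localhost` entry that resolves to a loopback address as benign and flags only (a) a `localhost` entry pointing somewhere else and (b) any mapping for a watched security-vendor or update domain, which is how a hosts-file hijack keeps scanners from updating. The sample hosts content and the watch-list of domains are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file. The first two mappings are what Windows Vista
# ships with (HijackThis reports the IPv6 loopback line as an O1 entry). The
# remaining lines are constructed examples of the kind of tampering a
# hosts-file hijack performs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.avast.com          # constructed: vendor site redirected
198.51.100.7    update.microsoft.com   # constructed: update server redirected
0.0.0.0         ads.example.net        # constructed: harmless ad block
"""

# Domains an attacker commonly blackholes or redirects so the victim cannot
# fetch tools or signatures. Assumed watch-list for the example, not from the post.
WATCHED_SUFFIXES = ("avast.com", "microsoft.com", "malwarebytes.org", "symantec.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments/blank lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Return a list of (line_no, hostname, ip, reason) findings.

    localhost -> loopback is fine (IPv4 or IPv6); localhost -> anything else is
    not. Any mapping at all for a watched domain is reported, because a correct
    hosts file has no reason to carry one.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if name == "localhost":
            if not addr.is_loopback:
                findings.append((line_no, name, ip, "localhost not loopback"))
            continue
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            findings.append((line_no, name, ip, "watched domain overridden"))
    return findings


if __name__ == "__main__":
    # On a real Vista machine read C:\Windows\System32\drivers\etc\hosts instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On the constructed input the two vendor redirects are reported and the two loopback lines and the ad block are not; the same function run over the real `drivers\etc\hosts` tells you whether the "hosts file problem" is a changed file or just the scanner noticing the IPv6 loopback line.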

A: numerous problems (real/false?) rootkit, trojan?? help please!


Yeah, so the Trojan.KillAV file was found on the drive that (I'm hoping it was gateway! It's mentioning PC Angel in any case...) is locked down so I can't access with admin rights with Windows Explorer . I'm looking at my older HJT log from a few days ago, and although I don't know too much about reading the logs...I think Symantec files popping up as files missing isn't good. Since it was on the backup drive, I'm wondering if it's a false positive. The name of the file is add_gateway.exe, which googling gives no relevant info to...If I can get some help pulling things out of an NIS 2007 quarantine file if it's still there, I can submit if whoever helps would like. I'll submit the log before my NIS scan and I'll throw in a current one too. I would like to know if anyone knows about the international options line, too. I don't use other languages for WinXP... : / I'm using a Gateway CX2620 Tablet PC. Patched as of 6 January 2007.

First HJT! Log

Logfile of HijackThis v1.99.1
Scan saved at 8:05:35 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Fil... Read more

A: Trojan.KillAV was found, not sure if it's a false positive or real.

Bump because it's on page 5....is it ok to bump when it gets that far back?
 


First, thanks for all the good work you guys are doing.
 
Sept4 early morning, I was browsing through a Tumblr account, clicked a pic and was redirected to a tab which I couldn't close. Back button on my browser wouldn't work either. Had to Ctrl+alt+del to close my browser.
 
I ran a scan with AVG immediately after and got the ff. results:
 

Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_SHUTDOWN -> CLASSPNP.SYS ClassIoComplete+0xEF";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"

Infected;"Medium";"IRP hook, \Driver\PCIIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"Cannot be cleaned"

Infected;"Medium";"IRP hook, \Driver\hidusb IRP_MJ_CREATE -> HIDCLASS.SYS +0x1902";"C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS";"Cannot be cleaned"

Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_INTERNAL_DEVICE_CONTROL -> CLASSPNP.SYS ClassInternalIoControl";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"

Infected;"Medium";"IRP hook, \Driver\hidusb IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x1902";"C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS";"Cannot be cleaned"

Infected;"Medium";"IRP hook, \Driver\hidusb IRP_MJ_READ -> HIDCLASS.SYS +0x1902";"C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS";"Cannot be cleaned"

Infected;"Medium";"IRP hook, \Driver\PCIIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";... Read more

A: IRP Hooks detected by AVG Free - false positives, or real problems?

Hi there, my name is Marius and I will assist you with your malware related problems. Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with aswMBR
Please download aswMBR ( 4.5MB ) to your desktop. Double click the aswMBR.exe icon, and click Run. There will be a short delay before the next dialog box comes up. Please just wait a minute or two. When asked if you'd like to "download the latest Avast! virus d... Read more


Got bit by a trojan and thought I had it solved but I believe the problem now is related. Background: a few weeks back I downloaded what I thought was an auto manual for my car and ended up crashing the computer. When rebooted, got the "ad" stating a trojan/virus was detected and click here, etc. Knew I had a trojan. Was able to eradicate (I thought) and all was well. The other day I was looking at a DVD that was freezing up on my son's computer and when it froze on mine, a BSOD appeared (not long enough to see what it was) and then rebooted. When rebooted, was very slow and got a McAfee blocked a buffer overflow error in services.exe. I also found that my D: drive was still showing in my computer, but when clicked on said was not formatted, did I want to format. I am fairly sure all the data is still there, so I am thinking the MBR may be corrupted (not sure if related to the infection or coincidental). I ran Malware AntiMalware and found a ton of trojan files which I fixed. Ran again, found more, fixed, until now I am getting a clean scan with nothing being found. Ran HijackThis and removed an entry in the O20 setting that apparently was loading at bootup. Ran SuperAntispyware and found 2 adware files which I deleted. I just ran HiJackThis again and am posting the log. I need help as to where to go from here. It runs very slow even in safe mode. I need to get it up to speed, then need to figure out how to get my D drive back. Appreciate any help. I am usi... Read more

A: Trojan caused numerous problems..Need help

Hello and welcome to TSF.

HijackThis is no longer the preferred initial analysis tool in this forum

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Hi, i've been having a lot of problems with this particular trojan; Trojan Horse Collected. 11.B. I've tried removing it several times with AVG...but it just keeps coming back, I have it 10 times in the AVG Virus Vault plus Trojan Horse Generic4.RMZ also.

Can someone help me plz.
Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:10:56 PM, on 04/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jr... Read more

A: Solved: Help! Numerous Trojan problems! Inc HJT log.


On several browsers, Avast is alerting with this message when I use my browser to check my juno email. There is nothing in my inbox or other folders at the time. AV says it has blocked a possible virus.

A:False positive or real

Hi there .. That has been going on for years .. I thought Avast had that fixed long ago ..


I am having some system problems that are hard to pinpoint...no BSODs...no hangs...fails to verify backup archive randomly...loss of internet connectivity that requires a reboot to reestablish...random failures when using SageTV to record programming, etc.

I ran the Windows memory diag...many immediate failures in the upper end of conventional memory. MemTest86+ ran overnight with no failures. TuffTest Pro also runs without error.

I have a gig of memory on an Asus A8v mobo (4x256)...tested each simm separately without failure with the Windows memory diag. Swapped simm pairs around...error in same area of conventional memory.

Running an AMD X2 cpu...no overclocking...bios is at defaults for speed/voltage/timing...etc.

Any thoughts would be greatly appreciated. Wonder if I am chasing a phantom?
 

A: Ram errors...real or false???


Hi. Most of my troubles started a little while back. I was on the computer and all of a sudden a whole bunch of different windows popped up. I can't really explain it better, but it didn't seem like internet browser windows, but windows with names of files in the title. It seemed like my computer had crashed.

I restarted and ran an AVG scan, Malwarebytes scan, SUPERAntiSpyware scan. I quarantined some files. I think after I did this is when I started having problems with my internet. I cannot connect to the internet through my wireless broadband modems (I have two usb modems from two different carriers). The usb ports work, but not for internet as one modem shows a signal but gets stuck on "connecting" and the other shows no device is connected. I checked and both modems work on other computers. I may have quarantined something I shouldn't have.

What I found from Malwarebytes was Spyware.PWS in C:\system volume information\restore.....\A0013280.exe. AVG found something, but after I quarantined it, I uninstalled AVG and installed Avast. I believe what AVG found was the TR/Dropper trojan, which I would see later. Whatever SUPERAntiSpyware had found, I restored because I thought it might have caused a problem with the modems. It wasn't the problem and SUPERAntiSpyware doesn't even show it as a threat anymore. I believe the threat had something like "winlogon" and "taskman" listed in a registry.

Today Avira fou... Read more

A: TR/Dropper.Gen - Real or false alarm?

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan were in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to: Restore Point Forensics; Forensic Analysis of System Restore Points in Microsoft Windows XP.

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and proba... Read more
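
Added example, not part of the reply above: a Python triage helper that applies the distinction the reply draws. It recognises the XP System Restore path shape, <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<seq>.<ext>, separates restore-point copies from hits on live files, and groups the copies by restore point number so you can see which RP directories carry infected snapshots. The sample detections, including the GUID and the live-file path, are constructed for the example; the first mirrors the shape of the Malwarebytes hit quoted in the question.

```python
import re
from collections import defaultdict

# XP System Restore keeps snapshot copies under
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<seq>.<ext>
# RP<n> is the restore point number, A<seq> the sequential backup name;
# the original file's extension is preserved.
SVI_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\"
    r"_restore\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\"
    r"RP(?P<rp>\d+)\\A(?P<seq>\d+)\.(?P<ext>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed scan results. The GUID and the last path are placeholders;
# the first line mirrors the shape of the Malwarebytes hit in the question.
SAMPLE_DETECTIONS = [
    r"C:\System Volume Information\_restore{1D2E3F40-5A6B-4C7D-8E9F-A0B1C2D3E4F5}\RP301\A0013280.exe",
    r"C:\System Volume Information\_restore{1D2E3F40-5A6B-4C7D-8E9F-A0B1C2D3E4F5}\RP301\A0013281.dll",
    r"c:\system volume information\_restore{1D2E3F40-5A6B-4C7D-8E9F-A0B1C2D3E4F5}\RP298\A0012977.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\setup_tmp.exe",  # constructed live hit
]


def classify_detection(path):
    """Return ("restore_point_copy", rp, seq, ext) for an SVI snapshot copy,
    or ("live_file", None, None, None) for anything else."""
    m = SVI_RE.match(path)
    if not m:
        return ("live_file", None, None, None)
    return ("restore_point_copy", int(m.group("rp")), int(m.group("seq")), m.group("ext").lower())


def triage(paths):
    """Split detections into live-file hits and restore-point copies keyed by RP number.

    A live hit means the file is present outside System Restore and needs removal;
    a copy on its own means the original was elsewhere at some point and got
    snapshotted, which is what the reply above describes.
    """
    live, by_rp = [], defaultdict(list)
    for p in paths:
        kind, rp, _seq, _ext = classify_detection(p)
        if kind == "live_file":
            live.append(p)
        else:
            by_rp[rp].append(p)
    return live, dict(by_rp)


if __name__ == "__main__":
    live_hits, copies = triage(SAMPLE_DETECTIONS)
    print("live files:", live_hits)
    for rp in sorted(copies):
        print(f"RP{rp}: {len(copies[rp])} snapshot copy(ies)")
```

Feed it the paths from a scan report: anything in the `live` list is the real cleanup target, and the RP numbers in the dictionary are the restore points that still hold copies.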


I have my laptop running Win-7 64-bit.
Just the other day, I downloaded mbr.exe from gmer.net and ran it using Admin. Got the following in log file:
*********MBR.exe Log Begins**********************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601
device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR
*********MBR.exe Log Ends **********************************************
Getting a bit concerned, I then downloaded aswMBR from gmer.net and ran it without virus scanning. Following are the results:
********* aswMBR.exe Log Begins **********************************************
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-13 20:23:31
-----------------------------
20:23:31.383 OS Version: Windows x64 6.1.7601 Service Pack 1
20:23:31.383 Number of processors: 2 586 0x170A
20:23:31.384 ComputerName: NK-PC UserName: Admin
20:23:32.283 Initialize success
20:23:32.558 AVAST engine defs: 13061301
20:23:39.692 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:23:39.696 Disk 0 Vendor: FUJITSU_MJA2250BH_G2 8919 Size: 238475MB BusType: 11
20:23:39.809 Disk 0 MBR read successfully
20:23:39.813 Disk 0 MBR scan
20:23:39.819 Disk 0 Windows 7 default MBR code
20:23:39.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:23:39.842 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 140374 MB offset 2... Read more

A: False Positive or Real Problem??

Let's get one more look.
Open MalwareBytes ....Click on More Tools
Then click on Anti-Rootkit and run that.
There are instructions there..
Post that log here.
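
Added example, not part of the thread and not code from GMER's mbr.exe or aswMBR: a Python parser for a 512-byte MBR that performs the checks the aswMBR output above summarizes in one line each. It verifies the 0x55AA boot signature, decodes the four partition entries (status byte, type, start LBA, sector count), checks that exactly one partition is active and that no entries overlap, and hashes the 440-byte boot-code area so it can be compared against the same bytes taken from a known-clean install of the same Windows version, which is how "default MBR code" is established in practice. The image is built in code to match the layout in the log (partition 1 active, type 07, 100 MB at offset 2048; partition 2 type 07); the second partition's offset is an assumption because the log is truncated there, and the zero-filled boot code and the disk signature are placeholders, all constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR matching the layout aswMBR reported above:
    partition 1 active, type 0x07 (NTFS), 100 MB at LBA 2048; partition 2
    type 0x07 starting right after it (assumed; the log truncates the offset).
    The boot-code area is zero-filled and the NT disk signature is a
    placeholder; both are constructed, not real data."""
    def entry(active, ptype, lba_start, sectors):
        status = 0x80 if active else 0x00
        chs = b"\x00\x00\x00"  # legacy CHS fields, unused in this constructed image
        return struct.pack(ENTRY_FMT, status, chs, ptype, chs, lba_start, sectors)

    p1_sectors = 100 * 1024 * 1024 // SECTOR       # 204800 sectors
    p2_sectors = 140374 * 1024 * 1024 // SECTOR    # 287485952 sectors
    mbr = bytearray(bytes(440))                     # constructed: no real boot code
    mbr += struct.pack("<I", 0xDEADBEEF)            # constructed disk signature
    mbr += b"\x00\x00"                              # reserved / copy-protect flag
    mbr += entry(True, 0x07, 2048, p1_sectors)
    mbr += entry(False, 0x07, 2048 + p1_sectors, p2_sectors)
    mbr += bytes(32)                                # two empty entries
    mbr += b"\x55\xAA"                              # boot signature
    assert len(mbr) == SECTOR
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode the partition table and run the consistency checks a rootkit
    scanner makes: boot signature present, exactly one active partition,
    no overlapping partitions, plus a hash of the boot code for comparison
    against a copy from a known-clean install of the same Windows version."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    result = {
        "signature_ok": mbr[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "partitions": [],
        "warnings": [],
    }
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue  # empty slot
        if status not in (0x00, 0x80):
            result["warnings"].append(f"partition {i + 1}: invalid status byte 0x{status:02x}")
        result["partitions"].append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    if not result["signature_ok"]:
        result["warnings"].append("missing 0x55AA boot signature")
    active = [p for p in result["partitions"] if p["active"]]
    if len(active) != 1:
        result["warnings"].append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(result["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            result["warnings"].append(f"partitions {a['index']} and {b['index']} overlap")
    return result


if __name__ == "__main__":
    # On a live Windows system the 512 bytes come from
    # open(r"\\.\PhysicalDrive0", "rb").read(512), run as administrator.
    report = parse_mbr(build_sample_mbr())
    for p in report["partitions"]:
        print(p)
    print("warnings:", report["warnings"] or "none")
```

The structural checks catch a damaged or inconsistent table; they do not by themselves prove the boot code is clean, which is why the hash is there to compare with a trusted copy rather than against a value hard-coded here.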


Very late last night I ran a quick avast scan and it found two decompression bombs that it couldn't scan. A few days ago I did increase my sensitivity settings. Test whole files was unchecked & the suspicious behavior HIPS monitoring was set to one bar now two. Could this just be a mistake because I changed these settings and what scans should I run next to verify it is or isn't a real virus?

I attached a screenshot below of what the infection inside avast scan history looks like. I'm running Windows 8.1 & both it & Avast are always up-to-date. This is just a cheap best buy laptop but here's the specs I was able to find out that are also on my profile. CPU: Intel i3-3130M, 4GB RAM, Intel HD 4000 Graphics, Firefox Browser, Logitech M100 Mouse, 678GB HDD.


Hi, I hope I'm posting in the right place:

Lenovo t400
Vista 32 OS

A day ago I started getting browser redirects to happili.com

I ran malwarebytes, which found the (apparent) Trojan and needed to reboot to remove it, however on reboot I recall there was an issue and the browser redirects continued.

Malwarebytes could no longer find anything though, and neither could Spybot S&D, or TDSSKiller.

I searched around and found a suggestion to try panda securities free remover for that (pretty sure it was Panda Anti-Rootkit). I ran it and it requested a reboot - said something about a library or dll file perhaps? I don't remember exactly.

Now however when I try to boot after I login at the vista users login screen I get a blue screen that says it is shutting down to protect my system. It will then continue doing this unless I try to go to safe mode -- then i am forced to go directly to lenovo's thinkvantage rescue and recovery.

I am afraid to try anything else without further advice. I'd like to not have to restore my system if possible but can't even boot to safe mode.

If someone can help me out of this jam I'd be forever grateful.

Edit: the more I Google around about this the more I think the Panda Anti-Rootkit caused the issue (maybe because not compatible with system?)

A: Trojan removal attempt -- now real problems

Hi,
Please do the following:
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive let... Read more


This morning while running simultaneous scans with Malwarebytes and SuperAntiSpyware, Avast popped up a "Threat Detected" message on the file dds.scr. It was in my Downloads folder. I have never heard of it and did not intentionally download it, so I let Avast put it in the Virus Chest.

A subsequent boot scan found additional infected files. Specifically,

A0005880.scr - in a system restore file
A0005885.scr - in a system restore file
errorfix.exe - in the Downloads folder
FFDShow_Setup.exe - in the Downloads folder

I discovered (from Bleeping Computer) that errorfix is a PUP. But what about the others? I assume the .scr files are screen savers or something similar. FFDShow is a codec file, I think. Is it also a PUP? Yes? No? If they're infected, why did Avast allow them to be downloaded instead of blocking them?
 

A: Solved: Avast - real malware or false positives?


Hello --
We got the following ATA alert on a Windows 10 Enterprise Direct Access Enabled laptop which was doing a FAST ring build over build upgrade to Windows 10 Enterprise 10122 this morning:
X.X.X.X (ATA Management Server IP)/suspiciousActivity/376844bd2334dcaab3034733
W10LAPTOP (X.X.X.X)'s Kerberos tickets were stolen from DASERVER (X.X.X.X) to W10LAPTOP (X.X.X.X) and used to access ldap/DC.domain.local/domain.local.

Laptop is: W10LAPTOP. Windows 2012 R2 Domain Controller is DC.domain.local. Windows 2012 R2 Direct Access Server is DASERVER.
We guess this may be a false positive and want to confirm if we need to add ATA exceptions in a Windows 2012 R2 Environment with a Direct Access Server? If so, please explain exactly the exceptions needed. If not, we can provide all requested log files
as needed.
Thank You


I am running ComboFix on a Dell Dimension 4550 with XP Pro SP3. I've run into this a couple of times before. This time I need to make sure because one of the real time scanners being reported as active is: VirusRanger 3.2. I am unable to find any reference to VirusRanger in my Registry or Hard Drive. Is this a false positive? Where, and how, can I find the reference to this being active? How do I remove this if it is a false report?
Thanks

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

A: ComboFix false detection of real time scanner(s)

If you suspect ComboFix is falsely detecting a legitimate program, please report it here. sUBs, the developer, has been monitoring that topic and may request you to submit a sample.


Hey Guys,

I would greatly appreciate some help here:
Program: HitmanPro.Alert v3.0.41 build 187. It intercepted an attack in the latest version of Firefox (38.0.5) about 30 minutes ago, Flash player is up to date, no Java, etc.- I got a detection during the worst possible time. I was doing online banking with Both Checking, Savings and a Credit Card account open in the browser. (The detection pop-up occurred when I think I was clicking on a page on my banks website).

HitManPro scan came up clean this time. I am a bit concerned about ESET. I will be doing a scan w/ it and MBAM free.

Is anyone experiencing a lot of DEP attacks in Firefox?

I am using Windows 7 64-bit SP1 up-to-date
ESS 8
MBAM Free
HitmanPro.Alert.

The code it provided was written in hex. I took a screenshot, and copied/pasted the text it displayed.

I am looking for advice: was it a FP? How can I tell? What do I need to do Now?

Thank you!!!
 

A: HitmanPro.Alert - False Positive Detections during Online Banking- FP, or the real thing?

If you are a paid customer, then open a SurfRight support ticket...

Very difficult to say if false positive or not.
 


In preparation for buying something online, I decided to run my standard array of scans (Avast! Antivirus and Sophos Anti-Rootkit). Avast found nothing, but Sophos gave me inconsistent results. First I tried running it in Safe Mode, but got a "Fatal error" message. So I ran it in normal mode and it found a rootkit. When I ran Sophos again at first it turned up nothing, then the next time I got another "Fatal error" message. If I remember correctly, I had Firefox running when Sophos found the rootkit, don't know if that would affect anything. I can't remember what the rootkit's name was, but when I Googled it only two results came up, one of which said something about amvo.exe.

These wildly inconsistent results are giving me heartburn. Any help would be appreciated.

A:Rootkit Or False Alarm?

http://www.sophos.com/security/analyses/vi...sillyfdcbr.html

Show Hidden Folders/Files
Open My Computer.
Go to Tools > Folder Options.
Select the View tab.
Scroll down to Hidden files and folders.
Select Show hidden files and folders.
Uncheck (untick) Hide extensions of known file types.
Uncheck (untick) Hide protected operating system files (Recommended).
Click Yes when prompted.
Click OK.
Close My Computer.


I have an XPP box that had the OS reinstalled with a complete reformat of the HD. ComboFix is telling me there is a rootkit still on the box. I've run it several times with the same message. I've also downloaded and run: McAfee Rootkit Detective, AntiRootkit, PAVARK, RootkitBuster, RootRepeal, TDSSKiller, GMER and Kaspersky. All of these find nothing.

Who is telling the truth?

A:False Positive on Rootkit?

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review your topic and do their best to resolve your issues. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting... Read more


Today I was scanning my computer, making sure it was clean. I made a full scan with MBAM, a quick scan with avast Internet Security, a quick scan with SUPERAntiSpyware and some scanning with Spybot S&D. I finished off by using the BlackLight anti-rootkit tool, just for the sake of conscience really.
Then BlackLight said it had found 2 hidden files...

I found out these files were files belonging to the sandbox of avast Internet Security.

Are these files harmless being in the sandbox, or should I delete them or rename them??

here is the scan by blacklight:

11/21/10 19:11:50 [Info]: BlackLight Engine 2.2.1092 initialized
11/21/10 19:11:50 [Info]: OS: 5.1 build 2600 (Service Pack 3)
11/21/10 19:11:50 [Note]: 7019 4
11/21/10 19:11:50 [Note]: 7005 0
11/21/10 19:11:53 [Note]: 7006 0
11/21/10 19:11:53 [Note]: 7011 400
11/21/10 19:11:53 [Note]: 7035 0
11/21/10 19:11:53 [Note]: 7026 0
11/21/10 19:11:53 [Note]: 7026 0
11/21/10 19:11:58 [Note]: FSRAW library version 1.7.1024
11/21/10 19:12:03 [Info]: Hidden file: c:\## aswSnx private storage\snx_rhive
11/21/10 19:12:03 [Note]: 10002 3
11/21/10 19:12:03 [Info]: Hidden file: c:\## aswSnx private storage\snx_rhive.LOG
11/21/10 19:12:03 [Note]: 10002 3

A:Do I have a rootkit or is it just false alarm?

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

I believe those hidden files are related to avast anti-virus (C:\Windows\SysNative\drivers\aswSnx.sys). Most references I found are on Finnish, German or Italian forums where users have avast installed, but it is mentioned as an avast file at Wilders Security forums.

What specific issues are you having that require a request for assistance with malware removal? Please describe any problem(s) in detail, as they could provide a clue as to whether your issues are malware related or not.


Here's a bit of background. Yesterday, I decided to try to use my Xbox controller as a gamepad, assuming Plug & Play would recognize it immediately and I'd be good to go. Turned out, I needed a driver. So, I hopped on google and arrived at a site that looked... well, questionable. Against my better judgement, I clicked to download a driver, and... nothing happened. Or so it seemed at the time.

I went back to Fallout 3 on the Xbox, and when I looked over a few minutes later, my computer was going nuts. My desktop background had been changed to an image warning me that everything I typed was being logged, and I was getting further warnings from a phony "antivirus" program that had popped up down by my computer's clock. Clearly, something was wrong. I opened up task manager and immediately noticed b.exe. A few swift moves later, this virus and the fake antivirus had been removed from the system (though the latter has since returned twice). When I booted back up from safe mode, ESET's Nod32 told me that it was able to quarantine an olmarik.hq trojan and an exploit.gen trojan, but that it could not clean this rootkit.odg trojan.

I managed to get dds.scr to run, and I have saved both logs and zipped them up. I could not get gmer.exe to run at all (I even gave it a few hours and tried it in safe mode, just in case; neither worked). I also attempted to install Malwarebytes, but to no avail. I've managed to backup everything important to me, and I am ready and wil... Read more

A:rootkit.odg Trojan problems

I'm leaving on a five day trip, so someone with the authority to do so should close this thread. I'll post a new one on my return with the same information and any updates I might have.


I am using XP SP3 fully updated and AVG Internet Security 2011, also fully updated. Running the antirootkit utility I get a warning:

Object name: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Detection name: Service function NtUnloadKey hook -> uphcleanhlp.sys +0x75C
Object type: file
SDK Type: Rootkit
Result: Object is hidden

When I instruct the utility to remove it, it requires rebooting. This done, however, here it appears again (also if I try in safe mode). I have got in touch with the support services but no news yet, about a week later. GMER also detects it but it does not remove it either. Other antirootkits do not even find it. Any ideas? Also: any comments as to what this bug does / can do / how nasty it is... or (keeping fingers crossed): is it a false positive? Any suggestions about a specialized forum / webpage to submit it will also be welcome. Thanks in advance.

psicutrinius


I am attaching the latest ComboFix log. This is the first time I've ever had to ask for help to remove malware. I started with a Kaspersky rescue disk from USB and it found quite a bit. Then I ran ComboFix and it detected rootkit.zeroaccess in the TCP/IP stack. After that I've run TDSSKiller, Bitdefender's ZeroAccess remover, Bitdefender's top 100 for December, Malwarebytes, SUPERAntiSpyware etc. and they either found nothing or very little. But every time I run ComboFix it still says there is rootkit activity. I am attaching the latest ComboFix log to see if you can help. The computer is behaving fine and has internet access. I just want to make sure it is clean.

Thank you.

A:rootkit.zeroaccess - false positive ??

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about y... Read more


About a week ago Firefox froze up and couldn't display any pages on the internet. I ran some programs and could not find anything until I ran ComboFix (I know, I know!) and it said it found rootkit activity and would reset the computer. After the computer reset it would do a complete scan and find nothing. Out of curiosity I ran the scan again and it found rootkit activity, and after it reset it found nothing. Just to be safe I flashed the BIOS, put in a Windows SP3 boot disk, did a fixmbr, reformatted the hard drive, and reinstalled Windows. After getting everything back up and running I did a ComboFix scan and found nothing. I did nothing else to the system except allow Windows Update to run. The next day I did a ComboFix scan and it detected rootkit activity. I've gone through these steps several times now and keep getting the same thing. I've done scans with many different rootkit scanners and they found nothing until I tried RootRepeal and found this in part of the log:

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

So Combofix and Rootrepeal keep finding something, where no other malware scanners are. I scanned atapi.sys on the virustotal website and found nothing. My system is not really having any strange behavior anymore, but was wondering if there is sti... Read more

A:Returning Rootkit or False Positive?

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review your topic and do their best to resolve your issues. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that... Read more


About a week ago Firefox froze up and couldn't display any pages on the internet. I ran some programs and could not find anything until I ran ComboFix and it said it found rootkit activity and would reset the computer. After the computer reset it would do a complete scan and find nothing. Out of curiosity I ran the scan again and it found rootkit activity, and after it reset it found nothing. Just to be safe I flashed the BIOS, put in a Windows SP3 boot disk, did a fixmbr, reformatted the hard drive, and reinstalled Windows. After getting everything back up and running I did a ComboFix scan and found nothing. I did nothing else to the system except allow Windows Update to run. The next day I did a ComboFix scan and it detected rootkit activity. I've gone through these steps several times now and keep getting the same thing. I've done scans with many different rootkit scanners and they found nothing until I tried RootRepeal and found this in part of the log:

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

So Combofix and Rootrepeal keep finding something, where no other malware scanners are. I scanned atapi.sys on the virustotal website and found nothing. My system is not really having any strange behavior anymore, but was just curious at to what is going on her... Read more

A:Returning Rootkit or False Positive

Please follow the instructions in ==>This Guide<==. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. Once you have created the new topic, please reply back here with a link to the new topic.


Hey there - I've recently been infected with the Trojan virus. My Symantec Antivirus 'Auto-Protect Results' window shows up every few minutes with new threats/infections that include: Trojan.Gen, Trojan.Gen.2, Trojan.Zeroaccess.B

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_29
Run by G at 17:10:03 on 2012-08-24
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1097 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program ... Read more

A:Symantec Antivirus detects numerous counts of Trojan.Gen/Trojan.Gen.2/Trojan.Zeroaccess.B Virus Infections

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more


Hello, my name is Tom. Earlier this morning, while surfing the web via Firefox, a false virus scanner popped up with a security alert in the taskbar. It had somehow installed itself, possibly from Firefox or from my email. It said I do not currently have a firewall running and suggested installing one. I started Microsoft Security Essentials to find it. I disconnected my internet access to keep it from calling for help. Then the false scanner popped up showing a scan in progress (one of those that shows umpteen thousand viruses found).

I found it and shut it down using Task Manager (wasn't smart enough to remember/make note of the program name). The program restarted, Firefox crashed and I was unable to start Firefox, Internet Explorer or Google Chrome. No other programs crashed that I could see. Before Security Essentials completed ITS scan the computer bugged out and I eventually had to reset it.

Upon reset I found that no programs at all would run. I would only get something like the following error message:

-The procedure entry point mswsock.migratewinsockconguration could not be found

I searched for solutions on my iPod, but most required internet access to download RKill or HijackThis. After a bit of mucking about I realized I could open pictures. So I right clicked a picture > open with > Internet Explorer and managed to download Rkill.exe. When I ran it, it killed one process and I could launch .exe files once more. I found TechGuy, registered and now woul... Read more

A:false virus scanner- probable rootkit


Every time I run ComboFix, it says it has detected rootkit activity, reboots, then warns that the ZeroAccess rootkit has been detected. Multiple runs still say the same thing. I've thrown everything I can find at it; nothing else shows the rootkit. I've attached an OTL log and am ready to provide whatever information you need.

I ran OTL with "all users" checked, and:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
wininit.exe
hlp.dat
/md5stop

It did not generate a minimized "extra.txt"?

System info:
XP Professional SP3
2.4 Dual core, 2gb ram.
Thanks for your time.

A:False Positive from Combofix? Zero-Access rootkit

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about y... Read more


Hi,

Today I ran Malwarebytes Antimalware and it announced I had one infected file, which supposedly was infected with rootkit.0access.

I had Malwarebytes remove the infected file. I then ran RogueKiller (log attached). Could someone explain what this log means? It seems to say that there are no infected files, but there are some suspicious registry entries. Could this have been a false alarm? Or should I change all my passwords now (major hassle)? Repeat scans by Malwarebytes and MS Security Essentials showed no infected files.

Subsequently I also ran Combofix, and I messed up somehow when running it, resulting in my computer not being able to connect to the internet any more. So I had to restore my entire C-drive from a backup made a year ago using Acronis. Does this guarantee the infection has gone away, assuming future Malwarebytes scans are negative?

I would greatly appreciate any help.

Best wishes,

MM

UPDATE: I ran another Malwarebytes scan and the same (supposedly) infected file is back already, even though I just restored my entire C: drive from a backup I made a year ago. Can this be real? I mean, if this is a real infection, shouldn't there be more than just one infected file? I'm attaching my DDS and Malwarebytes logs. I would appreciate any help!

A:Infected with rootkit.0access? Or a false alarm??

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more


An interesting one here:

I've suspected for a while that there's been something not quite right with my system - it's periodically stupidly slow, despite constant defragging etc. Most of all, the internet connection seems to be being used all the time by something over and above what I'm doing, and cutting down on my bandwidth. The icon in the taskbar is always a right light blue whenever (and as soon as) I get connected.

I thought at first it might be rustock, but I did some research and it doesn't seem like it. Over the last few days I've been scanning with everything under the sun, but they haven't found anything except a couple of things in zip archives that NIS hasn't let install off of sites. Oh, and they've picked up each other, as well, which is fun.

Anyway, the only thing to give me a clue was GMER, which came up with some SSDT entries (just numbers in the left pane, and I don't actually know what SSDT is); and one ADS - in C:\Documents and Settings\All Users\Application Data\TEMP:8FB6501C

So I tried to delete that a few times, but every time, it came straight back after restart. Nothing else gave me any indication of anything, until I downloaded this program today called ADS spy. It found the same entry (102 or 103 bytes, I can't remember), and also, once I'd deleted it and scanned again, some hidden stuff in my recycle bin.

Here it is:

C:\RECYCLER\S-1-5-21-527237240-1343024091-1859301939-1003\Dc4\poo... Read more

A:Subtle and confusing rootkit infection, or false alarm?

Oh well, it doesn't matter now, anyway. I started getting a bit further into it, after layers and layers of gmer and ADSspy (each one stripping away another layer), I found a hidden registry entry in CurrentControlSet; and as soon as I deleted that, laptop crashed and my hard drive no longer existed.
 


Every time I run ComboFix, it says it has detected rootkit activity, reboots, then warns that the ZeroAccess rootkit has been detected. Multiple runs still say the same thing. I've thrown everything I can find at it; nothing else shows the rootkit. I've pasted an OTL log and attached a gmer.log, and am ready to provide whatever other information you need. I ran OTL with "all users" checked, and:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
wininit.exe
hlp.dat
/md5stop

It did not generate a minimized "extra.txt"?

System info:
XP Home Edition SP3
2.0 GHz CPU, 2GB RAM.
Thanks for your time.

I have attached gmer.log (quick scan) and pasted otl.txt (all users).

OTL logfile created on: 7/28/2014 3:02:37 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Home\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.99 Gb Total Physical Memory | 1.24 Gb Available Physical Memory | 62.16% Memory free
3.84 Gb Paging File | 3.11 Gb Available in Paging File | 81.13% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 218.75 Gb Free Space | 73.39% Space Free | P... Read more

A:False Positive from Combofix ??- Zero-Access rootkit Detected

Hello moddman, welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

Download RogueKiller on the desktop
Close all the running processes
Under Vista/Seven, right click -> Run as Administrator
Otherwise just double-click on RogueKiller.exe
... Read more


Hello, as per instructions from my previous thread, I'm making this new one with my computer problems.

Before, I had rootkit problems that somewhat expanded and became rootkit plus Trojan problems. However, MalwareBytes and SuperAntiSpyware seemed to have removed most of the problems (icons not remaining in place on desktop, unable to open/run Opera, My Documents + Computer settings not saving, weird background noises when nothing is running/open, etc). While all of those problems were resolved, I recently had one issue that came up, and just last night caught on to another potential problem.

For at least a couple of weeks now, my computer has been unable to connect to the internet. I thought the problem was with Comcast or the modem itself (the light would only flash orange) and they took me through some steps, but that resolved nothing. After a while, I tried to connect with the PS3, which didn't work either initially, but it did a couple of days after. Just last night, I tried to use a CD, but my computer did not at all acknowledge that I was putting in a CD at all. As I looked into it, I realized it said the driver was probably corrupted or damaged, and apparently my only option was to reinstall.

I followed the instructions from the guide linked from the old thread, and while both DDS and Gmer scanned my computer, there were a couple of small problems with Gmer. When I first open it, the following message appears:

LoadDriver( "C:DOCUME~1\Martina\LOCALS... Read more

A:Internet problems, previous rootkit and Trojan issues

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461498 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


re I even knew it, or something much worse?
 
Running Windows 8.1 on an HP Pavilion 500-054. I started freaking out when Avast Antivirus told me it actually detected something yesterday when I was completely clean as recently as a bit before last week.

I tried repairing, deleting, moving to the virus chest, all of them had an error. At first the scan told me it had to reboot to fix the problem but when I opened up the scan history again it didn't tell me the problem was fixed, the same message telling me to reboot remained. I'm intending to uninstall the program this rootkit was found in (Droid4x, an Android emulator) but in case that might make the situation worse I'm holding off on that idea. I'm also hesitant over backing up my files and reformatting my drive or something on the idea that the rootkit will just come along with everything else when I restore the files anyway if it's there.
 
Went on to scan after running rkill.com (which told me it had no malware to actually stop) with Malwarebytes with rootkit scan enabled on in safe mode, then Malwarebytes Anti-Rootkit, then TDSSKiller, they caught nothing at all. When I tried scanning with Avast again, the very same rootkit couldn't be found. I then tried to get a second opinion off of HitmanPro and it didn't find anything... aside from suspiciously marking TDSSKiller as malware. Strangely, TDSSKiller also only scans a small number of files (around 500), even though I have hundreds of thousands of files... Read more


Hi, on my Vista laptop, I have recently received a rootkit through a fake flash player update. Not only do I get redirects whenever the internet decides to work, but also the flash updater window has appeared on occasion and begun to install more things without permission. Of course, I have cancelled those false windows and attempted to uninstall flash altogether. Now I am just getting redirects/slow internet and need some help removing it because I am personally a malware noob. The main redirect is something along the lines of delivery.jemacpv; also note I must complete everything from a flash drive at the moment because none of the updates or downloads are working on the infected computer. Here is a DDS log from safe mode with networking. The attached GMER log had to be done in safe mode with networking, and it successfully completed on a second attempt. The first attempt in safe mode it blue screened and shut down. The GMER log was too big to attach. Want me to host it some other way? This post is from a non-infected computer. Thanks in advance!

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.0.0
Run by Administrator at 10:45:07 on 2012-07-06
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1014.537 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee An... Read more

A:Google Redirect Rootkit via False Flash Player Update

hi,
Please run the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Boot Menu:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Repair your computer menu item.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Choose your language settings, and then click Next.
Click Repair your computer.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool: Scan your computer's memory for errors.
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with the drive letter of your ... Read more


I've been having trouble with a very nasty virus/spyware something. So far the only way I've been able to completely remove it is by formatting. I'm pretty sure it keeps reinstalling on me from an external USB drive that I've tried to clean and get data back from. I'm not entirely sure what it does, but the most annoying thing is it messes up my internet and IP addresses, so that I've had to factory reset my modem and start entirely over with my network. It also seems to make multiple user accounts and changes permissions on some of its important files. And it creates a lot of files that are well camouflaged and may have taken information from my PC when creating the file names.

I believe the virus originally was a "windows defender" fake anti-virus. In my trial and error attempts to remove this myself I think I might have crippled it, so that only parts and pieces of the virus install, making it very hard to find where exactly the problem is at. Anyway I'm eager to learn how to clean this system up and keep it protected, so I've (hopefully) followed the instructions and made logs of the nitty gritty. Any help would be greatly appreciated!

This is just my personal PC. I have not made a home network per se; there is no file sharing, but whatever it does to this PC seems to affect any laptops trying to connect wirelessly to my router.

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, 64 bit
Processor: Intel(R) Co... Read more


I recently removed these two infections using SuperAntiSpyware. My computer is still acting odd, including some services (DHCP, Wireless Zero Config and Themes) not starting automatically as they are set to do. Those two scans are attached. I have also already run OTL and those logs are attached also. I was running GMER but I started getting a bunch of errors including delayed write errors, a blue screen flashed up (all of this happened very quickly) and then my system rebooted. I noticed in another post that you had the user uncheck IAT/EAT, Drives/Partitions other than SystemDrive and Show All, but I had not done that. I should also add that new tabs are being spawned in Firefox without me clicking on anything. Clearly I am still infected by something. Thank you for your assistance.
Tim

A:Trojan.Agent/Gen-Nullo and Rootkit.ITGRDEngine removed, still have problems

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected. Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem. Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. We need to create an OTL report. Please download OT... Read more


C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe Hiddenprocess

When I ran BD 10 rootkit finder the above exe shows up.

Using SM 7 itself, it says this is an essential yet hidden process from iolo.

BlackLite from F secure also detects it and gives a rename option.

My guess is this really is needed but why the hidden process?

Advice please.
 

A:Help! Systems Mechanic 7 Is this real Rootkit?


Hi guys. My computer is in serious need of some virus medication. It has been infected by numerous Trojans, worms, and other spyware, I'm sure. Here are some examples that are in the "Virus Vault" of AVG Free 8.5:

Trojan horse Agent_r.MM (3)
Trojan horse BackDoor.Generic_r.DJ
Trojan horse SHeur2.AFAA
Trojan horse SHeur2.AFWV
Trojan horse SHeur2.AFXC
Trojan horse SHeur2.AFAA

As you can see, it's overwhelmed. I don't have the money to purchase any of the top line security programs, so I'm somewhat S.O.L.
Here is the DDS log:
DDS (Ver_09-05-14.01) - NTFSx86
Run by zaccc at 21:28:39.31 on Sun 05/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.149 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointServic... Read more

A:Numerous Trojans.

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


To the dearest staff here, I really really really need your help. My computer has gone haywire, and it seems to me it has contracted millions of trojans and viruses and I am just oh so overwhelmed. I need to fix this soon so I can do my work. I think these trojans got on my computer when a forum I was using was hacked and some iframe was put in that led me to a trojan or virus at every page I clicked. That's maybe why I have so many problems. BAH. I started getting system alerts and warnings this afternoon and they wouldn't stop. I've been browsing around the internet for a while, and I've followed some outside advice, and some advice from here. I ran Smitfraudfix.cmd and did option #2 cleanup. This was the report:

SmitFraudFix v2.240

Scan done at 18:55:20.46, Thu 18/10/2007
Run from C:\Documents and Settings\Chungy.KAMPINGHO\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»»... Read more

A:Help. Numerous Trojans Ie. [email protected]

I also scanned using ComboFix. Here's the report:

ComboFix 07-10-18.6 - Chungy 2007-10-19 1:27:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT 10:00]
Running from: C:\Documents and Settings\Chungy.KAMPINGHO\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Chungy.KAMPINGHO\Application Data\searchtoolbarcorp
C:\Documents and Settings\Chungy.KAMPINGHO\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Chungy.KAMPINGHO\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Program Files\Hammer.dll
C:\Program Files\vsadd-in
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\emytgaik.dll
C:\WINDOWS\SYSTEM32\hjkmp.bak1
C:\WINDOWS\SYSTEM32\hjkmp.bak... Read more


Hi guys...
Please do help me!
I ran a Symantec full scan on my Windows Vista Home Basic.
It found many Trojan viruses: Trojan horse, trojan Zlob, trojan.adh.
One of them can't be cleaned or deleted. File name is java plugin.exe

I ran hijack this and the log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:01, on 2011/2/18
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18565)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SingTel\McciTrayApp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\wuauclt.exe
C:\Program ... Read more

A:Help numerous Trojan horse detected

Decided to bump my post back up as it has been more than 24 hours. So sorry! But I do need help with this. Thank you so much in advance!
 


I had some recent computer troubles that caused me to reinstall Windows with file backup (all files are copied to a folder within the new Windows installation). The fresh installation ran for about a day before I got around to installing Avira AntiVirus, and a reboot or two after that the virus warnings started popping up. What troubled me the most about this is the fact that Avira is detecting the virus within its own files, which makes me nervous about my course of action. So I am turning to you kind people in hope of a little help. Seems most posters are asked to run HijackThis and paste the log file, so I have already gone and done that below. Avira is detecting a virus called Drop.Agent.dgo.21 (I think the last number changes sometimes). I ran a full system scan with Avira and it detected the virus in about 11-13 locations, including itself. If there are any other questions I will try to answer them the best I can, thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:18 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOW... Read more

A:Numerous Trojan detections after reinstalling XP

There is also some file called "jkklk" that I believe was one of the first areas of detection, after the Avira program, and on my System Configuration Utility it popped up as a Startup item.
 


Help.... I am having numerous problems with my laptop and appear to have a number of viruses that I cannot get rid of, including 'hamehalu', 'Fraud.XP', 'PWS.LDPinchIE' and 'fopijunu.dll' among others. Can you assist?
I have run ACG 8.5, CCleaner and Spybot but cannot get rid of them.

A:Numerous Trojan/Virus issues

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Whenever I turn my laptop p.c. on my real-time protection is turned off. After I turn it back on and start my computer the next time it's turned off again. This has been going on for about a week.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16736  BrowserJavaVersion: 10.51.2
Run by Desktop at 16:41:58 on 2014-03-18
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.64.1033.18.7990.5072 [GMT 13:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\Hpservice.exe
C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe
C:\Program Files (x86)\Stardock\MyColors\WBVista.exe
C:\Windows\system32\svch... Read more

A:Infected with suspected rootkit that keeps turning my real-time protection off



Hello all. I seem to have picked up something nasty! I keep getting various continuous pop-ups about infections, security alerts asking me if I'd like to activate my anti virus now. The only anti virus I have is AVG free and this is not that. Although I managed at first to run AVG and it did detect and remove various infections (a couple of trojans were included) the problem continues and has also stopped me opening other applications. It continues to pop-up: - application cannot be executed file rundll32.exe is infected, do you want to activate anti-virus now? I haven't at any time clicked yes to these requests. The scans that I have attached the results from as instructed on this site I have only managed to do while starting my computer in safe mode as it wouldn't let me run them any other way. Oh, and when I ran GMER the first time, the computer screen went blue and it shut itself down; the second time nothing at all came up in the results. The virus first appeared at around 1900 on the 14 Aug. Would be grateful for any guidance.
Regards

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 21:55:40.23 on Sun 08/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1718 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svcho... Read more

A:Help! Numerous 'Security Alerts' Infected trojan?

Hello, and to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems. I will be working on your malware issues; this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer. The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen. Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one. You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you... Read more


I hobby with PCs. Sorta do what you guys do nationally but locally only. I do free hardware & software repair/support for those who need it. I also use donated/trashed stuff to build and give away desktops. Poor kids and seniors are my usuals although I do free stuff for others as well. Here's my current project: Laptop from secretary where I work. Not booting upon receipt. Worked through it until after removal of tons of viruses and trojan dwnldrs am left with following; (1) Spybot can not remove Wildtangent (3) entries PUPS (2) IE 7 works but something hijacks and opens (1) or (2) pages sometimes indiscriminately and always after initiating a search of any kind. One looks to be an "empty" browser page/window (note: not in a tab but a separate window) with no menu, address bar or anything else. It's just an empty "shell" with Windows Internet explorer in the Header and nothing else. The second varies but is most often looking for <hxxp://url.adtrgt.com>. It should be noted adaware and avg find nothing. Firewall and auto Updates have all been fixed. Also this started because McAfee was not renewed and not replaced either. Further it (the subsequent infection) apparently was allowed to fester until it actually totally killed the unit, blocking initial attempts to boot even into safe mode. Works now with only the aforementioned problems remaining. I might note here that I have never, until the last year (2008) seen infections as complex or as difficult to remove befor... Read more

A:Started with Viruses & Trojan Dwnldrs 2 numerous 2 list

Moderator please close this thread. I have completely resolved the remaining problems and have since returned the laptop to the secretary who by now has delighted her daughter with her repaired/disinfected unit. Further assistance will not be necessary. Thank your team for being there as an option. Sometimes knowing you have a fail-safe is enough to free your mind up to solve a problem. I really admire what you guys do especially when I consider the scale you do it on. Sooooooooooooo thanks again.
The AXEMan!


First issue, not able to connect to internet via wireless or ethernet (regular mode or in safe mode), no access to most programs via shortcuts, not able to open control panel or network settings. Through USB on my desktop I downloaded a lot of scanners (JRT, malware, adware, virus etc) so I have a lot of reports to deliver; just let me know what you want. I'm posting via my phone with laptop in front of me but the desktop is in the basement so I'll need a bit to copy results to USB and post from my desktop. Found a Java Trojan exploit bytverify that is in quarantine with KVRT. Vipre finds issues but is unable to clean. I used Revo Uninstaller and got McAfee and AVG off as both were giving pop-up error messages. I still have McAfee showing on the scans but no way of finding how to finish removing them. I used the AVG Uninstaller already, again using USB. Some scans won't fully load, giving a variety of error messages, one being a problem with Microsoft installer. This is a friend's computer that she was going to throw away because of the Internet issue so I am trying to recover it for her as a side project. Any help is appreciated as I am not a computer specialist but have become pretty good at troubleshooting and fixing common issues. I'm no pro but love tinkering with this stuff!

A:dell inspiron win 7 Trojan quarantine but still numerous issues

Welcome aboard

Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe. Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue. Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.

Please download MiniToolBox and run it. Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop. NOTE. If you already have MBAM 2.0 installed scr... Read more


I just got a new Asus Netbook with windows XP on it, about a week ago. I installed everything, did my windows updates and installed the Avira antivirus program as well as malewarebytes. Two programs I had on my previous computers that worked very well. Everything was fine until two days ago.

Avira found two items they quarantined during my scan. First it said I had an Rce.gen, and then a Vilsel.oty Trojan. I fixed that. And now every couple of minutes while online (on Firefox) I get avira quarantining a CRYPT.ZPACK.Gen Trojan. I have 8 of them quarantined right now. Avira says the file path for these are svchost.exe files and they are in the C:\Windows\Temp\ folder following a weird lettered tmp file.

I just got this netbook, and I don't go to anything but benign websites so I really have no idea how this all started.

Thank you for your help. I really don't know what to do, other than reinstalling my whole system. And from what I've read on the forums, it seems some people have been doing this and it hasn't helped them much.

I downloaded and installed hijackthis and saved a log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:32 PM, on 12/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\... Read more

A:Google Redirecting & numerous Avira Trojan popups


Initially I was hearing commercials even when not on the internet. Google goes where it wants and not where I tell it. A friend told me to run ComboFix, which I did. I have placed the results in this message. However, a response I received back from this forum told me to go to the preparation guide and follow directions. I did and could not get beyond step 6 because now I have a message that tells me that my current security settings do not allow the download. I am totally lost as to what to do.

ComboFix 12-10-09.01 - Dawn 10/09/2012 21:56:52.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1584 [GMT -5:00]
Running from: c:\users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EFIOS5Q2\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\OApps\bhO_project.dll
c:\program files (x86)\Retrogamer_2zEI
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:&#... Read more

A:numerous problems

Please run the following:
Please download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
When the window opens, click on Change Parameters
Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
Click OK
Press Start Scan
If Malicious objects are found then ensure Cure is selected
If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
