Infected With Msmsgs.exe(agobot-nl Worm)

Q: Infected With Msmsgs.exe(agobot-nl Worm)

Hello,
I started my computer today and I kept hearing these clicking sounds, the sounds were the clicking sounds whenever you click on certain items, and my screen would blink really fast once in a while, so I figured I was infected with something. So then I look at my processes running and I go through the processes and find msmsgs.exe, now at first I thought it could be the microsoft messenger, but I already uninstalled it so I knew it had to be the worm, or I thought it was. So then I did a search on it and found out that it was a worm but I couldn't find out how to remove it. If anyone could help me out I would really appreciate it. It sucks too because I just installed windows xp, I do have an anti-virus program called NOD32. Maybe I should get zone alarm too for the firewall? I know windows has its own firewall as well though, or at least for windows xp sp2. Here is my log file from hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:59 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

The weird thing is that for "O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe" states that it's the messenger, however from the reading I found out about the worm, it said that it installs itself in the registry, so I'm not sure how we are going to remove this dang thing! Thanks in advance.

Thanks,
Matt

A: Infected With Msmsgs.exe(agobot-nl Worm)

Update: actually I'm not sure if it is from the agobot-nl worm because of this link http://www.bleepingcomputer.com/startups/ type in msmsgs.exe

Matt

RELEVANCY SCORE 68.4

I don't know how I was infected, but I clearly remember my laptop was making some noises, as if it was transmitting something/communicating something with an outside source.

NOD32 caught the virus from causing further damage, but my system had been compromised. After restart, I was delivered with a glassy blue desktop, and my Documents folder was on top of it.

I started Task Manager (Ctrl+Alt+Del), and manually opened Windows Explorer. Task Manager would open with only a few processes, and I noticed one of them was "crss.exe." I googled looking for a solution, and Malwarebytes' Antimalware was highly recommended. After a series of scans, with Malwarebytes', NOD32, Spybot S&D, etc., most of the Trojan virus was quarantined and contained.

What remains is an ugly blue desktop after every restart, with my Documents folder on top of it. The only thing that changed after scanning and isolating the Trojan, the glassy blue turned more opaque. I have to do the same operation every time I restart, opening Task Manager, etc.

Another thing that I noticed was that I couldn't, and still can't, go into Safe Mode using the usual F8 route when restarting. To go into Safe Mode, I have to open MsConfig, click on Safe Boot, restart, and then click on Last Known Good Configuration. To get out of Safe Mode, I have to do it via MsConfig too.

One last abnormal thing: every time I open a new tab on Internet Explorer (7, and most recently, 8 beta), it opens to "... Read more

RELEVANCY SCORE 64.8

I get this constantly popping up from spybot:
Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________
 Ark.txt   1.88KB
  3 downloads

A:Agobot-ku Worm

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
DDS.pif
DDS.COM

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results.

Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed... Read more

RELEVANCY SCORE 64.8

Xoftspy says I have the Agobot-JS worm in my soundman file. No other spyware removal I've run mentions this. I am new to reading about spyware removal products but I am learning fast about false positives by reading Eric Howes rogue site and other stuff. Other spyware removal products also give me registry warnings for spyware, but not the Agobot-JS worm! I thought I would have someone check it out for me. ...... Agobot-JS, please.

I run Giant-Antispy, Diamond port scan, McAfee antivirus, ZoneAlarm firewall, Spyware blaster, and Window washer. How did I get the Agobot-JS?

Logfile of HijackThis v1.97.7
Scan saved at 1:19:49 PM, on 1/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomeg... Read more

A:Do I have W32/Agobot-JS worm?

RELEVANCY SCORE 64.8

Hi

My Anti Virus Program found something evil in my system. It found a Trojan that came from the AGOBOT-KU WORM! I think that I got it all in quarantine but I'm not sure so I'm posting a HJT log just in case.

Thanks for your help.
Wendy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:09 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm1... Read more

A:Agobot-ku Worm!

Hi Wendy

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AVAST or AVG.

=====

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language... Read more

RELEVANCY SCORE 64.8

Greetings!

The pc I am using now has been infected with Worm/Agobot.29.R virus. I use a free edition AVG Antivirus program but it was unable to delete or remove this virus in my system. As I know, no technical support will be given for those who are using a free edition program.

The infected path is C:\WINDOWS\SYSTEM32\winhlpp32.exe. And the AVG program said, the file cannot be removed.

Please help me to fix this problem. Thank you!
 

A:Worm/Agobot

http://forums.techguy.org/t110854.html Go here and do an online scan with Panda and Housecall
 

RELEVANCY SCORE 64.8

Recently I formatted my PC and installed a new OS (XP). The machine has 2 drives, one for business, strictly Simply Accounting files, and the other for everything else. I formatted the Master Drive and left the Slave alone.
I took the PC to my accountant so that he could transfer the simply accounting files across to his system, he said that as soon as he hooked my PC to his LAN he was notified that there was a virus!
When I got the PC back it was extremely slow when I looked at the processes it showed that winxtc.exe was taking up a chunk of CPU usage. So much so that the CPU usage at the bottom of the screen was at 100% !
So here's my question....how is it possible that a PC that was formatted then had new OS installed, nothing else loaded in could end up with this worm? Or did my accountant share his worm with my PC?
I went on line and found the removal instructions for this worm but can't find any information as to how the worm could remain on a PC that was formatted and had new OS installed.
 

A:How did the AGOBOT worm get into my PC?

RELEVANCY SCORE 64.8

Hi

Worm/Agobot.30.BR
My AVG has detected this virus and has got rid of it numerous times. However, it keeps on coming back. I have tried scanning with SpybotSD and the latest adaware too but to no avail.

What should I do?

Below is my hijack this log. Thanks in advance.

Logfile of HijackThis v1.98.2
Scan saved at 2:05:43 PM, on 10/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\D-Link\D-Link DSL-200I USB ADSL Modem\dslmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\internat.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycom... Read more

A:Worm/Agobot.30.BR

RELEVANCY SCORE 64.8

I have suspected that something was wrong with my laptop, my resources were bogging down right after I realized that my ISP was no longer using the services of Computer Associates for our "included" antivirus protection and apparently didn't update for nearly 2 weeks before I investigated and found this out on my own! ugh. I did every step in the prep guide here for the malware/spyware. I then went to the process library website to check each process on my task manager to see if there was anything that didn't seem "right". Well, when I got to the smss.exe process, it shows that it is actually the AGOBOT Worm? None of the programs seem to catch it. Can you help me?

I'm running Windows XP Media Center Edition on an HP Pavilion dv8000, Avast antivirus is the software I've been using recently.

thanks in advance.

also, I notice in my running processes quite a few of the svchost files, is it normal to have quite a few?
I ran the kaspersky scanner and it came up with 2 viruses and 4 infected objects. But it doesn't show which viruses?

here's the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 8:37:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 620192
... Read more

A:Agobot Worm?

Hello, run this scan it will produce an easier to read log for you.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop .. DO NOT run yet.

Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)

Using the F8 Method
Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure... Read more

RELEVANCY SCORE 64.8

Hey, I have scanned many many times and deleted these agobot worm or virus, but they keep coming back. I have scanned with AVG, House call and norton but none of em helps......help me to get rid of this virus/worm please

Logfile of HijackThis v1.99.0
Scan saved at 10:18:18 PM, on 12/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Opera\opera.exe
C:\download\htj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startsiden.no/
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AV... Read more

A:Worm Agobot!!!

Please post back to your other thread dealing with this same problem, DO NOT start a new thread.
 

RELEVANCY SCORE 64.8

Can't find anything that works to get rid of this worm.
Here's a logfile of hijackthis for ya'll.

Logfile of HijackThis v1.98.2
Scan saved at 11:08:05 AM, on 9/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system\csrss.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\System32\r_server.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googl... Read more

A:Worm Agobot.15.Q help plz:(

RELEVANCY SCORE 64

Hello I hope you can help me to get rid of a worm I have on my system. I ran AVG 6.0 and it identified that the worm Agobot.17.bu was in a file called C/windows/system32/msawindows.exe I have tried to remove it but AVG cannot move the file to the virus vault. I have downloaded other antivirus programs but they do not find the virus. I have downloaded Norton AV and firewall package but cannot link to their website to get the update to make it work. I have also downloaded the latest critical updates from microsoft.

After reading a couple of posts by other members I have downloaded Hijack This and the report follows. I would appreciate any advice on how to rid myself of this worm as it's driving me nuts.

Many thanks

Logfile of HijackThis v1.97.7
Scan saved at 23:04:38, on 17/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\msawindows.exe
C:\Program Files... Read more

A:Agobot worm problem

RELEVANCY SCORE 64

Greetings!

The pc I am using now has been infected with Worm/Agobot.29.R virus. I use a free edition AVG Antivirus program but it was unable to delete or remove this virus in my system. As I know, no technical support will be given for those who are using a free edition program.

The infected path is C:\WINDOWS\SYSTEM32\winhlpp32.exe. And the AVG program said, the file cannot be removed.

Please help me to fix this problem. Thank you!

Operating System: WinXP
 

A:Solved: Worm/Agobot

Restart in Safe Mode and run AVG there. You can also try manually deleting the file in Safe Mode. When you return, give us a copy/paste of a HijackThis scanlog as well:

http://www.net-integration.net/tools/hijackthis.html

How to start in Safe Mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

It might also be a good idea to follow these instructions from Symantec on disabling the System Restore cache while you run the Antivirus scan. Then re-enable it to set a fresh check point:

http://service1.symantec.com/SUPPOR...5065b3834b10031488256b0900255ea7?OpenDocument
 

RELEVANCY SCORE 64

I hope someone can help me.
I have run Housecall and it came up with the 2 viruses in the title bar and cannot delete them.

The Worm AGOBOT is in C:\Windows\System32\explored exe.
The DOS AGOBOT is in C:\Windows\System32\drive....

This is my first posting and I hope I have provided enough information.

Thank You
CBstir

p.s. I am running Windows XP
 

A:WORM _AGOBOT.QF & DOS AGOBOT .HM

Do this:
go to http://www.lurkhere.com/~nicefiles/ , and download 'Hijack This!'.....
Unzip it to its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.
 

RELEVANCY SCORE 64

I am trying to fix my mom's computer after noticing it ran slower than my 256 MB RAM one, when this one has 728 MB RAM. Found suspicious (really) entry in the Startup section of Spybot S&D. It is blank. The whole line is blank. I highlighted it and Spybot tells me it's system32.exe added by the AGOBOT worm. Here's an HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 9:38:49 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\H... Read more

A:Solved: AGOBOT-KU Worm?

RELEVANCY SCORE 63.6

I'm running Windows XP, Home edition, version 2002, SP3.  I just ran Spybot and it found this in my startup files.  It listed a series of .exe files it might be (system32.exe, pathex.exe, svchost.exe), but when I did a search for them, I found none of the ones listed.  The entry itself is blank.
 
My system has been bogging down, and my browser (both Firefox and Chrome) crash regularly.
 
Please help.
 
 

A:AGOBOT-KU Worm installed on my computer.

Please download TDSSKiller from here and save it to your Desktop
Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters
Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
Click Start Scan and allow the scan process to run
If threats are detected select Skip for all of them unless I instruct you otherwise
Click Continue
Click Reboot computer
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply
Due to forum upgrade you may face issues posting the TDSSkiller log. Just last few lines of log is sufficient

===================================================

RKILL

Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
Link 1
Link 2
Link 3
Link 4

In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
A black screen will appear and then disappear. Please do not worry, th... Read more

RELEVANCY SCORE 63.6

Ok, I've gone through the other posts that have the same problem as I do, but to no avail, it's still been here for the past 5 hours.

Logfile of HijackThis v1.97.7
Scan saved at 3:40:43 PM, on 5/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Microsoft.exe
C:\Documents and Settings\Nick_\Desktop\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.battle.net/forums/war3/board.aspx?ForumName=war3x-general
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ... Read more

A:[Solved] That dreaded DOS Agobot worm...

RELEVANCY SCORE 63.6

My friend caught this little nasty. I attempted to find help via google, but little came up, in terms of removal advice...so, would the pros like to drop me some advice?

here's the HJT log

Logfile of HijackThis v1.97.7
Scan saved at 7:10:06 PM, on 5/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeremy Lewis\My Documents\download\jeremyatalbany\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=3c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Sof... Read more

A:worm agobot.ri - can't find information

I don't see any sign of Agobot in the log. Where is this infection reportedly being found. What is the exact location of the infected file?

I do see one thing. Your friend desperately needs to go to Windows update and install all "Critical Updates and Service Packs" ASAP!. This will patch numerous security holes in IE and Windows. This worm got on your machine by taking advantage of one of those vulnerabilities.
 

RELEVANCY SCORE 63.6

yea well for some reason my comp seems to be attracting major worms/viruses etc.

anyways the ones i know of so far are:
Worm/Padobot.z
Qhost.gen or Dos Agobot.gen (same virus diff name ><)
Irc/Backdoor.Sdbot.37.N
and a couple more but i cant seem to remember them..

anyway im currently using Avg 7 and Sygate Firewall i also update windows quite often (sp1) i have done a housecall scan and a pandaactive scan that showed Qhost.gen and Dos Agobot.Gen tho i cant seem to delete them. i have read a couple posts in this forum and nothing has really helped me. could some 1 pls help me get this mofo off my comp ><"

i know i got more viruses etc. but i dont know what and where they are.

any tips will be gladly appreciated

Logfile of HijackThis v1.98.2
Scan saved at 4:51:35 PM, on 15/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WIND... Read more

A:Qhost.gen/Dos Agobot.gen,Worm/Padobot.z..and more help pls!!

RELEVANCY SCORE 63.6

Here is my Hijack this file> I am having problems getting rid of the agobot.gen worm. can anybody give me a hand please.
Logfile of HijackThis v1.98.2
Scan saved at 11:25:54 PM, on 8/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\schqzx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Inte... Read more

A:[Solved] trying to get rid of pesky agobot.gen worm

RELEVANCY SCORE 62.8

Hi there. I'm working w/my dad's HP Pavilion DV 6000 laptop (AMD Turion 64MK-36, 2.01Ghz, 480 MB RAM, Broadcom 802.11b/g WLAN, NVIDIA nforce Networkg Controller) running XP Media Ctr Version 2002 SP2, recently auto-updated to IE7--no file-sharing or messenger/chat programs, very basically configured cuz he's a real beginner--and began 'acting strangely'--he said. For all I know, tho, some issues may be IE7 quirks, since I only know IE6 and dad barely can get around on any computer! He said the clock didn't keep time & date kept getting off, plus his MSN home page and others weren't accepting passwords, & just was 'acting strange.' Some brilliant person at his DSL co. talked him thru uninstalling the ZoneAlarm-Free he had on it so he didn't have a good firewall for a few weeks... (he only tools around on the Internet & has little idea what's ok to click on)

BUT, Kaspersky's online scanner said it had AGOBOT-KU worm and possibly system32 virus(?) and something to do w/ctfmon (which I just noticed someone mentioning on here today...), altho I don't get hits from any of the other scanners or s/w.

As my first HJT post here, I followed pre-posting instructions nearly to a 'T' -- performing every single thing requested/required + more (except Avert Stinger b/c the prog was outdated [from 2006] and NO updates whatsoever within or on McAfee's site were evident [except an 11MB DAT file for their scanning prog...]). Those scans + an installed AVG antivirus came out CLEAN. ... Read more

A:Originally Scanned Agobot-ku Worm + System32

New info as of May 2:

Super AntiSpyware found "Trojan.WinCommDownloader C:\PROGRAMS\~WINLOCK\WINLOCK.EXE" -- This was removed/quarantined or whatever that prog does w/them

Panda found:
Potentially unwanted tool:Application/Processor; Not disinfected; C:\Documents and Settings\Joseph Scire\Desktop\SmitRem Scanner\smitRem\Process.exe
Potentially unwanted tool:Application/Processor; Not disinfected; C:\Documents and Settings\Joseph Scire\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Spyware/PeoplePC; Not disinfected; C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL

But...Smit Rem is a LEGIT program!! Also, I can't find any way to uninstall the PeoplePC that came on his computer -- it's not actually installed yet, so how do I get rid of the DLL?

New HJT Log 5-2:

Logfile of HijackThis v1.99.1
Scan saved at 4:47:49 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.0... Read more

RELEVANCY SCORE 61.6

hey

i did the housecall scan, I'm infected with.....

WORM AGOBOT.K C:/WINDOWS\system32\cssrs.exe

but it cant delete it cuz it says it's currently in use.... the patch's dont run cuz they shutdown half way, i've tried DCOMbobulator, that wont disable..... I've tried stinger too... and hijackthis posted the results and got rid of the checked ones that cybertech told me to... and the other things i'm infected with is:

W97M Generic C:\documents\settings (in 1 place)
W97M ONEX.E C:\documents\settings (in 11 places)
W97M GABLE.A C:\Documents\settings (in 1 place)

what can i do to sort it out???

thanks
 

A:Results to my housecall scan... worm AGOBOT.K cant delete...cybertech???

You must follow the exact directions given by Housecall in order to remove it.

The first and main point is, you have to stop the process in your current session so that it isn't in use and can be deleted.

Good luck.
 

RELEVANCY SCORE 61.6

Thanks in advance for all of your help! When I try to go to Juno.com I am redirected to: <hxxp://ads.addynamix.com/click/2-2125581-3>? And I get a “cannot find server” error. This happens with IE 6.029 and Firefox 3.01 but not SeaMonkey 1.11 (I can get to Juno on SeaMonkey). I am running Windows XP Sp2. I have another computer with Vista and IE7 working off the same router from which I can access Juno. I have run Spybot, AdAware, A2, and AVG with no results. I installed Kaspersky Internet Security 2009 and still have not detected anything. I have updated my Hosts file from mvps.org and I am still being redirected.

3-6 months ago Spybot said I had been infected with “Agobot-KU worm”, but it could not fix the problem. My computer was really slow and there always seemed to be hard drive or internet activity going on when I wasn’t doing anything. I ran Spybot, Adaware, Avg, Housecall, and Stinger but they didn’t detect anything. Something was preventing my security software from updating and eventually I lost internet connectivity completely on this pc. After some research done from another pc, I turned off some BHO’s and Startup items and it seemed to fix the problem. During this time, I remember when I was shutting my computer down it would always say that it could not shut down Teatimer.exe and I would have to click on “end proce... Read more

A:Agobot-ku Worm And Juno Redirect To Addynamix With Ie, Firefox, But Not Seamonkey

Open notepad. From the menu at the top, remove the check from 'Word Wrap'. Close Notepad.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and the files will be extracted to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Reboot the computer into Safe mode.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).
Finally paste the contents of the Report.txt back here along with a fresh HijackThis log.

RELEVANCY SCORE 58.4

Hi,

I would like to request for assistance on how to remove the MSMSGS.exe virus. The virus came from one of my USB flashdrives. Although the AVAST scanner was able to detect it, it wasn't able to delete or remove the virus completely. I would like to remove the virus from the USB flashdrive and my computer.

Kindly review the log and attached files.

DDS (Ver_09-09-24.01) - NTFSx86
Run by Hudson Ong at 22:26:11.73 on Fri 09/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3322.824 [GMT 8:00]

AV: avast! antivirus 4.8.1351 [VPS 090924-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:&#... Read more

A:Infected with MSMSGS.exe virus

Please disregard this post. A friend has offered to help me with this problem.

Thanks.

RELEVANCY SCORE 54.8

Hey, I'm like one of the hundred crying out for help here...unfortunately I've been infected with the sasser...its been inhibiting my internet...i get on's and off's with my internet...sometimes i can go on sometimes i can't...but when i can i downloaded a stinger tool, it detected it and removed it off my computer and I also remove the avserve.exe in my registry...but for some reason whenever i go on to regedit I get kicked off it in a timed duration...so I was lucky enough to delete it before it kicked me. OK...i did all the steps in removing it...I also installed all critical updates...reset my computer...the signs of kicking me off regit in a timed duration and my internet going on and off is still there(there are some sites I can't even load)...I tried a virus scan and it detected nothing...

luckily I did several of the removal steps ASAP...so I don't have problems with my lsass crashing and causing my computer to reset...but the virus seem to did some changes in my computer that I don't know how to fix...is the virus or remainings of it still my computer...or is something that was changed by the virus so I can reverse it. Totally clueless..=(

then I searching around I figure the symptoms are a cause of the agobot...I ran a free virus scan off trend and detected the dos ago bot...and i just deleted it...but signs still run...I download the Hijack.exe but everytime i run it it kicks me off in a timed duration...probably the doing... Read more

A:[Solved] Help - Infected with couple of viruses (Sasser + Agobot)

RELEVANCY SCORE 50.4

Processor:  AMD A4-6210 APU with Radeon R3 Graphics 1.80 GHz
Installed RAM  4.00 GB (3.46 GB usable)
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display
Edition:  Windows 8.1
Manufacturer   Acer    Aspire E5-721
Canon MX452 all in one printer
Emsisoft is my main anti malware program.
 
Infected with W32/Mytob-EW worm and W32/Sdbot-BN backdoor worm
 
Bleeping brought this to my attention  while I was researching strange behaviour on my pc.  Several drive wipes with a factory install performed over the last four weeks.  Four wipes.  One done by my college computer technician.  Frustration over what was going on triggered the slow one by one process analysis using Task Manager.  When I selected the end task on these (so called worm in disguise) processes, they immediately started up again.  Using the right-click feature on the entries, to search online what they were, brought me directly to the Bleeping Computer description.  Upon further investigation it was unanimous that Bleepings information was correct.
 
My emsisoft was consistently detecting and quarantining two registry keys, over and over even after I deleted them.  I am no different than anyone else and have saved logs of other scans from JRT, adware, rogue killer, rkill, etc etc.  They usually don't help that much, but if you are curious I have ... Read more

A:Infected: W32/Mytob-EW worm & W32/Sdbot-BN backdoor worm

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-04-2015
Ran by Cindy (administrator) on PERFECTPC on 26-04-2015 18:46:01
Running from C:\Users\Cindy\Desktop
Loaded Profiles: Cindy (Available profiles: Cindy & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QASvc.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAEvent.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Micro... Read more

RELEVANCY SCORE 44.8

Hi all, sent here by Broni for elevated help.  Basically, to summarize, I got a worm possibly through a vulnerability in Flash and from an infected ad (I've only browsed legit websites and I have McAfee SiteAdvisor) and as is typical of people who have the worm, I can't remove it.  Apparently, it's infected my MBR and I was told to run DDS.
 
Here's DDS.txt
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.21.2
Run by Daniel at 18:10:34 on 2013-05-25
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4093.1324 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system3... Read more

A:Infected MBR; Infected with MSIL/Necast.D worm

Hello DasNasty

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"... Read more

RELEVANCY SCORE 43.2

Today, I used a pendrive of a friend on my computer, I had auto folder open on. the folder opened and later to find nothing on the pendrive but only a E:\ folder inside the pendrive, then when i clicked hidden items viewable, i saw the pendrive logo I went inside transferred my important document since it needed an immediate printing. My computer has turned very slow following that and there are various hidden documents now on my desktop like $w_microsoft.docx which are of names of files i had deleted long ago and several other files which i had created and used long back but never used in the near history. 
 
Please help me fix this , remove the virus and get back to my old computer speed.
 
 
Thanks alot for help in advance
 
 
 
----FRST LOG-------
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:06-05-2016
Ran by ASRLAPTOP (administrator) on DEEPAK (05-05-2016 18:57:15)
Running from C:\Users\ASRLAPTOP\Downloads
Loaded Profiles: ASRLAPTOP & Administrator & Guest (Available Profiles: ASRLAPTOP & Administrator & Guest)
Platform: Windows 10 Home Single Language Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entr... Read more

A:I think i have been infected by a worm from using an infected pendrive, need hel

Hello imdeepster

I am Marie Curie and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
Read my instructions thoroughly, carry out each step in the given order.
Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
Back up important files before we start.
--------------------------------------------------------------
Please read the following warnings before you proceed.

ComboFix Warning
------------------------------
I see you have run ComboFix, a powerful first-responder malware removal tool, designed to remove some of the toughest malware; including bootkits, rootkits and backdoors. As stated in the disclaimer, the tool should not be used by someone untrained in its usage. Doing so may cause unforeseen circumstances, and could render your machine unbootable. For more information on why you should not run ComboFix without supervision, please read the following article.

Backdoor Warning
------------------------------
One or more of the identified malware is known to use a backdoor, that allows attackers to ... Read more

RELEVANCY SCORE 42.4

I am having this issue with many computers on my network. Some are 95/98/ME/NT 4.0/2000. When you select shutdown the computer hangs for an amount of time (matters how new the puter is) then a box pops up saying something about msmsgs.exe blah blah blah will close in 20 seconds or you can click end task. On most of them if you wait the 20 sec. you still have to click end task. If you exit MSN Messenger before you go to shutdown it does not do this. My users find it annoying to have to exit this everytime so I need to find a solution. Can anyone help?
 

A:msmsgs.exe

RELEVANCY SCORE 42.4
Q: msmsgs

Hate to bother you with this, I've been trying to fix the problem for a week and I'm not a tech.

My system doesn't want to boot up after shutdown.

I was hacked recently but had cleared that up pretty much here with the help of mr. Klein.

I did notice msmsgs running. I'm not using ms instant messenger and the msmsgs wont stay down. I press Ctrl, Alt, and del. Highlight msmsgs and click on end task, It reappears soon.

I have had some problems with my browser, been fighting xupiter way too often, and mostly I'm concerned about the possibility of being hacked, again.

Anyone have any ideas??

I did do a log from HijackThis today.
I ran adaware, then spybot a few times. Nortons AV program twice, Installed Outpost along with my Zone alarm that I already had.
This thing is making me crazy

Thanks,
Peaceful
 

RELEVANCY SCORE 42.4

Hi, for a few days now, every couple of minutes, the hour glass pops up next to the mouse cursor, like something is opening, even though there's not. I opened running applications, and waited for the hour glass to pop up, and when it did, I noticed the problem is "msmsgs.exe". Even when I end the process, it still does it again, about every 2 or 3 minutes, and it's getting on my nerves.

Any idea on what this is, or what I can do to get it to stop running every few minutes?
 

A:msmsgs.exe

Hi,

I got the thing that will make your problem go away:
"msmsgs.exe" is MSN Messenger - The Chatprogram you can call it.
There are many ways to turn this off, but a good way is to rename it, that is what I have done, I rename it to msmsgs1.exe in the explorer.
Open: C:\program files\messenger
There you will find msmsgs.exe.
To rename it you would have to turn the process off first in Task Manager.
Then you rename it and it will never start automatically again.

If you are using MSN Messenger, then download it from: http://messenger.msn.com/ and the messenger program-file has it name like "msnmsgr.exe"

Hope it will help You.

And there is other way to stop this, by using Group Policy and shut it off, but that is something you can read about some other places.

// Yehaten ( The Swede )
 

RELEVANCY SCORE 42.4

Thank you in advance for your help.

I use a program called System Surveillance Pro to monitor activity at home. Today I noticed that msmsgs.exe ran repeatedly, numerous times today while there wasn't anyone home to use the computer. Worried that this might be a virus/trojan. Here is a HijackThis log and the log from SSPro.

Logfile of HijackThis v1.99.1
Scan saved at 6:58:40 PM, on 1/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Syst... Read more

A:Msmsgs.exe

Welcome to the forum, looks like you have MSN Instant Messenger set to run at every start up. This program is bundled with the full install of MSN Premium and can also be downloaded as a stand alone program. You also have Windows Messenger which is installed with Windows XP but it is not set to run. If you wish to turn off MSNIM you can do that from within the program like this.

Right click the icon in the System Tray and choose Open Messenger > Tools > Options > General Tab > Uncheck all sign in boxes then Apply and OK your way out.

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

I see no other malware issues in your HJT log.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...
pskelley
BleepingComputer
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

RELEVANCY SCORE 42.4

I have the MSMSGS box checked in my Startup file, I think it's something to do with the Windows Messenger service. I'm not sure what this is as I mainly use my PC for emails and surfing.

Is it safe to uncheck the MSMSGS entry, and if it is, how can I remove the Icon from the bar at the bottom right of my screen?

Regards....CC
 

A:What is MSMSGS?

RELEVANCY SCORE 42

i have inserted my digital mp3 player w/ usb storage device in my removal disk drive j not knowing that it was infected w/ this kind of worm. After i open the mp3 files folder, avg antivirus detected had detected this worm/vb.6.ba. Then suddenly my computer does not show removal disk drive(j) icon anymore...

Deckard's System Scanner v20071014.68
Run by user on 2008-07-12 21:05:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
42: 2008-07-12 13:05:34 UTC - RP42 - Deckard's System Scanner Restore Point
41: 2008-07-07 04:55:49 UTC - RP41 - Removed hp psc 1200 series
40: 2008-07-07 04:55:27 UTC - RP40 - Removed HP Photo and Imaging 2.0 - All-in-One Drivers
39: 2008-07-07 04:54:37 UTC - RP39 - Removed HP Photo and Imaging 2.0 - All-in-One
38: 2008-07-05 11:35:19 UTC - RP38 - Installed Windows XP KB926239.
-- First Restore Point --
1: 2008-06-23 12:52:08 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as user.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:09 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS... Read more

A:Infected With Worm/vb.6.ba

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Please also post the problems you are having.

RELEVANCY SCORE 42

When i start my computer i get a pop up window that tells me...

Spyware Alert!
Security Warning!
Worm.win32.Netsky detected on your machine.
the virus is destributed via the internet through e-mail and Active-x objects.
the worm has its own SMTP engine which means it gathers e-mails from your local compter and re-distributes itself.
In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data.
Viruses can damage your confidential data and wonk on your computer.
Continue working in unportected mode is very dangerous.

Type: Virus
System affected: Windows, 200, NT, ME, XP, VISTA, 7
Security risk(0-5): 5
Recomendations: It is necessary to perform a full system scan.

If I try to press Ctrl/Alt/Delete it says that "task manager has been disabled by your administrator."
Also I have a new background that says "YOUR SYSTEM IS INFECTED!" and when I right-click the desktop to change the background, the background options are disabled as well.
Please help! I installed HOUSECALL and it says that it fixes all the problems, but the issues above still remain. HOUSECALL only helps my computer to run a little smoother again.
I attached the log file for the HijackThis program that I downloaded and I need to know which programs I should "fix" with the HijackThis program.
PLEASE HELP!
- Dan

A:Infected with something? worm i think

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may ta...


Hi, I check for viruses with AVG Free Edition and it finds Worm/VB.SO many times (+20000 threats), always on the same path C:\Documents and Settings\User\Complete\...
This folder is invisible and I can't make it visible.
I used many antivirus and spyware programs before I posted this log.
Most antivirus programs check these files but they don't see those as a threat.
Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02:53, on 07.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bitv...

A:Infected By Worm/vb.so

Hi halimos,

If you still need help please post a new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide for use before posting a HijackThis Log, and I'll be happy to look at it for you.

Thanks for your patience.


I have a Compaq Presario machine running Windows XP Media Center Edition 2005. The system tab in the control panel says "Windows XP Media Center Edition 2002, Service Pack 3, AMD Athlon 64 processor 3500+, 2.19 GHz, 960MB of RAM. ATI Radeon Xpress 200 Series. (if this helps...)

Something is opening new browser windows to various search sites (if I try to connect to a Yahoo search result, sometimes a new window will open with a warning box and lock up my machine, other times I'll be directed to another site in the same window). I have Security Essentials residing in the computer and the trojan hijacked it using Security Essentials logos. It opened up a fake product called ThinkPoint and started to run a scan (I shut down the computer). In all, the virus seems to be blocking access to security/update related sites and controlling the browser.

So far, I've run Windows Live OneCare (it initially blocked my access to it until I restored back to a date a couple of weeks old), TrendMicro's Housecall, CC Cleaner, Security Essentials, Microsoft Malicious Software Removal Tool, HijackThis, Malwarebytes Anti-Malware. Most seem to find something but nothing seems to knock it out: my browser is still getting hijacked, it blocks access to Microsoft Update, and the machine gets a couple of consistent popup messages... "Generic Host Process for Win32 Services" and "svchost.exe - Application Error"

The DDS.txt log is pasted below (per instructions), and I...

A:Infected with Worm, Not sure the name of it

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/m...


Hiya. I've been reading advice on this site for a while, but never posted before. However I've been having a few problems lately and need help. I think it was my windows detected a worm and then I ran Malaware for the 2nd time this week. It detected 3 infections this time. My computer is so slow, I can't download Avast as it comes up with an error. My Norton hasn't worked for a while but could be out of date. I've done what was required and hope it's all ok. See below:
DDS (Ver_09-07-30.01) - NTFSx86
Run by Jane at 12:16:57.42 on 25/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.479.105 [GMT 1:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\anti virus\aawservice.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Fil...

A:Infected with a worm but don't know the name

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTL Report
Please download OTL from here
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the "Run Scan" button.
The scan should take just a few minutes.
Copy the log that opens up and paste it back here in your next reply.

=============

The next log will show us any hidden files that are present.

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror, Secondary Mirror, Secondary Mirror, Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror, Secondary Mirror, Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror, Secondary Mirror, Secondary Mirror

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the sc...


Friends, I desperately need help. My computer is showing that it is sending email to people I have no idea where they are. Every now and then, even right now, the Symantec email scanner is showing up all the time and then I receive messages that say I am unable to send because the server is rejecting the message. I think it started when I opened an ecard. Please somebody help me.

Moved from the XP Forum. ~acklan~

A:I Think I'm Infected With A Worm, Need Help.

Hello Lemeki

Sounds like you have some sort of malware (most likely a trojan) on your computer.

Please read the 4 Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware tutorial by clicking here and follow the steps.

Hope your computer gets fixed as soon as possible.

Have a great day


DDS (Ver_09-02-01.01) - NTFSx86
Run by Michelle at 23:17:14.65 on Fri 03/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.29 [GMT -4:00]

AV: avast! antivirus 4.8.1296 [VPS 090313-0] *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe...

A:INFECTED WITH WORM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until instructed to do so!
Let me know if any of the links do not work or if any of the tools do not work.
Tell me about problems or symptoms that occur during the fix.
Do not run any other programs or open any other windows while doing a fix.
Ask any questions th...


Please help, discovered a worm infection after clicking a link in facebook. Now, I am sending spam to my friends unwillingly. Tried to remove with spybot and malwarebytes but don't know if it's completely gone. Please check my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:17 PM, on 05/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\M?t?oM?dia\M?t?o?clair\Wea...

A:Infected with worm

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


I have been having issues with a program refusing to accept an activation code and started trying to change my antivirus from Avast (I was told by the programmer that Avast/AVG are notorious for interfering with his program) to Microsoft Security Essentials. In the process I clicked one of the first "download here" buttons and installed a "fix your computer problems free by paying us excessive amounts of money" program. When I realized my mistake I had already had 3 or 4 programs installed by the technician who didn't tell me right away that the "free" service was only free if you signed a 1 year contract to pay $250 to receive the free part.
Now I have been having problems for a while but at the time I told this fellow to get bent I ran several programs to scan my computer. Not advocating the use of these programs I will simply say the programs he had installed all came back as High threat on more than 2 programs which have since removed the threats.

Now comes the big issue.... When I rebooted my computer after re-sizing my hard drive (I am attempting to create a new Windows Vista installation to upgrade to Windows 7), I got a warning to the effect that "Trojan-08.XXX is unable to run you have the option of searching the internet for a program to open it" (where the .XXX was another code like .sbd or .sdb or some such)

Now I have to ask what should I do next?

A:Have I been Infected with a Worm?

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll dow...


Hi.

I was extracting files from an archive that I downloaded today, when my McAfee VirusScan On-Access Scan detected 3 malicious files that were inside of it. One of the files was automatically deleted by McAfee as it normally does, however 2 of the files cannot be deleted. I then opened C:\Documents and Settings\superior\Local Settings\Temp in Windows Explorer and located these 2 files: tmp25C.tmp and tmp25D.tmp.vir

When I tried to delete these 2 malicious files I received an error message saying:
Error Deleting File or Folder
Cannot delete tmp25C: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.

McAfee says that these files are a worm and a trojan. Although I'm not experiencing any problems I want to delete them. Also I received error messages when attempting to use Kaspersky and RSIT.
While running RSIT I get this error:
Autolt Error
Line -1:
Error: Error parsing function call.
When trying to run Kaspersky I get this error:
<www.kaspersky.com>

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Failed to resolve source DNS name]

A:Infected with Worm

Welcome to BleepingComputer...

What version of Windows do you have?

Let's try a Malwarebytes scan...

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue wi...


AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Windows\system32\svchost.exe -k LocalServiceA...

A:Infected with a RAT or worm

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/410814 and follow the instructions there. If you no longer need help, this is all you need to do. If you do need help please continue below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:
If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
Please do this even if you have prev...


Logfile of HijackThis v1.99.1
Scan saved at 8:48:18 PM, on 7/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wz5b75\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Fil...

A:Infected-possible Worm

Hello stue760, and welcome to Bleeping Computer. My name is Charles and I will be helping you to clean up your computer.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,
Charles


Hi, I tried to follow everything, but every time I try to restart the computer, the firewall is gone. I tried to set it up again but still the same thing: "symantec email proxy" is showing. I tried to download and run Random's System Information Tool (RSIT) but it won't work when I try to click the icon on the desktop, saying Error: Subscript used with non- Array variable.
I hope you could help me asap coz it's ruining my PC

A:Infected with R-bot worm

Hello ruby1624 and welcome to BC

I see that you have succeeded in getting RSIT to run and that you have that log posted here: http://www.bleepingcomputer.com/forums/t/186007/hijackthis-log-please-help-diagnose/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

This leaves you with a choice:
1) Have this thread reopened and the HiJack This log topic deleted
OR
2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before y...
