
Q: W32/Rootkit.BAK - I've been ignored for FOUR MONTHS! Please help :(

I have received this virus W32/Rootkit.bac, and it's stopping any updates and other applications! I can't seem to find out how to remove it or where it is. My virus scan says it will be deleted after I reboot, but it returns as soon as I try viewing anything on the web. I thought uninstalling and then re-installing Internet Explorer would help, but it hasn't. Does anyone know what to do? I BEG FOR YOUR HELP!!

I have had it for months now and I really need it sorting. I almost reformatted my PC, but I don't have any external storage to back everything up!

Please help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:08:55, on 17/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.formula1.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.14\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.14\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28D5FBF9-3EC0-417F-A10B-B2C17F97A9E8}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{299AD407-1516-462C-A4E7-8F021A77927F}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =,
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: Google Update Service (gupdate1c9935b12a7018a) (gupdate1c9935b12a7018a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
End of file - 12050 bytes


A: W32/Rootkit.BAK - I've been ignored for FOUR MONTHS! Please help :(


I have been fighting this virus/rootkit/bootkit, whatever it is, for getting close to 6 months now. It started as some virus on my little brother's computer at his house, which infected his router and about 5 other computers in the house. I connected to the router and it proceeded to infect my laptop, the router at my home and all the computers there as well. It also has infected 4 Android phones, a Palm Treo Pro with Windows Mobile and a Palm Pre, along with infecting anyone who connected to any of the routers. I am currently writing this from my mother's laptop, which has the worst infection. She purchased a new one to replace the old one, which seemed to be impossible to fix, at a cost of around $2,000. 1 day later her new laptop was infected, although it wasn't apparent to her. I am currently going to school for my Bachelor's in Computer Science, my Cisco CCNA and network security certifications. I have been building computers since I was 10 (am 28 now) and I have never come across anything like this in my life. She has been content with just letting it be because the computer works to a point. I, on the other hand, will not have someone or something controlling my computer. The OS on this computer is Windows 7 Home Premium x64, an HP laptop with a 2nd gen Core i7 that runs like it's a 486, and it's so infected it's unreal. Also the infection causes the computers to load in Windows PE mode in a virtualized environment so nothing picks it up. I have 2 desktops and several laptops ... Read more

A: Persistent Rootkit for over 6 months now Infects Routers Windows x32 and x64 Linux Android Phones etc

Here is the DDS log as well as an additional one. Will see if it uploads this time.


I update and save quite a few files each day, and I can see in File History that there are many saved versions for these files.
This would fill up my backup drive fairly quickly, and therefore I need to reduce 'Keep saved versions' from the default of 'forever' to about 3 months. But does this mean that all files older than 3 months will be deleted from my File History backup?
What happens to all my files that have only ever been saved once, but are older than 3 months? Are these retained in File History or deleted?
The forums on File History do not make this very clear.


Okay, first of all I would like to say I have been having ongoing issues for months to almost a year... I have tried everything I can think of... Including wiping hard drives to DoD standards with DBAN, GParted etc.... I have tried monitoring my connections with Wireshark... I have tried several different anti- (virus and malware) programs including paid versions of Kaspersky, Malwarebytes, Bitdefender, ESET.....
This problem also has involved some black hat hackers compromising my system and bank account, credit card etc., all being hit and continuing to do so... I have switched ISPs, changed hardware, thrown away devices including cell phones and laptops... It seems that they were also backdoored into several of my devices and were using several different methods to continue to spread and infect other devices.. These devices include Android, iPhone, iPod, iPad, netbook, laptop, smart TV and even my DVD player (Java).. I have tried to ask for help and seek help for this and no one can figure it out or think this can't be real.
I have now thrown out all laptops, and all phones at the same time and started from scratch but am having issues on a brand new laptop... I am not sure this is the same issue as before... However, I would like and really appreciate if someone could help me out and view my logs and make sure.. because I have been through hell and back with all these issues.. Loss of finances, time, and sleep... SO, I truly appreciate any and a... Read more

A: Malware, Spyware, And hackers...equals months and months of going insane!! help!

GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2015-06-29 18:38:16
Windows 6.3.9600  x64 \Device\Harddisk0\DR0 -> \Device\00000036 HGST_HTS721075A9E630 rev.JB2OA3J0 698.64GB
Running: 11ybrc3o.exe; Driver: C:\Users\M4M8A\AppData\Local\Temp\kxldypow.sys
---- Modules - GMER 2.1 ----
Module   \SystemRoot\System32\drivers\iaStorA.sys (Intel Rapid Storage Technology driver - x64/Intel Corporation SIGNED)(2014-09-02 06:28:41) fffff800f9c65000-fffff800f9f1b000 (2842624 bytes)
Module   \SystemRoot\system32\DRIVERS\edevmon.sys (Devmon monitor/ESET SIGNED)(2015-01-30 23:13:30) fffff800fa393000-fffff800fa3d2000 (258048 bytes)
Module   \SystemRoo... Read more


I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

A: Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks, and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


OK, I am not extremely computer savvy... I may have destroyed the computer beyond repair, but my files are not backed up and all of the videos of my son when he was a baby are on there and only there. So, HELP!!!! I had a bad virus that started as pop-ups for fake virus protection; I can't even remember what it said. I gave it to my brother-in-law to fix and it took him a month to tell me I needed to back up my files because he was going to dump the whole thing. Last night, after plugging in the USB and having it fill up without even getting through 1/4 of our pictures, I decided to try to get rid of the virus myself. I ran Malwarebytes, which found some items and told me to shut down to complete. I did, got the blue screen, started in safe mode w/ networking (got a pop-up that said Malwarebytes could not be located). After some more searching, I downloaded Hitman, which was made for the DNS virus. I know whatever it is on my computer is really bad. The local connection icon was completely removed. Ethernet driver gone, and Microsoft system tools like firewall and security all gone. Here is what Hitman said before it told me to reboot to complete the deletion of the virus(es): Rootkit rootkit.mbr.pihar.d (boot image), trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.graftor.13001 (engine A), backdoor.maxplus, trojan-dropper.win32.sirefeflIK... and 57 items in temp files..... HELP PLEASE!

A: Rootkit rootkit.mbr.pihar.d (boot image) ,trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.g...

Copy this tool to the infected PC: FSS. Checkmark all the boxes. Click on "Scan". Please copy and paste the log to your reply.


I'm working on a friend's laptop and they believe one of the kids went somewhere they didn't need to be going. They said they started noticing issues on 7-20. I was going to try and clean it myself and did a little research on the rootkit and decided I needed to ask for some help. I attached the logs from Malwarebytes and TDSSKiller. When using TDSSKiller I had it skip trying to "cure" the infection.
defogger_disable by jpshortstuff (
Log created at 14:50 on 24/07/2012 (Elizabeth)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Elizabeth at 14:51:40 on 2012-07-24
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2286 [GMT -4:00]
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C... Read more

A: Infected with Rootkit.Zaccess/Rootkit.Boot.Pihar.c, Trojan.Dropper.BCMiner

Please go ahead and re-run TDSSKiller and allow it to "cure" what it finds.

NEXT

Refer to the ComboFix User's Guide. Download ComboFix from the following location:

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here.
Double click on ComboFix.exe & follow the prompts. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.

Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Got some problems. I am running Vista on a Gateway. Every time I run an AVG or other scan the computer just restarts itself without being prompted. Before it restarts it shows a Trojan, Windows Antiviruspro and Rootkit.cloaked/service-gen 3. RootkitRepeal and DDS will not run but HJT will run. Any help is appreciated. Here is a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:36 PM, on 8/18/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Glance23\Glance.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software ... Read more

A: Rootkit, Trojans and Windows Antiviruspro, cannot run rootkit tool, restarts computer on scans

Hello, my name is Sempai and welcome to Bleeping Computer.
* We apologize for the delay. The forum has been busy.
* I want you to understand that I'm still a trainee here. I will be working with my Coach, who will approve all my instructions before posting them to you, so there's a possibility of some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
* It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
* You must reply within 5 days, otherwise this topic will be closed.
Your log will be analyzed and you will be instructed on what to do next as soon as possible.

Hello, I have been working on cleaning this system (Desktop PC: Dell Optiplex 7500: Windows XP SP3) for a few days now after discovering an old partially removed infection of Paladin Antivirus. Ran the usual removal tools, MBAM, Combofix, Avast Boot Scan, and F-Secure Online scans, and all show up clean now; however, the Avast real-time behavior scanner is still flagging a latent Rootkit service: SVC:PRAGMApxevsticxr. Of course when Avast asks what I want to do I choose delete, and it recommends boot scan, which comes up clean, and the Avast process starts again. Knowing I was still infected, I decided to go to the ever trusty, but lengthy, ESET online scanner, which found:
C:\WINDOWS\PRAGMApxevsticxr\PRAGMAc.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\PRAGMAd.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz1D.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz3.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz7.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
and then in a subsequent ESET scan:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000075.dll a variant of Win32/Krypt... Read more

I originally received Security Tool 2011 from golf.com.au. It came through svchost.exe.

I found and deleted the .exe and System Restored to before the infection. In safe mode with networking (i.e. without firewall), iexplore.exe was starting by itself, and before I picked up on this I believe I was infected with a series of trojans and other nasties. Many of these were picked up by Malwarebytes and SUPERAntiSpyware. I then used Avast! and it picked up a Win32:Cossta and the Alureon Rootkit. The Cossta trojan was cleaned. The rootkit has remained.

MBRCheck diagnosed the MBR Code as being non-normal or infected. Boot_remover identified the code as 'FAKED!'

After cleaning as much as I could with Avast! Boot scans, I attempted to use both MBRCheck and boot_remover to 'fix' the MBR. Neither were able to.

My next step was to download aswMBR.exe but it would not run. I then attempted to download GMER but the options were greyed out. I then downloaded TDSSKiller which detected 1 Rootkit which I 'cured' and 1 locked file which was 'skipped'. A log is provided below.

This allowed me to access aswMBR.exe which I ran, and posted the log below. After this I ran ComboFix (sorry!!) which said I had Rootkit: Zero Access. ComboFix rebooted and successfully went through all its 'stages'. The ComboFix log is provided below. Interestingly, I had uninstalled all my Anti-Virus software prior to running ComboFix, except for Malware Anti... Read more

A: Infected with Rootkit: Zero Access from Security Tool 2011 [Also potentially Rootkit: Alureon]

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427038 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Hi, since Friday my computer started to run slow and kept crashing. I also noticed it would redirect Google searches to various webpages and not the actual link it was meant to... I have McAfee Security Centre (updated daily), so ran a scan. It revealed some trojans, namely "Spy-Agent.bw!mem, DNSChanger!ba and Generic FakeAlert!cd". Some of it was removed/quarantined while 1 or 2 files couldn't be fixed by McAfee. I then ran MBAM which managed to clear everything. Here is the log from then (28th Aug):
-----------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2709
Windows 5.1.2600 Service Pack 3
28/08/2009 18:07:25
mbam-log-2009-08-28 (18-07-25).txt
Scan type: Full Scan (C:\|)
Objects scanned: 165024
Time elapsed: 36 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\C... Read more

A: Infected with Google redirect & Rootkit TDSS and Rootkit.Agent/Gen-Rustock[KBI]

UPDATE: Did an online scan with Eset, it reported the following: C:\Documents and Settings\Amit Sinha\Application Data\Sun\Java\Deployment\cache\6.0\56\3c28cc78-2a20046a probably a variant of Win32/Agent trojan deleted - quarantined. So looks like there are still some remnants... Anyone?

===========

Hello. While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are those of other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members. Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are... Read more

I would really appreciate some help from someone with experience with this matter.


Origin: False sense of security by AVG (updated), Windows kept updated, browser settings, firewall, and self system maintenance.

Presentation: Installed a 2nd HDD (exclusively for daily backups - ironic!). I did manage to fire off one backup with Win 7 Backup including an image, but I doubt it is clean. Then next morning the computer was no longer in the Win 7 environment but had rebooted to the System Repair panel, and despite a week of working on the problem with lots of pro and sub-pro advice online and offline, I could not get the startup repair to stop reporting that my code integrity file "C:\ci.dll" was corrupt and it could not help me. I was locked in a loop [boot start->system repair]. Safe mode, BIOS changes/resets, drive removals and rearrangements, Win 7 original DVD repair, triple startup repair cycle, replacing ci.dll with a correct-sized version (which simply reverted to "corrupt size" on reboot), restore points, using the one image file I had made .... no help - all roads lead to the system recovery panel.

B.T.W. Safe Mode would halt boot at driver #5 "CLFS.sys" to enter the system recovery console.

Positive (hopefully) Headway I've Made: I researched the details of the component library ci.dll and looked for a vulnerability or weakness I could exploit to avoid the error, and I learned it doesn't lend its function set during kernel debug mode and unsigned d... Read more

A:Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough


You need Jacee and/or Corinne's help with this - they are our resident security MVP's. No doubt they will see this, but I'll drop them a message and ask them to have a look at this for you.


On Feb 14th, I posted about a rootkit that is on my system HERE in the "Am I infected" section. It has been a very long time since I have been here, but I believe you used to have to post there first and only ended up here once someone started helping you, but I truly can't recall. Should I leave that where it is and wait for a reply there? Or can that post be moved here? Can the topics be merged? Or should I repost my issue here and delete that post? I apologize that I am so out of touch with forum protocol here, but on the other hand, I don't want to waste anyone's time by posting in the wrong place and clogging up the wrong queue.

I do have a nasty version of the PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan), a TDSS variant. All other infections have been removed, and I believe the bulk of the rootkit has been disabled. I *think* I just need to drop a custom script into ComboFix or Avenger2 to finish the removal; however, I am not sure because I haven't seen a piece of malware this resilient in years.

The following scans have been run and their logs are saved and available for posting: DDS, GMER, Rkill, Combofix, RootRepeal, HijackThis, MBAM, ESET Online Scan, FSecure Online Scan, SuperAntiSpyware, Avast Boot Scan, as well as a manually created record of all self-deleted registry keys related to PRAGMA.

The bulk of the pertinent information (at least what I *think* is pertinent) is in the original thread linked above, with the exception of the GMER info on the rootkit. Please advis... Read more

A:PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant

Post removed due to Crossposts

Hello, I was sent here from the Am I Infected Forum by garmanma. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/260361/requesting-virus-help-malware-greenav-and-rootkit-etc/ ~ OB

Prior to posting in that forum, I tried to run MBAM, Spybot, SpyHunter. The programs would not run at all; I would get an error stating I didn't have appropriate permissions. I downloaded the DDS.scr file and tried to execute a scan. The scan screen popped open for about one second and closed.... Every program that I try to run will either not run at all, or if it does run, it will close a few seconds into the scan then shut down. If I try to run it again, I'll get an error saying I don't have permission to run that file. I have tried online scans from Bitdefender, Microsoft's OneCare, and one more (forgot the name)... but every online scan shuts down the entire browser. Also, on occasion I get a fake page saying that the webpage I requested has been blocked due to my infections, and links me to a page regarding GreenAV. I could not run most of the tools in the preparation guide, even after renaming them. However, in the other forum I was able to run a couple of scans before the programs shut down. I was requested to start a new topic here and post the logs that I have. Thanks in advance:

I was instructed to download "peek.bat" and run that program and also RootRepeal. The results from both are listed below:

Peek.bat Log:
Volume in drive C is SQ004214P01
Volume Serial Number i... Read more

A:Rootkit and Spyware Problems: Antispyware/Antivirus/Rootkit Scanner programs all shut down when executed...

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

Dear Folks,

It looks like my computer is infected with Generic Rootkit.d!rootkit (Trojan) - File: NTOSKRNL-HOOK

I use McAfee Antivirus. Whenever I scan, it shows the following log and it says detected 1 and fixed 1.

8/1/2009 10:24:13 PM Scan Started: 08/01/2009 10:24:13 PM
8/1/2009 10:24:59 PM Scan Started: 08/01/2009 10:24:59 PM
8/1/2009 10:25:44 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/1/2009 10:29:00 PM Total objects scanned: 12981
8/1/2009 10:29:00 PM Objects detected: 1
8/1/2009 10:29:00 PM Scan Done: 08/01/2009 10:29:00 PM

Also I get BLUE Screen very often and my system gets rebooted automatically (screenshot attached).

Please help me in resolving this issue.

I downloaded "ComboFix.exe" from your website but didn't run it, as I saw many times that it should not be run without the proper instruction / help from technical folks.

I'm just waiting for your response. Please help..!!

Thanks in advance.


A:Generic Rootkit.d!rootkit (Trojan) - File: NTOSKRNL-HOOK

Hi Folks, thanks for responding to my "Personal Message" from Orange Blossom ~ forum moderator and email from Administrator. As mentioned in the email, I followed the steps mentioned in the following "Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools" which is located @ http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

1. Data Backup - Done
2. Verified that my computer is infected by NTOSKRNL-HOOK trojan
3. Steps 3, 4 & 5 are also done
6. Downloaded DDS and scanned my computer. When I tried to run this scan, I got the warning in the same Command Prompt with the message three times like "Not enough memory to complete the sort.". After that the scan has produced two files (DDS.txt and Attach.txt).
7. Responded to my own topic which I've created on Aug 2nd, 2009.

Please help me out in resolving this issue ASAP. Please find the log from DDS.txt file which is pasted at the bottom of this message. I'll upload the Attach.txt file, if you want. Please let me know.

Problem with my computer is that:
- I get blue screen often and it gets rebooted by itself (I'm losing all the data).
- System hangs when Windows Logon Screen appears (only sometimes); I'm not able to login. I've to hardboot.

Just curious: When DDS.scr was scanning, I found the following EXE files running in the background in "TASK MANAGER". Please confirm whether they are genuine. fi.exewregs.exefindstr.exedds.screds.execs... Read more

A. McAfee scan has found multiple instances of a "Generic Rootkit.d!rootkit", which it calls NTOSKRNL-HOOK, and classifies as a Trojan. It has both eliminated and quarantined them.
1) As many as 2 to 5 have been found at once.
2) Once "removed," they appear again in no time.
B. McAfee - Update Error
"An error occurred in updating. Please reinstall these programs:
- McAfee Security Center"
NOT DONE - Expected to be repetitive.
C. Defrag - no access
1) Norton Speed Disk won't start. Error Message:
"An unexpected error occurred while communicating with the Speed Disk Service (NOPDB.EXE). Please exit Speed Disk, restart the Speed Disk Service, and try again. If the problem persists, reinstall Speed Disk."
Reinstalled Speed Disk. Same result.
2) Windows XP Accessories Disk Defragmenter Error message:
"Disk Defragmenter could not start."
D. Backup - presently unable to back up.
1) My backup utility, XXCLONE, will not start. (Last backup was WAY too old.) It returns the following Error Message from its initial disk scan:
"The source volume (C:) specified in the command line does not exist, or the volume label does not match. Therefore, it will be ignored."
2) Windows XP Accessories backup component refused to start as well. Error message:
"The Backup Utility cannot connect to the Removable Storage service. This service is required for use of tape drives and other backup devices. Please exit and start the Removable Storage service using the System Services function of the Management ... Read more

A:Hijacked; Generic Rootkit.d!rootkit (NTOSKRNL-HOOK); certainly other probs.

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

Well, once again my co-workers have managed to get something that I cannot remove. Last time I had an issue you guys fixed it perfectly and I am here again asking for help. Somehow this computer got a virus on it that has been spamming e-mails; because of this our IP has been blacklisted and e-mails we need to go out are not going out, etc. etc... I would just reformat this machine but it has very specific software on it and I cannot

As far as I know the viruses are called
rootkit-agent, rootkit.protector, and agprotector. Here is my DDS.txt, and again I hope I have done everything correctly and I hope you can help. Thank you again

DDS (Ver_09-12-01.01) - NTFSx86
Run by Big Fox at 15:18:51.93 on Thu 12/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.389 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe... Read more

This was a redirect by OBlossom.

Hi, hope you can help. I clicked on a link to a web page that I shouldn't have and got a popup saying I needed to update my Adobe, thinking all was ok! When I did that another popup came and said I may be infected and it wanted me to click on their link. Which I didn't; instead I tried closing the windows, even with Ctrl-Alt-Del, it wouldn't let me. Then returning to desktop, McAfee said something wanted access and if I allowed. Again, no! The only way out was a reboot, which took some time to shutdown. When the system came back on I got a window saying Google installer had a problem and had to close, never had that before. It did have a "more info" link, which I clicked and a new window opened up saying something about UACD.SYS & WJQS.EXE! I found them in the registry, I knew I had a problem. After running McAfee it said something about NTOSKRNL-HOOK and Generic RootKit.d!RootKit. Needless to say I am here. I would continue to get that popup, about Google Installer needing to close. Also when I did a search and would click on a link I would get the "WindowsClick" and was redirected to another web page. Ok, try to shorten it, I tried a lot and nothing seemed to help. Until I read here and ran ComboFix, it seemed to work! Had to make note of some files "UAC******.dll and one UAC******.dat another was Service_Uac.sys, ... Read more

A:NTosKrnl-Hook UACD.SYS WJQS.EXE Generic RootKit.d!RootKit

I just wanted to mention an oddity I've noticed, my msn.com link in favorites keeps disappearing, I've saved it then, it's gone again! I'm not proceeding with anything else until told to do so. Though I do hope to understand this soon and rectify its problems! Thanks again,

Hello RikCab, we ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible. Thank you for understanding. Regards, The weatherman (Moderator)

Thanks weatherman, I did just read about that while scanning another's post. I was going to make a note of it here, but you beat me to it, lol. I did try to edit m... Read more

Hello to any and all helpers,
I am new to this forum, so please help me follow the rules. I downloaded/ran the scans on the "new instructions" thing and will connect them to this post. 2 wks ago Friday I checked "the official" website of St. Exupery to see if one book was written before the other and up pops McAfee saying it identified 2 instances of the trojan named in the title of this thread. I was already late to class so I closed the window (IE7) and shut down the computer, hoping it would be better later (bad move!). When I got home.. I'm trying to remember, I believe the computer started up ok to run the scan; somewhere in that day I had to restart several times because it stalled (windows was open but wouldn't do anything). I did run the McAfee scan and delete the trojans, but my computer wouldn't restart fully until the next day, when I discovered that my internet connection would no longer work (it may not have been working right away, I'm sorry I don't remember). It said it was connected but no pages would load. Since then it has not worked, even though I tried to reconfigure the connection (and my IP address). I would say that this is a problem with the modem/router, but my bf's computer is connected to the same and it works fine (this is the computer I'm writing from btw, and he has no antivirus and is resolutely against it and so I can do nothing about it). I wanted to try to reestablish my internet connection before starting a thread so that I do... Read more


Hello, Exams+this :)
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it'... Read more

I have tried Norton AntiVirus and also Kaspersky's TDSSKiller and neither have found any Trojans. However, I know I have one because whenever I do a Google search the results pop up but when I click on something I get redirected to another website via Click.LiveSearchNow (the addresses usually aren't website names, they're random IP addresses to sites). I have attached my logfile from HijackThis below. Any ideas?
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:51:54 PM, on 11/25/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16455)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxi... Read more

A:Trojan / Rootkit - Click.LivesearchNow - Not Detected by Rootkit Removers

I'm going to try the Junkware Removal tool since I didn't have any luck with any of the other programs I've seen thus far. I will paste the log when I'm done per the instructions I saw in another thread (see below for those).

Shutdown your antivirus to avoid any conflicts.
Right-mouse click JRT.exe and select Run as administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message

Logfile of HijackThis v1.99.1
Scan saved at 2:37:34 AM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\OpenOffice.org1.1.3\program\soffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDO... Read more

A:first HJT log in a few months

Site looks great... But, when you put in OT at work and have a new born at home it's hard to visit your favorite forum.... I had a quicky for the group to help solve - a 3 parter.

1st part - create a user form to display xml data - what is the vba code to display an xml node in a user form text box.

2nd part - create a macro that, when run, captures the highlighted words in the current PPT slide then displays them in the VBA userform textbox.

3rd part - on the same userform create a button and code that when clicked will add the text from the "selected text" field then add it to the XML doc.

thanks in advance for the input,

This computer got a virus several months ago. It redirects the browser and doesn't allow me to do a lot of things, so I got frustrated back then and stuck it in the closet. I fired it up this morning, deleted a bunch of programs, and decided to give it another try. Here's the DDS Log:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Marc at 16:40:26 on 2012-06-18
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3006.1956 [GMT -7:00]
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe ... Read more

A:down for months

I know, being patient is one of the rules, so I apologize in advance. Maybe the title I chose, "down for months" gives the impression that I'm not too interested in resolving this issue - I don't know. I am very interested in getting help with this. I realize this is free voluntary help, and I appreciate that. I noticed that I've had 28 or 29 views, but no one has replied. I'm honestly not trying to seem impatient. Just curious that's all. I have no idea what's wrong with this computer, or how to read that DDS log. My concern is that, since there have been 29 views, I'm assuming those who do know how to read that log have looked at it and decided not to get involved, for whatever reason. If someone who reads the log and doesn't want to help could just leave me a reply saying, "You're screwed - your computer is now an anchor" that would be very much appreciated also.

Thanks again and sorry if I seem impatient. I'm not . . . much

Hello! I believe my computer has an infection, and I'm not sure what it is or how to get rid of it. Hopefully I have followed the log and posting instructions carefully as I would like to avoid any delays and try to resolve this as soon as possible.

What my computer is doing: It's slower than normal, but the big thing that seems to have started on Saturday 12/12/09 is that whenever I log into my eBay and PayPal account, the next page I'm directed to is a Fraud Prevention page asking me to submit a ton of personal and financial information, everything from my SS# to my ATM + PIN number. I am on the official eBay and PayPal website, it happens after I log in using my username and password, I see no way to skip it, and no way to get rid of it. This is NOT eBay or PayPal, it's absolutely fake, neither site would ask for such information, there are even spelling errors. You can view a screen shot of the page here: Screenshot of Fake eBay Fraud Prevention Page. Doesn't appear every single time, but often enough throughout the following day (today), at least 5-6 times out of 10. I have several eBay listings currently listed, eBay and PayPal are both important to me.

What I have done - my computer info: I'm running Windows XP, SP 3, Firefox browser, Dell desktop, wired DSL connection. Only things I have done "prior" to the logs and steps asked by BleepingComputer are: 1. ran a scan with Malwarebytes (4 objects found) 2. scanned with Avast antivirus (nothing found) 3. scanned... Read more

A:Rootkit infection - MBR Rootkit?? eBay & PayPal affected

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations: Link 1 Link 2 Link 3

Important! You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Make sure that you save ComboFix.exe to your Desktop. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow ... Read more

Yes, I've tried running almost every possible program in safe mode to remove this trojan, but every time I reboot I get either a continuous cycle of recurring blue screens that reboot the computer, or any time I try running a program a physical memory dump occurs and the computer restarts this way. I've been working on this for about 2 weeks now and it's really starting to get annoying. Please help.

A:Can't remove generic rootkit.d rootkit NTOSKRNL-HOOK

Hello and Welcome to TSF.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.


Please follow our pre-posting process outlined here:


After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

Earlier tonight, I was apparently infected with the above rootkit. I started to get Symantec AntiVirus notifications that downloaders were being deleted, and Windows Firewall kept popping up asking me if I wanted to block access to different nefarious items, the first being Rootkit.Win32.Agent.PP. I did a Google search for this and found this site, in particular, this page. I started to follow the instructions on this page, so I ran MalwareBytes, which found a rootkit, among other things. I also ran the TFC program mentioned next. I rebooted after each of these. However, before doing anything else, I stopped and read the preparation guide for this forum. I next ran DDS and RootRepeal and am attaching the log files to this post.

Before running MalwareBytes, I was getting frequent Symantec AntiVirus notifications, and frequent Windows Firewall notifications as mentioned above ("frequent" being 1 every minute or so). After running it and TFC, I have not gotten any more notifications. Upon reboot, though, Symantec AntiVirus reported that there were items it could not remediate after rebooting. So, I'm not entirely sure if I've gotten everything or not. I'm pasting my MalwareBytes log below, and then the DDS log. Thanks in advance for any help you can provide. Just to be safe, I am disconnecting my computer from the network tonight and will check any replies from another computer.

-----
MalwareBytes log:
Malwarebytes' Anti-Malware 1.43
Database version: 3485
Windows 5.1.2600 Service Pack... Read more

A:Rootkit infection (possibly Rootkit.Win32.Agent.PP)

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand corner ... Read more

Read other 11 answers

Currently system shows to have ntoskrnl-hook - generic rootkit.d!rootkit 5. The only AV that seems to detect it is McAfee. It states that it has removed it and it keeps coming back. System restore is off. The different scans I have run have seemed to take most of it out, but it just starts over and infects more. Below are the reports. Thanks for any and all help in advance. Below is DDS and I have attached the other DDS "Attach" and the RootRepeal report "ark".
DDS (Ver_09-07-30.01) - NTFSx86
Run by Bryan Miller at 20:30:32.37 on Tue 08/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.399 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Offi... Read more

A:Infected with ntoskrnl-hook - generic rootkit.d!rootkit 5

Hello. One of the infections is a rootkit.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has l... Read more

Read other 11 answers

I need help removing Generic Rootkit.d!rootkit from my computer using Windows 2000. My McAfee virus scanner is erasing it but it keeps coming back. I've tried to run McAfee in Safe Mode but it won't run. I've also tried to install and run Malwarebytes' Anti-Malware but it won't run. I was able to run Stopzilla in Safe Mode but it didn't do anything. Can't get PC Tools to run either.

Any help would be appreciated.

My other 2 laptops were infected also but they utilize Windows XP and I was able to get rid of this trojan/virus on those computers. Right clicked on My Computer and disabled system restore. Then ran Malwarebytes' Anti-Malware program which seemed to do the job.

Looking for something free to download and get rid of this.

Was afraid to try ComboFix.exe due to posts warning about this program

Read other answers

I've tried almost everything to get rid of this trojan and I always end up with one of two results. First, when the computer reboots it automatically reboots through a continuous cycle once it hits the Windows screen. Second, I log onto Windows and start to run a program, and a physical memory dump occurs. I also think my external hard drive has the virus on it, although none of the hundreds of virus scans I've completed show a virus on the drive. Please give me some insight on what to do. Thanks

DDS (Ver_09-07-30.01) - NTFSx86
Run by paul at 19:41:12.95 on Sat 08/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.527 [GMT 4.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\WINDOWS\system32\ZuneBusEnum.exe ... Read more

A:generic rootkit.d rootkit NTOSKRNL-HOOK problems

Hi there,

Looks a lot better, but lets run a few more checks.

1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


c:\program files\My-Proxy
c:\users\NetworkService\Application Data\lsptttiq

[HKEY_USERS\S-1-5-21-436374069-1715567821-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{52432C9E-AC35-115A-59A8-20D2B4352033}*]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.


Please download RegQuery by Noviciate to your desktop.
Copy the following registry key path by highlighting the text and pressing CTRL and C at the same time:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Double click RegQuery.exe to run the program.
Paste the text you have copied using CTRL and V into the textbox.
Cli... Read more

Read other 5 answers

Malware has been detected on my computer and I cannot seem to get rid of it. AdAware detected the rootkit specified in the post title, and what sound like radio ads are playing even when I have no programs running. I downloaded and ran the DDS program but the dds.txt file did not generate. The attach.txt file did generate but I can't attach it since I had to write this on my iPad (see below).
I'm trying to give as much information as possible, so here are two more issues that I believe are related:
1. IE was barraged with unrequested cookies from random websites until I changed the settings to reject all cookies. IE and Firefox also now take 1-2 minutes to load a page, and in some cases never load it. This is also what happened when I tried to submit this post from my computer (I'm now typing this on my iPad).
2. McAfee has blocked about 25 executions of svchost.exe as mass mailing worms. I can upload that log file if needed.
Please help me get rid of the malware on my computer, and adjust my settings to increase security and prevent future infections.
Thank you!

A:Rootkit detected [Rootkit.MBR.Mayachok.B (Boot image)]

Hello, I am a Computer Software Technician. I will help with your rootkit. There are a few different solutions to your rootkit. (I GAVE EXTRA INFO TO HELP YOUR COMPUTER SPEED INCREASE.)
1. Install and Run TDSS Killer (download from bleepingcomputer.com)
2. Install and Open MalwareBytes DO A THREAT SCAN (malwarebytes.org) download it from there and make sure you go into settings and then detection and protection and set it to scan for rootkits. Fix anything it finds. Restart computer. There are manual ways of removing viruses, but that I will not tell you. You can damage your computer. You have to be highly skilled to know what to delete.
3. Run Hitman Pro (download from surfright.nl) and delete what it finds and restart your computer. It will find what Malwarebytes did not. If anything was not found.
4. Download from bleepingcomputer.com AdwCleaner and run it and delete anything it finds. That will speed up your computer. Will delete adware and registry issues. Restart Computer
5. Download CCleaner free version from piriform.com. Run the cleaner and registry cleaner and delete everything it finds.
6. Click the Start Orb type run in the search box and click it. Type temp and clear everything out of that folder and then repeat opening run and type %temp% and delete everything in that folder. Run once more and type prefetch and delete everything in that folder. Restart computer. This will speed up your computer as well. MalwareBytes may hav... Read more

Read other 8 answers


I am here to ask for help with removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit infection that appears to be redirecting most browser search attempts indicating 'www.clickover.cn' within the url.

I have run DDS and included the resulting .txt and Attach as instructed.

Thank you for your support!


DDS (Ver_09-06-26.01) - NTFSx86
Run by Norm at 1:38:45.54 on Thu 07/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1287 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\p... Read more

A:Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and welcome to TSF!

Regarding the rootkit and backdoors in general:

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you wish to continue follow the steps below, otherwise let me know

We are going to start with Combofix.

Download and Run ComboFix

Note to readers of t... Read more

Read other 19 answers

64 bit, Windows 7

I was having issues with youtube. Streaming was very slow and would often times stop altogether. At first, I thought I had an issue with flash player and so I uninstalled it, installed it again, and checked on updates. I still had the same issues.

I ran Spyware Doctor and Malwarebytes to see if the issue was malware. Previously, when I ran either program, it would show a lot of infections, but now there were none. I then thought that it could be a browser issue so I downloaded Google Chrome. Though it downloaded, Google Chrome would not open any sites. I got an error code. This is what it says:

"This webpage is not available. The webpage at http://google.com/ might be temporarily down or it may have been moved permanently to a new web address. Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error."

It said a couple of times that I wasn't connected to the server, but to me that didn't make sense because I was online and surf the web with Firefox.

I downloaded other types of anti virus and malware programs to see if it would help. This is a list: spybots, ad aware, bitdefender, avg, kaspersky. None downloaded. I received messages saying that the files were corrupted. There would be a bunch of programs opening while doing this. They were moving so fast so I couldn't catch any of them.

I tried to do online scans. Those didn't work either. Same message.

I tried to download these programs in safe mode with networks. They did not download. I trie... Read more

Read other answers

Malwarebytes, and more specifically Malwarebytes Anti-Rootkit finds these two on every scan after a reboot, even though I clean 'em up:
Apparently they are some sort of registry keys, but I have no idea what is causing them on every restart (especially if the computer is connected to the internet).
I've struggled with this for months now, and I thought I had it fixed by resetting the router but apparently didn't solve it. So, the question goes: What is this, how do I fix it and what causes it?
(I've tried running the following programs and the problem still remains:
Malwarebytes anti-rootkit
Norton stuff
and few more.)
Much appreciated!

A:What is this? I've struggled with this for months now!

Welcome aboard.

MBAR fixes are not allowed in this forum so you need to get elevated help. Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Read other 1 answers

Got the blue screen while only reading a message board. Had problems with user acct so I made new one. Did a few scans on my own. Security message about setting for IE. Now got a message about illegal operation for something that was scheduled for deletion in system 86 when I tried to use IE or Chrome. I switched users to use IE.

A:Unbelievable! Third one hit in 2 months.

You may close this topic already received help.

Read other 1 answers


I have noticed that over time my computer has begun to run very slow, especially when I am on the internet. On many occasions I have had to stop loading the page to try it again, and I don't lose anything I was working on; it comes right back to the page. It has also been shutting down on its own, but once I reboot it does not do it again for a while. I have heard about P2P sharing and yes, I was one of the idiots who was involved in it. I was using LimeWire but have now removed it from my machine. If you could help me get my system up and running the way it should, I would greatly appreciate it.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Fred and Tiffany at 21:07:31.17 on Sat 07/18/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2494.1277 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService ... Read more

A:I post three months ago please help

Please read "Virus/Trojan/Spyware Removal Help" and follow the instructions very carefully; then, post all the requested logs and information in the Virus Help Forum

If you cannot complete any step, just miss it out and do what you can, but be sure to include this information in your post.
Please ensure that you create a new thread in the Virus Help Forum; not back here in this one.

Please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

Because of recent changes in the way malware affects the computer and the way it incorporates itself into the operating system we no longer allow users that are NOT a part of the security team to post a reply or fix to a users thread, nor to offer specific malware removal advice in any section of the forums.

Read other 5 answers

Hi, I'm coming here because every time I format my computer into Windows 7, it'll show up a BSOD of uncorrectable hardware error while playing games, but in this case, it's Grand Theft Auto - San Andreas.

Any ideas?

I tried replacing the hard drive, RAM, and updating my graphics card.

A:BSOD for over a few months

Quote: Originally Posted by Tony1990

Hi, I'm coming here because every time I format my computer into Windows 7, it'll show up a BSOD of uncorrectable hardware error while playing games, but in this case, it's Grand Theft Auto - San Andreas.

Any ideas?

I tried replacing the hard drive, RAM, and updating my graphics card.

Hello Tony & welcome,
If you are getting BSOD's & want them analyzed please follow the directions below -

To enable us to assist you with your computer's BSOD symptoms, upload the contents of your "\Windows\Minidump" folder.

The procedure:

* Copy the contents of \Windows\Minidump to another (temporary) location somewhere on your machine.
* Zip up the copy.
* Attach the ZIP archive to your post using the "paperclip" (file attachments) button.

To ensure minidumps are enabled:
** Until a .dmp file is generated, the Minidump folder may not exist.**

*Go to Start, in the Search Box type: sysdm.cpl Press Enter.
*Under the Advanced tab, click on the Startup and Recovery Settings... button.
*Ensure that Automatically restart is unchecked.
*Under the Write Debugging Information header select Small memory dump (256 kb) in the drop down box (the 256kb varies).
*Ensure that the Small Dump Directory is listed as %systemroot%\Minidump.
Reboot if changes have been made.

Read other 7 answers


Been meaning to write a note here for perhaps some tips and suggestions on what to do to get my 8.0 upgraded successfully to 8.1.

Months ago I was very excited to upgrade as I read of all the great improvements and now there is a note on line that 8.1 will get more upgrades in April.

So I got the banner across my desktop asking me if I wanted to upgrade so eventually I gave in and allowed the process to happen. I was very excited until the final reboot and well... I booted into a very grave mess.

I had NO background image, black screen. No task bar, no icons, only "a cursor in the dark" as I like to call it. Yea, I actually had a cursor I could move around and click but I couldn't "see" what I was clicking on. So upon trying what I could I called up Microsoft and after a while they asked permission to take over my machine and after 4 HOURS we both gave in and I had to do a full reinstall. At least the newer Windows saves all the older stuff in a Windows.old folder so not all was lost but enough to know I didn't want to go through that again.

Apparently the video drivers became corrupt along with Windows Explorer (that's what the MS tech was able to figure out). She was just as amazed as I was.

Anyway, I've laid off the upgrade again in hopes I could get here and ask what it was I should do before trying again? My video drivers are all up to date (as they were the day all that happened). The only thing I had running was the scrip... Read more

A:Tried and failed with 8.1 months ago

Have had mixed results with 8.1 here, had to revert to 8 on some laptops, am postponing any more upgrade until some time after 8.1.1 is out and has been discussed\reviewed.

But in all circumstances, IMO move nr1 in any upgrade process is to 1st do some good imaging (easeus here for xp\w7, macrium for w8).

Read other 9 answers

For around the past three months I have been getting the BSOD. I have changed HDs and reformatted twice to load the OS but still get this BSOD. What's strange is that the computer may work fine for days and then crash, or then start to crash over and over (reformat). I am getting tired of reinstalling the OS, so is there anyone here who can read these minidumps and maybe tell me what to look at first? Thanks.

A:BSOD 3 months

For some reason I can't read the minidump files. What errors are you getting when it bluescreens? When you format, are you using the XP format utility? If so, bad idea; XP does a very poor job at that. If you had OS problems before the format, you will more than likely have the same problems after the format.

Read other 19 answers

So what will happen with my:

Windows 8 Release Preview
Evaluation Copy. Build 8400

Is there a way to turn it from a preview into Windows 8 Pro?
Can I install over it? (and keep everything the way it is: programs, settings, etc.)
Can I continue to use it as a preview or will my computer evaporate into a cloud of smoke if I do that?

Read other answers

I'll start off with my specs: -
OS: Windows 7 Home Premium x64 SP1
CPU: Intel Core i5 4690K @ 3.5GHz (Replaced in Jan 2015)
RAM: 2 x 4GB sticks (replaced in March 2015)
Motherboard: ASUSTeK COMPUTER INC. Z87-A (SOCKET 1150) (Replaced in Jan 2015)
Graphics: 1023MB NVIDIA GeForce GTX 560 Ti (Came with computer in 2011)
Storage: 232GB Samsung SSD 840 EVO 250GB ATA Device (SSD)(Replaced in Aug 2014) and 298GB Western Digital WDC WD3200AAJS-22L7A0 (HDD)(Came with computer in 2011, used for storage)
PSU: Corsair CX750 (replaced in April 2015)
Had my computer since 2011 and it always worked perfectly. In August 2014 I upgraded to an SSD and put in a newer and better PSU as well as replacing the case. No issues with the PC at all and it ran perfectly. In Jan 2015 I had some spare cash and decided to upgrade the CPU and Motherboard. I took the PC to my local shop to have them install these new components for me. They tested it and re-installed Windows for me and gave it back. I leave my PC on overnight sometimes and when I'd wake up in the morning I'd see that the PC had crashed and restarted. I thought nothing of it and carried on like normal. After a week or two the PC started to crash during use when I was playing a game, browsing the internet or when it was idle. The error code was always 0x000000F4.
I took it back to the shop and they took a look at it and found no errors so they gave it back. As soon as I bro... Read more

A:BSOD for 5 months - F4 and 7A

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
- List last 10 Event Viewer log
- List Installed Programs
- List Users, Partitions and Memory size.
Click Go and paste the content into your next post.
Also... please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792 , taking care to post the link of the snapshot in your next post.

Read other 2 answers

Hello all. I have recently bought this laptop in February. In the past week it has decided to start crashing on me.... I am not using strenuous software, only YouTube, Microsoft Word and Google Chrome. It happens very randomly, the screen will freeze on the current page and then a buzzing noise for 10 seconds will follow. The noise will stop but the screen continues to stay frozen... Only resolved by holding the power button down as both mouse and keyboard are frozen/inactive. I have searched for solutions.... updating drivers.... reinstalling drivers.... scanning for viruses.... however nothing has come up or resolved this. I am in desperate need of the laptop at the moment due to University deadlines, however the freezing continues to hamper my progress, whilst losing work between saves. Any solutions would be much appreciated! Thanks in advance! P.S. I do have the HP 1 Year warranty, as well as a John Lewis 7 Year warranty.

Read other answers

About 6 months ago I was infected w Trojan/Vundo and the BC gang helped me get back on my feet. I ran ComboFix, use Ad-Aware, AVG, Malwarebytes, Spybot, Spyware Blaster.

I enjoyed 6 worry-free months and now I'm stuck again. Windows will not complete loading--freezes. I tried to use my windows recovery in safe mode and clicking "next" prompts no further action after I've chosen a previous date. I have done a HJT log in safe mode only.

Symptoms when windows was working still:

Google results were links to other ad sites.
IE would not allow me to go to BC.com and other helpful forums but would allow me to go to youtube, google, yahoo, etc.
Updating Ad-Aware, Spybot, and AVG was not allowed.
Malwarebytes would no longer load (would show to load in the Task Manager but nothing further.)

So I feel frustrated because I can't use any malware/virus programs to clean. And I can't load windows in anything but safe mode.

Any advice would be extremely appreciated. Thank you in advance!!

A:Seems Worse than 6 months ago

Hi and welcome back. I am sending you a private message with instructions. Please follow those first and then run Malwarebytes according to these instructions.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
-- MBAM may make changes to your registry a... Read more

Read other 12 answers

For a while I had no trace of BSOD (since 30 July). After a while (a few months) it occurs again; today I got the BSOD four times. I made a rar file of the minidump files. I think maybe the problem is the video card, but I don't know for sure. Please help somebody; blueelvis, I hope you can help me again. Thanks all for now.

A:BSOD again after a few months...

Yes, the video card drivers are the issue here. Please follow these instructions: atikmdag.sys error BSOD on startup [Solved] - Graphics Cards - Graphics & Displays

Read other answers

Hi all,

Never tried using a forum before so please excuse me if I do something wrong.
I'm desperate.
I built this PC with a little help from a computer savant. He helped me choose the pieces and I put it together. It's about 15 months old. Recently it fried the main SSD from which the OS booted (after 11 months of use). It was of course my fault for filling the SSD more than 80% (I have no computer certifications, I go by instinct most of the time and then learn the hard way) ... so it wouldn't surprise me if I have something to do with the computer failing so much now.
I've also had the feeling that my system has never really run at full potential.
I think my BIOS settings need seeing to as well. It's all on "default", when I think they can be tuned according to the components... but I don't know how to do that

Anyway, I'll do my best to answer and follow the guide you provide;

• OS - Windows 7
• x64
• What was original installed OS on system? Nothing, I built the tower from scratch
• Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? No, pirated version of Windows Ultimate 7
• Age of system (hardware) 15 months
• Age of OS installation - have you re-installed the OS? Twice, because fried the SSD in January-ish this year

• CPU AMD Phenom II X4 980 Quad-Core Black Edition 3.70 GHz
• Video Card AMD Radeon HD 6800 Series
• MotherBoard Asus M5A88-M EVO AM3+
• Power Supply - brand &... Read more

A:50 or so BSODs in the last 2 months

Welcome to TSF!

• Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? No, pirated version of Windows Ultimate 7

We're not allowed to help with illegal software here as per the TSF Rules:

You may not ask for assistance with any deemed illegal activities such as but NOT restricted to the following::

software pirating

When you have a legit version of Windows installed, please return and start a new Thread if you still have problems.


Read other 1 answers

I had to shut down my ISP, laptops cannot use and even my iPhone was told by Apple to turn off and contact authorities. Nobody seems to want to help. I have been cut off. I have a new cell phone but it is already giving me problems and am using my hot spot right now. Please please tell me what is going on.
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537
Run by CASEY J at 2:35:50 on 2015-03-29
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3986.2291 [GMT -4:00]
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

A: Please help!!! I have been trying to fix for over 2 months. Have lost everything

# AdwCleaner v4.113 - Logfile created 29/03/2015 at 03:43:36
# Updated 22/03/2015 by Xplode
# Database : 2015-03-28.1 [Server]
# Operating system : Windows 8  (x64)
# Username : CASEY J - KCHP
# Running from : C:\Users\CASEY J\Desktop\AdwCleaner.exe
# Option : Cleaning
***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****
-\\ Internet Explorer v10.0.9200.16537

AdwCleaner[R0].txt - [679 bytes] - [29/03/2015 03:28:15]
AdwCleaner[S0].txt - [607 bytes] - [29/03/2015 03:43:36]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [665  bytes] ##########


As the subject line implies, I've now had 2 HD crashes in 4 months. I'm running a Lenovo PC with SATA drives. Here's the thing...both times it was my secondary drive. The original drive is fine...so far.

The first time this happened, I had 3 drives hooked up. My C drive, a 2nd drive connected to the SATA connection on the MB, and then I had an external drive enclosure (USB). First, the drive in that enclosure stopped. The bios could find no sign of it, even when I connected it directly to the MB. It will spin for a few seconds and then stop.

The second time this happened (today), the drive was my 1T Seagate that is relatively new. I had earlier performed a Photoshop batch script that adjusted about 700 photos on that drive. All went well. An hour later, I got a BSOD. I allowed Windows to perform the startup thing (I forget exactly what it said) and it couldn't because it could not access the drive. Every time I would try to start the PC, it would go BSOD, until I disconnected that 2nd drive. Then the PC started right up... no problems. Tried connecting the 2nd drive again and it can't see it. The drive spins up but can't be found.

So my question is, could the onboard controller, or something else (power supply?) be causing this, or is it simply a coincidence that I've lost 2 drives in 4 months? I don't think I've lost 2 drives in the previous 10 years.

Ideas? Thanks in advance....

A: two HD crashes in 4 months?
