
Infected with multiple win32.delf.uc and win32.TDSS.rtk

Q: Infected with multiple win32.delf.uc and win32.TDSS.rtk

Hello everyone and thank you. I've run Malwarebyte's Antispyware, AVG8 and Spybot S&D, but these 2 trojans are still present. I've also done the scans in safe mode, all the same results. Whenever Spybot finishes scanning, tons of TeaTimer windows show up giving me prompts called "SpybotDeletingXXXX". I then run HijackThis and remove the entries associated with that name. Upon a reboot, both the trojans are back and nothing seems to have worked. Here's the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Lucas at 13:20:06,32 on 07-04-2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.799 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~2\AVG\AVG8\avgrsx.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~2\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe C:\WINDOWS\TEMP\VRT20.tmp
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~2\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbama.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Lucas.PEDRO-617A9B4C5\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [Start WingMan Profiler]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4487b267-7fa7-fb7b-d7c4-b95d4f3e6dbd}: {dbd6e3f4-d59b-4c7d-b7bf-7af7762b7844} - c:\windows\system32\draeoo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lucas~1.ped\applic~1\mozilla\firefox\profiles\a2bchh3w.default\
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\lucas.pedro-617a9b4c5\application data\mozilla\firefox\profiles\a2bchh3w.default\extensions\[email protected]\plugins\npiaplayer.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-10 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-10 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-10 107272]
R1 synsend;synsend;\??\c:\windows\system32\drivers\synsenddrv.sys --> c:\windows\system32\drivers\synsenddrv.sys [?]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~2\avg\avg8\avgemc.exe [2008-9-10 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~2\avg\avg8\avgwdsvc.exe [2008-9-10 298264]
R2 DhcpSrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-6 214016]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-30 55152]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-9-9 37376]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-6 38496]
S2 gupdate1c988c189e73e0e;Google Update Service (gupdate1c988c189e73e0e);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
S3 at1394;at1394;c:\windows\system32\at1394.sys [2008-4-14 2304]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [2005-11-22 45056]
SUnknown qqzogxyuinbj;qqzogxyuinbj; [x]

=============== Created Last 30 ================

2009-04-07 12:44 230,400 a------- c:\windows\system32\w.exe
2009-04-07 12:44 211,456 a------- c:\windows\system32\tpszxyd.sys
2009-04-07 12:44 194,048 a------- c:\windows\system32\afisicx.exe
2009-04-07 12:44 8 a------- c:\windows\system32\comsa32.sys
2009-04-07 12:43 208,744 a------- c:\windows\system32\muweb.dll
2009-04-07 12:43 69,765 a------- c:\windows\system32\drivers\str.sys
2009-04-07 12:43 35,328 a------- c:\windows\system32\reader_s.exe
2009-04-07 12:43 35,328 a------- c:\documents and settings\lucas.pedro-617a9b4c5\reader_s.exe
2009-04-07 12:43 80 a------- c:\windows\system32\21.tmp
2009-04-06 21:17 <DIR> --d----- c:\windows\ERUNT
2009-04-06 21:06 <DIR> --d----- C:\SDFix
2009-04-06 16:19 5,784 a------- c:\windows\wininit.ini
2009-04-06 15:37 <DIR> --d----- c:\docume~1\lucas~1.ped\applic~1\Malwarebytes
2009-04-06 15:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 15:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 15:31 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-04-06 06:23 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-06 06:22 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-06 06:22 20,480 a------- c:\windows\system32\AUTMGR.EXE
2009-04-06 06:22 989,696 a------- c:\windows\system32\kernel32_check.dll
2009-04-06 06:22 10,240 a------- c:\windows\system32\Packer.dll
2009-04-06 06:22 24 a------- c:\windows\system32\tcpd.dll
2009-04-06 06:22 9 a------- c:\windows\system32\iphy.dll
2009-04-06 06:22 3 a------- c:\windows\system32\fhpatch.dll
2009-04-06 06:22 0 a------- c:\windows\system32\fiplock.dll
2009-04-06 06:22 <DIR> --d----- c:\windows\system32\3361
2009-04-06 06:22 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-06 06:22 <DIR> --d----- c:\windows\dhcp
2009-04-06 06:22 <DIR> --dshr-- c:\program files\ThunMail
2009-04-06 06:21 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-04-06 06:21 21,704 a------- c:\windows\system32\vv.exe
2009-04-05 12:39 99,840 a------- c:\windows\system32\mcjufbop.dll
2009-03-30 08:18 <DIR> --d----- c:\documents and settings\lucas.pedro-617a9b4c5\Tracing
2009-03-30 07:55 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-30 07:54 55,152 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-30 07:53 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-03-30 07:51 <DIR> --d----- c:\program files\Microsoft
2009-03-30 07:51 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-30 07:45 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-27 23:12 <DIR> --d----- c:\program files\Steam
2009-03-27 22:27 <DIR> --d----- c:\program files\Garena
2009-03-27 21:50 <DIR> --d----- C:\L4d
2009-03-25 00:04 <DIR> --d----- c:\program files\StepMania CVS
2009-03-24 23:12 <DIR> --d----- c:\windows\Left 4 Dead
2009-03-24 23:12 <DIR> --d----- c:\program files\Left 4 Dead
2009-03-23 12:05 <DIR> --d----- c:\program files\mIRC
2009-03-23 12:05 <DIR> --d----- c:\docume~1\lucas~1.ped\applic~1\mIRC
2009-03-22 23:09 <DIR> --d----- c:\program files\Bits N Bytes
2009-03-21 19:15 <DIR> --d----- c:\windows\osu!
2009-03-21 19:15 <DIR> --d----- c:\program files\osu!
2009-03-20 14:43 <DIR> --d----- c:\program files\Core Services
2009-03-12 12:30 28 a------- c:\windows\Robota.INI
2009-03-12 12:30 <DIR> --d----- c:\docume~1\lucas~1.ped\applic~1\MAGIX
2009-03-12 12:30 420,240 a------- c:\windows\system32\mpg4c32.dll
2009-03-12 12:30 309,616 a------- c:\windows\system32\wmv8dmod.dll
2009-03-12 12:30 245,760 a------- c:\windows\system32\mp4sds32.ax
2009-03-12 12:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\MAGIX
2009-03-12 12:28 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-03-12 12:28 <DIR> --d----- c:\program files\MAGIX
2009-03-12 12:28 700,416 a------- c:\windows\system32\mgxoschk.dll
2009-03-12 12:28 5,937 a------- c:\windows\mgxoschk.ini
2009-03-12 12:28 <DIR> --d----- c:\windows\system32\MAGIX
2009-03-12 09:04 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ALM
2009-03-12 08:50 45,392 a----r-- c:\windows\system32\AdobePDF.dll
2009-03-12 08:50 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-03-11 00:22 <DIR> --d----- c:\program files\SilentMusicBand
2009-03-10 13:51 <DIR> --d----- c:\program files\Bulk Rename Utility
2009-03-08 23:43 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-08 23:43 <DIR> --d----- c:\program files\MSECACHE

==================== Find3M ====================

2009-04-06 10:32 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-16 15:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 15:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 15:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 15:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 16:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 16:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 16:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-01 21:33 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-03-01 21:33 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-31 16:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-31 10:41 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-14 06:46 11,591,680 a------- c:\windows\system32\atioglxx.dll
2009-01-14 05:53 286,720 a------- c:\windows\system32\atiok3x2.dll
2009-01-14 05:49 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2009-01-14 05:47 323,584 a------- c:\windows\system32\ati2dvag.dll
2009-01-14 05:36 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-01-14 05:36 151,552 a------- c:\windows\system32\Oemdspif.dll
2009-01-14 05:36 45,056 a------- c:\windows\system32\Ati2mdxx.exe
2009-01-14 05:35 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-01-14 05:35 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-01-14 05:34 618,496 a------- c:\windows\system32\ati2evxx.exe
2009-01-14 05:32 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-01-14 05:22 4,009,152 a------- c:\windows\system32\ati3duag.dll
2009-01-14 05:05 2,500,224 a------- c:\windows\system32\ativvaxx.dll
2009-01-14 04:50 48,640 a------- c:\windows\system32\amdpcom32.dll
2009-01-14 04:45 401,408 a------- c:\windows\system32\atikvmag.dll
2009-01-14 04:44 110,592 a------- c:\windows\system32\atiadlxx.dll
2009-01-14 04:44 17,408 a------- c:\windows\system32\atitvo32.dll
2009-01-14 04:37 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-01-14 04:37 577,536 a------- c:\windows\system32\ati2cqag.dll
2009-01-14 03:36 45,056 a------- c:\windows\system32\amdcalrt.dll
2009-01-14 03:36 45,056 a------- c:\windows\system32\amdcalcl.dll
2009-01-14 03:34 3,227,648 a------- c:\windows\system32\Amdcaldd.dll
2009-01-13 22:05 614,400 -------- c:\windows\system32\ati2sgag.exe

============= FINISH: 13:20:44,00 ===============

I can also provide Hijackthis logs if needed. Thanks!


A: Infected with multiple win32.delf.uc and win32.TDSS.rtk

Hello, lucasf

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.

If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.

Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.

Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

I have a suspicion that you are infected with Virut based on one of the files present on this machine. To make sure this suspicion is correct, please do the following:

Kaspersky Scan

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under select a target to scan: Select My Computer.
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

Read other 2 answers
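A triage pass over the DDS log posted in the question, as an added example (not part of the original thread and not a DDS or Bleeping Computer tool). It flags process and service images that use a core Windows file name outside its usual Windows XP directory, service entries where DDS printed `[?]` or `[x]` instead of a date and size, and minutes in which several executables appeared in system32. The heuristics, the threshold of three and all function names are assumptions of this example, and hits are leads for review, not verdicts.

```python
import ntpath
import re
from collections import Counter

# Constructed excerpt: lines copied from the DDS log in the question, trimmed.
DDS_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-10 107272]
R1 synsend;synsend;\??\c:\windows\system32\drivers\synsenddrv.sys --> c:\windows\system32\drivers\synsenddrv.sys [?]
R2 DhcpSrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-6 214016]
SUnknown qqzogxyuinbj;qqzogxyuinbj; [x]

=============== Created Last 30 ================

2009-04-07 12:44 230,400 a------- c:\windows\system32\w.exe
2009-04-07 12:44 211,456 a------- c:\windows\system32\tpszxyd.sys
2009-04-07 12:44 194,048 a------- c:\windows\system32\afisicx.exe
2009-04-07 12:43 35,328 a------- c:\windows\system32\reader_s.exe
2009-04-06 21:06 <DIR> --d----- C:\SDFix
2009-04-06 15:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 15:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 12:28 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-03-12 12:28 700,416 a------- c:\windows\system32\mgxoschk.dll
"""

# Assumption: default Windows XP locations of these system binaries.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(\S+) ([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")

def split_sections(log):
    """Map each '==== Title ====' header to the non-empty lines under it."""
    sections, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def misplaced(text):
    """True if text names a known system binary with a full path in the wrong directory."""
    ext = re.search(r"(?i)\.(exe|sys|dll)\b", text)
    if not ext:
        return False  # DDS sometimes prints no extension or no path at all
    directory, base = ntpath.split(text[:ext.end()].strip().lower())
    expected = EXPECTED_DIR.get(base)
    return bool(directory) and expected is not None and directory != expected

def triage_services(lines):
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, info = m.group(2), m.group(5)
        path = m.group(4).split("-->")[-1].strip()  # keep the resolved path
        if info in ("?", "x"):
            findings.append((name, "no file date/size reported"))
        if misplaced(path):
            findings.append((name, "system file name outside its usual directory"))
    return findings

def creation_bursts(lines, threshold=3):
    """Minutes in which at least `threshold` executables were created in system32."""
    per_minute = Counter()
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        directory, base = ntpath.split(m.group(4).lower())
        if directory in SYSTEM_DIRS and base.endswith((".exe", ".sys", ".dll")):
            per_minute[m.group(1)] += 1
    return sorted(minute for minute, n in per_minute.items() if n >= threshold)

def triage(log):
    s = split_sections(log)
    return {
        "processes": [p for p in s.get("Running Processes", []) if misplaced(p)],
        "services": triage_services(s.get("SERVICES / DRIVERS", [])),
        "bursts": creation_bursts(s.get("Created Last 30", [])),
    }

if __name__ == "__main__":
    for kind, hits in triage(DDS_LOG).items():
        print(kind, hits)
```

The two-file bursts in the excerpt (the Malwarebytes drivers and the MAGIX DLLs) stay below the threshold, which shows how the count separates a small installer drop from a larger one without proving either is benign.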

Hi, here is my problem. Every time I download some movies or other things by opening my computer overnight, it must pop out an error window said:- C:\Documents and setting\KkianN\Desktop is not accessible. Not enough quota is available to process this command. The icons only left on my screen were My computer, my network places and Internet explorer. When I refresh my computer, it came out the same message again. (This problem occurred when I opened my computer overnight by using Thunder5 this software to download things.) When I tried to shut down, a message said You do not have permission to shut down this computer. When I tried to use windows task manager to shut down, once I click Ctrl+Alt+Del, an application error message came out said:- This application failed to initialize properly (0xc000012d). Click on OK to terminate the application. Then I just can reset my computer.

Actually I have posted in BleepingComputer.com > Security > Am I infected? What do I do? there. Then I followed the instruction in "Preparation Guide For Use Before Posting A Hijackthis Log". Unfortunately, I can't finish all the steps there. For step 4, I can't remove win32.generic.pws, win32.trojan.psw.delf and Win32.trojan.pws.onlinegames by using Ad-aware 2007. While scanning by using spybot, it stuck while scanning. After that suddenly pop out a window said:- Spybot-Search and destroy has detected an important registry entry that has been changed. Category: System Startup global entr... Read more

A:Infected With Dropper.agent,logger.pcap.a,win32.generic.pws,win32.trojan.psw.delf And Win32.trojan.pws.onlinegames

Hello, I had reformatted my computer since it could not open and stuck in the welcome window few days ago. So, now my computer is alright..thanks for viewing and trying to help me to fix the problem.

Read other 1 answers

Hello, I was told to post here by the moderator. Here's the scoop: I was infected with a virus and didn't have any protection on my PC. I went out and bought Kaspersky Internet Security 2009. My original problem was that the virus was not allowing me to surf the internet without popups and redirects. After running the Kaspersky software it cleaned up a bunch of issues but has gotten to a point where it cannot clean the last two issues. It recognizes them and marks them for deletion but asks me to reboot in order to delete. After I reboot it just finds the viruses again and I repeat the process endlessly.

I went through some troubleshooting steps with a Kaspersky rep and she decided that she had exhausted all options and asked me to format the computer. That is not an option and I don't believe that there is no hope of cleaning the virus. I am in need of someone with a little more expertise and vigilance.

The two issues are described below as listed by the Kaspersky software:
1. Trojan-Cliker.win32.delf.cbe - Object: C:\windows\system32\gznvqkei.dll
2. Rootkit.win32.Podnuha.a - Object: System Memory

When I try to manually delete the gznvqkei.dll file I get an "Access Denied" error.

The Kaspersky rep did have me run the combofix software but it did not solve the issue. She had me run a custom script from within the AV software that was designed to delete the troubled files to no avail. She also had me create a boot disk but when using the boot d... Read more

A:2 Infected - Rootkit.win32.Podnuha.a and Trojan-Cliker.win32.delf.cbe

Hello dmacc01.

If you still have the same issues, you may consider the following. But first, be absolutely aware that having the system without an antivirus program is an extremely dangerous thing.

Let's have you create a restore point (at this time).

1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. If there is a check mark next to "Turn off System Restore on all drives", then click on the line to clear it.
4. If C is your system drive (as it is in most cases) and you see other drives monitored in the list (like D, E, etc) click on the other drives, press Settings button, and get the other drives turned off.
5. We only want to monitor the drive with Windows o.s.

If you are unable to activate System Restore or if the service is disabled, then..... from the Start button > RUN option .... type in services.msc
Look for System Restore service.
If it is listed as off or inactive, press on the link at top left to Start it.

Next, see and do as outlined here http://bertk.mvps.org/html/createrp.html

After that, also do this:

1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT... Read more

Read other 4 answers

Hello, I was infected with a virus and didn't have any protection on my PC. I went out and bought Kaspersky Internet Security 2009. My original problem was that the virus was not allowing me to surf the internet without popups and redirects. After running the Kaspersky software it cleaned up a bunch of issues but has gotten to a point where it cannot clean the last two issues. It recognizes them and marks them for deletion but asks me to reboot in order to delete. After I reboot it just finds the viruses again and I repeat the process endlessly.

I went through some troubleshooting steps with a Kaspersky rep and she decided that she had exhausted all options and asked me to format the computer. That is not an option and I don't believe that there is no hope of cleaning the virus. I am in need of someone with a little more expertise and vigilance.

The two issues are described below as listed by the Kaspersky software:
1. Trojan-Cliker.win32.delf.cbe - Object: C:\windows\system32\gznvqkei.dll
2. Rootkit.win32.Podnuha.a - Object: System Memory

When I try to manually delete the gznvqkei.dll file I get an "Access Denied" error.

The Kaspersky rep did have me run the combofix software but it did not solve the issue. She had me run a custom script from within the AV software that was designed to delete the troubled files to no avail. She also had me create a boot disk but when using the boot disk it does not recognize my hard drive so ... Read more

A:2 Infected - Rootkit.win32.Podnuha.a and Trojan-Cliker.win32.delf.cbe

Probably your best chance is to submit a HJT log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another r... Read more

Read other 3 answers

According to AVG I'm infected with Clicker.AAFT which appears as c:\windows\fonts\services.exe. Task Manager always has at least 2 of these additional services.exe running.

I used to have Norton antivirus running but the virus broke it and I couldn't re-install it. I bought the Kaspersky Labs virus scanner but that too would not install. It looks like this virus has changed the "rights" of some objects. The only virus scanner that would install and work was AVG.

I tried to re-install service pack 3 thinking it would possibly overwrite some of the virus infected files but I got an "access denied" when I tried to start installing... ARRRRRRRGGGGHHHH!!!!

Any help would be much appreciated!

/Blair

Here's my DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Blair at 15:18:10.15 on 2009-07-11
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2127 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\sv... Read more

A:Infected with Clicker.AAFT Win32.Delf.rtk Win32.Agent.atta

I just noticed that I'm also infected with Virtumonde in
C:\WINDOWS\system32\sopidkc.exe

/Blair

Read other 15 answers

Problems:
1) I keep getting pop-up and sometimes links redirect me to other sites, often ads.
2) It makes my computer slow down drastically: Windows crashes most of the time when I change user and the gmer scan crashed 5 times before I could get it done.
3) One pop-up in particular (that would be the trojan clicker) tries to lure me to download an antivirus because it simulates the window control panel so that I think it's windows that's asking me to download an antivirus.

What I've already done:
1) Nod32 alerts me that there's a trojan every 10min but when I put in quarantine the trojan seems to duplicate and the alerts just keep coming.
2) I scanned with: Ad-aware, spybot: search and destroy, doctor web (in safe mode), malwarebytes anti-malware, nod32. It did a full scan with each.
3) When I scanned with spydoctor in safe mode it crashed at the end and two infections could not be treated: C:/program files/eset/infected (quarantine of nod32) and c/documents and settings/username/local settings/Anplic/mozilla/firefox/profiles/2cpk5271.default/cache
4) After the spydoctor scan nod32 detected a second infection (Olmarik) and nod32 can't get rid of it.

Logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gilles at 18:47:41,28 on lun. 26/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.32.1036.18.2030.1342 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D3... Read more

A:Infected with win32/Olmarik.VM Patched and Win32/TrojanClicker.Delf.NJE

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Read other 2 answers

OK. Normally I go to Google and read past Bleeping Computer related topics to the three viruses I listed in the topic, or for anything. But this crap takes the cake. I've never dealt with garbage like this.

I just moved into a new neighborhood, and have been looking for an unsecured internet for a while. Someone just brought one online Friday. But when I connected to it (which it's what I'm connected to now) Trojans started popping up out of nowhere. I've run Hijackthis and SDfix and will put the logs at the bottom. SD Fix seems to find the viruses, but cannot delete them properly. It'll find them, delete them, then list hidden attributes, which are still viruses, and not delete them. These little buggers are tricky.

So if someone could please help me out here. It keeps trying to send mass loads of spam mails. I've also reformatted about 4 times now. It's giving false positives in the task manager running processes. svchost, IEXPLORER (listed under system, it's supposed to be listed under HP_Owner for me, not to mention it's in caps), random charactered trojans that Google has no info on, winlogin.exe is all messed up. My LoginUI won't work properly anymore, and all of them are listed as exe in places they shouldn't be. Anyways here's the logs, I'm gonna TRY to play some runescape while I wait for an answer.

One more thing, computer is running slow, don't know if I can run spybot or counterspy again. LOL speaking of which Counterspy's Safe mode scan won't even run. PERIOD. So yeah:
Edit. Runn... Read more

A:Infected with PWS.LDPinchIE, Win32.Delf.uc, Win32.Agent.pz

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTListIt2 Report

Please download OTListIt2 from here.
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the "Run Scan" button.
The scan should take just a few minutes.
Copy the log that opens up and paste it back here in your next reply.

=============

The next log will show us any hidden files that are present.

Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Read other 1 answers

I have tried to scan computer with Spybot S&D, Ad-Aware, and AVG 8.0 but nothing changes. Please can anybody help me?
DDS (Ver_09-07-30.01) - NTFSx86
Run by Issi ja Inno at 19:28:12,59 on L 08.08.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1257.372.1033.18.511.290 [GMT 3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Live\Mess...

A:Infected with Win32.Delf.uc , Virtumonde.sdn, Win32.Viru.bg

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Hi I have been overrun with adware etc in the last month or so. Have run through the steps in your preparation guide. Any help much appreciated.
Thanks
Dave

Logfile of HijackThis v1.99.1
Scan saved at 12:59:22, on 16/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files...

A:Infected With Win32.delf.trojan.b And Win32.centim

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Please click: Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:
Daily Weather Forecast
Then reboot your computer.

Step #2
Scan again with HijackThis and check the following items:
O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~2.DLL (file missing)
O2 - BHO: metaspinner GmbH - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL (file missing)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3
We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #4
Reboot Your System in Safe Mode:
Restart the computer.
As s...


I tried posting a log for the Win32/Patched.dx, but couldn't. I pm'ed an admin, and he said that I was infected with TDSS, and should post here that I couldn't post the logs.

A:Infected with multiple things: Win32/Patched.dx and TDSS at least.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for postin...


The infections have prevented Symantec from working, lavasoft adaware, redirects on the internet. Ran Spybot and Malwarebytes in safe mode removed what was found and still the problem exists. Ran spybot again in normal mode and both infections came back. Seems to be messing with my network authentications also. I uninstalled adaware and reinstalled it tried to run it and it crashed the program and now it won't work again.
DDS Log:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by mtalcott at 11:32:50 on 2011-09-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1285 [GMT -6:00]
.
AV: Windows System Defender *Enabled/Updated* {7ECB290C-0906-4B45-B485-362D38525C52}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Windows System Defender *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe...

A:PC is infected with Win32.AVKillsvc.e and Win32.Delf.uc

Hi, Welcome to Bleeping Computer.
My name is Shannon and I will be working with you to remove the malware that is on your machine.
I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -
We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL Report
Please download OTL from here:
Main Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "Use SafeList"
Push the button.
Two reports will open, copy and paste them into your reply:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

Please note: You may have to disable any script protection running if the scan fails to run. After down...


A few days ago the Win32 Heur was showing up on my AVG8 Free software. It is also coming up with a trojan horse rootkit-pakes. Today I did a scan on Spybot and it failed to remove Win32.fraudload.net, Win32.TDSS.rtk & Win32.TDSS.reg. In addition to that I read on a forum to download Registry Easy and I did a scan and fix through that. It stated all the relevant issues had been resolved. But as I mentioned Spybot comes up with those 3 Trojans still. So I have these 5 issues, there is probably more. But I would appreciate if you can help.

Here is a copy of my log HiJackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:42, on 31/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome...


My computer is infected with Win32.Trojan.Tdss and Win32.TrojanDownloader.Agent. I've been trying to remove them with Ad-Aware but they re-install themselves. I've downloaded numerous other malware removers but the malware seems to disrupt / won't allow them to install or work. This includes the root repeal program mentioned in the preparation guide. When I attempt to run root repeal I get the following error:

04:03:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)
04:03:06: DeviceIoControl Error! Error Code = 0x1e7
04:03:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d8)

The most annoying thing that is happening is when I go to google something, it will redirect me to somewhere else or will throw random pop-ups at me every now and then. Also, I tried to reformat / re-install a fresh copy of Windows Vista but it seems this piece of malware makes it impossible to boot from disk.

Thank you in advance for your assistance!

Attached below is my dds.txt log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Jeff at 3:59:19.84 on Fri 08/28/2009
Internet Explorer: 7.0.6000.16890
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.1362 [GMT 9:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\...

A:Infected With Win32.Trojan.Tdss and Win32.TrojanDownloader.Agent

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


My Avast antivirus recently started detecting a whole host of viruses. I ran a thorough scan of all files and deleted every infected file until the scanner turned up a hit in the operating memory. It then suggested I run a boot sector scan - I did so. Upon rebooting Avast started detecting more viruses. This time I rebooted into Safe Mode and ran the scanner there, deleting everything I found. Apparently one of the files I deleted was important, because after that my computer Blue-Screened during boot-up and I had to do a system restore to a save point from a few days ago (before the virus was contracted). Since then the virus has continued to crop up, and I haven't the foggiest notion of how to get rid of it.

The title is a list of the virus descriptions that my Avast scanner gave me. I ran all the programs the walkthrough on this site instructed me to, but the RootRepeal program crashed and generated an error message and crash report, both attached (error message in .png image format - I took a screenshot of it).

Thanks for your help!

__________________________________________________________________________________
DDS (Ver_09-12-01.01) - NTFSx86
Run by Bryan at 18:56:06.09 on Wed 12/02/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1546 [GMT -5:00]
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32...

A:Infected with js: downloader-FT Win32:Banload-GLR Win32:Malware-gen Win32:Refpron-AW Win32:Rootkit-gen Win32:VB-NWC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Hi,
Please help me in getting rid of the pop ups which keep coming up.
trojan downloader win32 agent bq
trojan clicker win32 tiny h
trojan spy win32 key logger.aa
trojan spy win32 green screen
trojan spy html bankfraud.dq

HijackThis log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:40, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Pac...

A:Infected With Trojan Clicker Win32 Tiny.h / Downloader Win32 Agent Bq / Spy Win32 Key Logger.aa/spy Win32 Green Screen / Html B...

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Please also post the problems you are having.


Hello,
My computer became infected last night, and it's pretty bad. I became infected with Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more). Long story short, I'd just watched Harry Potter on DVD, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.

The virus listed by Defender was Trojan:Win32/Alureon.BT. Avast listed Win32:Jifas-CY, I didn't get the others in time.

The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.

I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since Windows now thinks I have no anti-virus installed.

All of these trojans are listed as "server" and "high risk." I'm not sure a root kit didn't try to make its way in too.

EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The Viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the Viruses we...

A:Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t

Hello again.
I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite it says when you log into the limited user account). The computer (and specially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?

Should I scan from a Pre-install environment like BartPE? Or from the Regular "Owner" Admin account? I waited 2 days for the stupid program to scan 700gb (painfully slow for a quad core, though to be expected in safe mode), and it was useless.

Other than running Windows Defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIT and Combofix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.

Does no one have any ideas???


Hello,
Please help if you can.

I ran free Avast! version 5.0.677 on my Windows XP desktop computer (Pentium 4, 1.5 Ghz CPU, 1 gb ram), and came up with the following virus warnings. Unfortunately the Avast! software internal tools to remove it are grayed out and not functioning. I tried a couple of things to remove viruses from help online and then realized I was in way over my head. I found this forum and am now requesting help.

Avast! says I am affected with:
JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and Win32:Virut

Attached a screen shot of Avast! with viruses and partial path to them.

Computer's Symptoms (not sure if these are all due to old slow processor or malware):
Computer is freezing often;
When it is in sleep mode it is turning itself on;
Seems to be downloading stuff often and slowing down;
Monitor is going black forcing reboots often;
Couple weeks back I began getting floating ads that pop up when browsing online;
I get an error message daily that says AdAware has shut down unexpectedly, do I want to send a report? I have been ignoring this, not knowing if it was important, been several weeks.

Ok, I think that is all I can think of to share. Please help if you can. I appreciate it.

Thanks,
Dancer

~~~~~~~~~~
DDS (Ver_10-03-17.01) - NTFSx86
Run by ljk at 15:52:28.93 on Mon 09/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.102...

A:Please Help ~ Infected with JS:Downloader-AT, Win32:Nimda, Win32:Small-GWM, Win32:VB-EIJ, Win32:WinSpy-CK, JS:ScriptSH-inf, and...

Hello, and to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.

Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

I ask that you please refrain from running tools other than those I su...


Today, while attempting to open Mozilla Firefox, I received a message stating an error had occurred.

Also, when opening the task manager, I received another error message. I had to restart my computer to fix this.

So I ran Spybot SD, ran a check, and Win32.Delf.uc that Spybot SD claims to be a Trojan. I'm sure that after deleting this it would come back after a startup.

I have no idea how this occurred, can anyone here please help me?

Thank you.

A:HELP! I've been infected with Win32.Delf.uc!

http://www.bleepingcomputer.com/forums/ind...t&p=1097365
Would you run MBAM, pay special attention to directions regarding teatimer


Hey,

I have spybot on my computer and it found 101 entries of this Win32.Delf.uv. I had spybot fix the problems but I just want to make sure everything is gone before I install my antivirus

Here are the logs
.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by depot at 18:18:17 on 2012-05-20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1654 [GMT -10:00]
.
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system...

A:Infected with Win32.Delf.uv

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:...


Hello, I've been getting alerts through avast of this trojan a few minutes after startup. I delete or quarantine the files I can, just so I can continue to the next task. The trojan alerts happen sporadically, usually when I use Myspace or Roxio Media Center. I've run Combofix and have the log upon request. I've also run HijackThis but after the fact. Need some assistance making heads or tails of the information. Thank you.

A:Infected With Win32:delf-idw [tri],

Hello Imperator and welcome to BC

Sorry for the delayed response. We are all volunteers here and sometimes things slip past us.

"I've run Combofix and have the log upon request"

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

------------------

In order to provide you with the proper disinfection instructions, we need a bit more information.
What is your operating system: Windows XP, Vista, etc.?
What security programs besides Avast do you have installed? Please name them.
Does AVAST provide a file path for the infected files? If so, please copy them in your next reply.

Orange Blossom


DDS (Ver_09-03-16.01) - NTFSx86
Run by Rich Roach at 14:40:42.70 on 21/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.139 [GMT -4:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PMSveH.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\system32\PMHandler.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\...

A:Infected with win32.Delf.uc

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul...

RELEVANCY SCORE 93.6

When I run Spybot - Search & Destroy it finds I am infected with Win32.Delf.uc, and I fix the problem. But the next time I search it finds the same malware. Can you help me remove it permanently?
DDS (Ver_09-02-01.01) - FAT32x86
Run by Peter Kewley at 0:57:45.82 on 04/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.175 [GMT 0:00]

AV: 7.5.503 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files&... Read more

A: Infected with Win32.Delf.uc

Hi kewleyp,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me how is the current condition of your computer.

To get an idea about the current condition of your computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Set the list of files/folders created to 3 months and click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt (<<will be maximized)
info.txt (<<will be minimized).
Please copy and paste the content of just log.txt to your reply. No need for info.txt

Note 1: If you have difficulty finding the log, the logs are in this folder: C:\rsit

Note 2: The tool takes not more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

RELEVANCY SCORE 93.6

I've been having problems recently with both the performance of my computer and with the internet.

In terms of performance: The computer has been both slow and has frozen quite frequently. Usually, it freezes as I put it to sleep or wake it up. The computer will also suddenly slow down randomly, though that may be because of the Norton AntiVirus I have installed.

Internet pop-ups: Sometimes the browser I am working on redirects randomly to some webpage that has a little bar graph icon and usually says something like "NB88 SEARTH SITE". Usually, the url is something like nb88. Whenever I run Spybot S&D, it brings back these 2 error messages: "MicrosoftSecurityCenter_Disabled" and "Win32.Delf.uc". I always try to clean Win32.Delf.uc, but Spybot always finds it again after I've deleted it. I've always left MicrosoftSecurityCenter_Disabled alone for some reason lost to my memory, and I do it out of habit now.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:52:19 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\internet explorer\iexplore.exe
C:\WI... Read more

A: Infected With Win32.delf.uc (?)

Welcome to the BleepingComputer HijackThis forum Richard V

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new Hijackthis log please.

RELEVANCY SCORE 92.8

For a while now, I have had problems installing Microsoft Updates. The two same updates would pop back up every time I turn my computer on. I've been running AdWare and Zone Alarm to see if there were any bugs preventing me from installing the updates. Yesterday, while running a virus scan, it caught the bug Backdoor.Win.Delf.uzu. After searching the web for this, I found out that it was actually only discovered yesterday (June 8, 2010). Everything on my computer has been slow, especially the last two days. When running your "Gmer" program, my computer pretty much froze up. I waited about 3 hours and nothing was happening.

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 7:38:52.79 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1074 [GMT -7:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program... Read more

A: Infected with Backdoor.Win32.Delf.uzu

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

RELEVANCY SCORE 92.8

Hi,

Since my computer has been infected it often shuts down, getting consecutively trying to start up without success.
I ran straight away Kaspersky which detected and eliminated the Trojan.Win32.delf.zd but the problem keeps going on.
I followed the steps of your forum and I'm sending the txt files.

Thanks for your attention.

DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by LC at 10:04:45.31 on 2009-11-03
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.351.1033.18.1023.735 [GMT 0:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\LC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.pt/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283... Read more

A: Infected with Trojan.Win32.Delf.zd

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand corner ... Read more

RELEVANCY SCORE 92.8

Hello everyone, I'm new in this forum.
So, my laptop just got infected by Win32/Delf.NRJ worm. They infect my programs .exe and they're spreading. I don't know what the exactly my laptop just got infected. So, I'm here to get help to clean my laptop from Win32/Delf.NRJ worm. Am I infected? What do I do?

A: I'm infected by Win32/Delf.NRJ worm

Welcome Sanholo

This infection is considered a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

To clean.....

MiniToolBox

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 E... Read more

RELEVANCY SCORE 92.4

Hello,

My name is Raj and I am a new member to this forum. Let me thank you, first of all, for all the help you all provide with solving these nasty issues. Now here is my situation.

My problems started when my IE web pages did not load in spite of having good wireless connection. I ran AVG free and got the web browsing back. But then my CMD and regEdit tools would not work. I ran Spybot S&D but it did fix my issue. In addition my desktop stopped loading. I could use ctrl+alt+delete to get task manager and then use File -> Create New task to run explorer.exe. This would get my desktop back but only intermittently.

Then I decided to buy Kaspersky. I was totally disappointed with it. It detected several malware but it could not cure Trojan-Clicker.win32.delf.cbe and Rootkit.win32.podnuha.a infections. It would try to delete these files, ask me to restart the computer and would not delete the files after the restart. Each time I restart the computer, it would detect these, try to delete, ask me to restart and the cycle continued. On top of that I lost my CMD and regedit tools again. I tried to run dds.scr with the hope of getting you all the dds logs but my CMD tool does not work. In addition whenever I tried to run 'cmd' I would lose my desktop (if I happened to get it back somehow).

So instead of giving you attach.txt I can only give HT logs at this point. Hope you can help me out and I appreciate your help very much.

Thanks
Raj

P.S : I could not attached the log... Read more

A: Trojan-Clicker.win32.delf.cbe and Rootkit.win32.podnuha.a infections

Hello! My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTListIt2 Report
Please download OTListIt2 from here
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the "Run Scan" button.
The scan should take just a few minutes.
Copy the log that opens up and paste it back here in your next reply.

=============

The next log will show us any hidden files that are present.
Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

RELEVANCY SCORE 92

system spec

intel 6320
2gig ram
ATI HD240
unknown MB


recently i noticed my pc getting a lot slower than normal IE scrolling down on an email would cause the window to stutter where normally it would be smooth. i ran a virus scan using AVG (paid version) and it didn't come up with anything i also ran adaware and i tried to install spybot but it was unable to connect to the server to install. i tried the same spybot exe on a separate machine and it installed fine

the computer was still slow so i ran a kaspersky online scan which found a few trojans and backdoors (see attached txt) that AVG fails to detect.


DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by L.HALL at 20:30:22.25 on 24/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1443 [GMT 1:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceSer... Read more

A: Trojan.Win32.Agent.dkai, Backdoor.Win32.Delf.nut plus others

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

RELEVANCY SCORE 91.6

Hey

I consider myself a very experienced user, and hence can usually get rid of most stuff on my own but this time I seem to have come across a particularly elusive virus/trojan on my system. Yes I got it from P2P file sharing and I understand the risks involved.

Anyway, I noticed this first start when I opened a keygen -- Kaspersky noticed the virus and tried to stop it -- and then a mysterious process tried to start sending data and I used Kaspersky to disallow that and to terminate the processes. However -- it's unable to keep the processes terminated permanently....the process just restarts itself again and tries to get through. So what I get is a fight between my anti-virus and this trojan for a period of a few minutes and then the trojan goes inactive for an unknown interval before it tries to fight Kaspersky again. The reason why kaspersky and the virus "fight" is because I told it to perform the same action (terminate and deny internet access) every time it detected the trojan.

Also of note: I've seen mozilla firefox open a window on its own a few times (not often) but that's all that happens.

I am going to post my kaspersky log as well as the logs in the "pre-post" instructions because I think the kaspersky notes will be helpful.

KASPERSKY LOGS
deleted: Trojan program Trojan-Downloader.Win32.Zlob.knt File: C:\Users\Brian\AppData\Local\Mozilla\Firefox\Profiles\93x9ahv1.default\Cache\EC46F395d01
deleted: Tro... Read more

A: Infected With Trojan-downloader.win32.delf.gas

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed. Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply with a fresh HijackThis log.

RELEVANCY SCORE 91.6

Hi,

My laptop is infected with the Trojan-Clicker.Win32.Delf.cbe virus. Kaspersky keeps popping up with this message that it is infected and deletes the file C:\Windows\System32\midehqjw.dll. But after every reboot the file is there again.

I also got some kind of rootkit virus, kaspersky reporting strange files starting with names like kung*.tmp and kung*.dll and kung*.sys. I couldn't find these files anywhere on my harddrive though (some in memory virus?). It seems UnHackMe tool was able to remove those.

I'm not sure if these two viruses are related though.

I've attached the DDS and attach.txt. log. Any help on how to remove this would be greatly appreciated.

***********

DDS (Ver_09-05-14.01) - NTFSx86
Run by A.C. Ypil at 10:14:04,17 on za 06-06-2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: : {197811d7-bd2e-4de4-b17e-66a912e63ccd} - c:\windows\system32\veplsvp.dll... Read more

A: Infected with Trojan-Clicker.Win32.Delf.cbe

Hello! My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may ta... Read more

RELEVANCY SCORE 91.2

WAS using IE browser w/o any anti-virus/malware protection. I've since downloaded Spybot, AdAware and AVG removing many problems but WIN32.delf.rtk, Win32.TrojanSpy.Pophot come back. I've cleared all history, deleted files, disconnected from internet, run the three programs 2xs and still it remains. I've backed up my files as prior experience has proven that I probably shd, just in case. What do I need to do to clear this? Txs

Shoulda(known better)
Scan Results
Ad-Aware 2008 Free Edition
Log File Created on: 2008-09-24 13:21:57
Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\core.aawdef
Computer name: OWNER-BF7B2CB99
Name of user performing scan: SYSTEM
Name of user ordering scan: Owner
Scan completed successfully

* System Information
* File Version Information
* Ad-Aware 2008 Settings
* Extended Ad-Aware 2008 Settings
* Database Information
* Scan Statistics
* Scan Detailed Statistics
* Infections Found
* Listing of running processes

System Information
Number of processors: 2
Processor type: Intel® Core™2 CPU 6300 @ 1.86GHz
Memory Available: 55%
Total Physical Memory: 2119970816 Bytes
Available Physical Memory: 1163042816 Bytes
Total Page File Size: 4104978432 Bytes
Available On Page File: 3359449088 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1756745728 Bytes
OS: Microsoft Windows XP 5.1 (Build 2600)

File Verion... Read more

A: Win32.delf.rtk Win32.trojanspy.pophot Wont Go Away!

Try this scan:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Mak... Read more

RELEVANCY SCORE 90.8

I have had 3 viruses or infections show up during virus scans. The only things out of the ordinary I have noticed is my homepage of comcast has a couple of sections that say loading and it never loads (including a display of how many emails I have), a pop-up of Trend Micro website continually pops up on my screen, and the computer seems to be running a little slower. I ran the Kaspersky scan and the DSS and posted below.

Thanks,
James

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 07, 2008 18:37:50
Records in database: 1067337

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\ M:\

Scan statistics
Files scanned: 308319
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 04:25:06

File name / Threat name / Threats count
C:\Program Files\Iexplorer\Iexplorer.rmvb.vzr Infected: Trojan-Downloader.Win32.Delf.ixg 1
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE.vzr Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
F:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE.vzr Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

Deckard's System Scan... Read more

A: Infected With Trojan-downloader.win32.delf.ixq And Adware

Hello hazegrey,

Welcome back to Bleeping Computer

Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type
cleanmgr
Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once that's finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* Whe... Read more

RELEVANCY SCORE 90.8

I was frequently getting the blue screen of death. Downloaded ad-aware. Up pops win32.trojan.delf. It was removed, and I frequently restarted and re scanned. It didn't pop up again. I have norton anti-virus installed also. I thought that was the last of it. I tried installing zone alarm for extra protection, upon restarting my computer to complete installation, my computer froze and did this 10 times and I wasn't able to even get my computer past start up. I rebooted in safe mode and did a system restore to yesterday (just after virus was removed). Computer was working fine. Now, all of a sudden msconfig won't run. I have been googling for hours now and I've managed to figure out that the virus affected my registry files. I know there's stuff I have to delete and do to completely remove the after effects but I don't know what to delete.

I downloaded hijack this. Here's the log report. Please tell me step by step what to do, I'm not that great on computers!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:49:13, on 02/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WI... Read more

A: Was infected with win32.trojan.delf, now msconfig wont run

Hi juicyjen uk

Welcome to Bleeping Computer.

I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

Please do this.
Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool.
At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
If prompted by your firewall to allow RSIT to access the internet, please allow it. It will be updating your version of HijackThis.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Please post the contents of those logs here in your next reply.

Thanks
maranatha

RELEVANCY SCORE 90.8

Hi,I have some kind of worm on my computer, which i believe i got from a website trying to force me to fill out a survey and i somehow clicked the wrong button.What happens. I occasionally get random popups where a funny looking browser launches and goes to MSN, Yahoo and is obviously signing up for email accounts. I can see the typing process live, then i close the browser and it goes away for a few hours or at random times happens again.I also get an error often saying : runtime error 216 at 7c9100e8I ran malwarebytes yesterday and it removed 6 infected registry keys. I will post the logs if you ask me to, just not sure if you need or want them.Sense running malwarebytes it appears to have the same problems as before, only now malwarebytes shows no errors.DDS TxtDDS (Ver_10-03-17.01) - NTFSx86 Run by Trader at 17:32:07.21 on Wed 09/01/2010Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.1462 [GMT -6:00]AV: avast! antivirus 4.8.1356 [VPS 100901-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchC:\WINDOWS\system32\svchost -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k NetworkServiceC:\WINDOWS\system32\svchost.exe -k LocalServiceC:\Program Files\Alwil So... Read more

A:Infected - win32:delf-hpr & runtime error 216 at 7c9100e8

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

RELEVANCY SCORE 90.8

Hi

I'm hoping someone will be able to help me with this.

I ran Spybot and found that I had Virtumonde and win32.delf.uc.

I tried to remove them with S&D, then ran Adaware and ComboFix.

I think they've mostly gone now, but it would be great if someone could check my HJT log, below.

Since cleaning them, I can't get IE6 to access the internet, so I'm guessing that there might still be some nasties lurking in there. Other programs can access it fine, so I know the connection and hardware setup is not at fault.

I have Norton 360, but this appears to have stopped running and the UI won't load.

(d.bat is what I've currently named HJT)

Thanks a lot
David

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:31:59, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WI...

A:Infected By Virtumonde And Win32.delf.uc, Now Can't Access Internet

Hi David, Welcome to the forum,

We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like. If you still require help please post a new HijackThis log into this topic and I'd be happy to assist.

Thanks

Andy

RELEVANCY SCORE 90.8

I was frequently getting the blue screen of death. Downloaded ad-aware. Up pops win32.trojan.delf. It was removed, and I frequently restarted and re scanned. It didn't pop up again. I have norton anti-virus installed also. I thought that was the last of it. I tried installing zone alarm for extra protection, upon restarting my computer to complete installation, my computer froze and did this 10 times and I wasn't able to even get my computer past start up. I rebooted in safe mode and did a system restore to yesterday (just after virus was removed). Computer was working fine. Now, all of a sudden msconfig won't run. I have been googling for hours now and I've managed to figure out that the virus affected my registry files. I know there's stuff I have to delete and do to completely remove the after effects but I don't know what to delete.

I downloaded hijack this. Here's the log report. Please tell me step by step what to do, I'm not that great on computers!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:49:13, on 02/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:...

RELEVANCY SCORE 90.8

When I start my computer, I receive notice that my windows firewall is off. When I click on the icon, it tells me my firewall is on. I have pieces of icons (font.exe) on my desktop, which will not move into my recycle bin. An hourglass remains on my desktop whether I am on the internet or working offline (and the computer is slow; for example, when I type in a password, the letters do not appear on the screen right away). NOD 32 virus scan detects the trojan and quarantines it, but if I run a malwarebytes', super antispyware, or lavasoft scan, the worm and trojan are detected. Scans indicate I must restart my computer to completely remove traces of these malicious objects, which I do. When restarting my computer, a windows boot cleaner appears on a blue screen with a list of deleted internet explorer files. Then the whole process starts again, with NOD detecting an Internet Explorer Trojan agent and downloader. How can I get rid of this trojan and worm once and for all? Any help is much appreciated.

A:Infected with Win32 Trojan Delf & Worm Archive

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 89.6

Here's my DDS log. I've tried a few programs to get rid of these programs and Kaspersky says it can do it, but I need to upgrade Windows XP to at least SP2 first, but the trojans seem to be stopping the update process... Argh!! It's sending me crazy.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 14:52:46.51 on 22/03/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.511.232 [GMT 0:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Nero\Nero 9\InCD\NBHGui.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Nero\Nero 9\InCD\InCD.exe
C:\Program Files ...

A:DDS Log, please help: Windows XP infected. Possibly Win32.Delf/Virut and/or Vundo.

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so. While we are working on your HijackThis log, please: Reply to this thread; do not start another! Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so. Do not run any other tool until ...

RELEVANCY SCORE 89.2

Have Avast Home. Archive files are infected with lrofer, Delf, Trojano. Files cannot be repaired, or moved to chest. If I scan without scanning archives. No viruses are found, only scanning archives. This was the initial scan when received used computer. All that is left is the three listed above. Your help would be appreciated. Thank you.
Initialization of Chest files
------------------------------------------------------------------------------------------
Program will try to load all Chest files from the following server: (null)
FileID: 0000000001 Original file name: C:\WINDOWS\system32\kernel32.dll File category: 0
FileID: 0000000002 Original file name: C:\WINDOWS\system32\winsock.dll File category: 0
FileID: 0000000003 Original file name: C:\WINDOWS\system32\wsock32.dll File category: 0
FileID: 0000000004 Original file name: c:\explorer.exe File category: 1
FileID: 0000000005 Original file name: c:\program files\media gateway\mediagateway.exe File category: 1
FileID: 0000000006 Original file name: C:\Documents and Settings\Family Computer\bootctrl.exe File category: 1
FileID: 0000000007 Original file name: C:\Documents and Settings\Family Computer\Local Settings\Temp\tsinstall_4_0_3_7.exe File category: 1
FileID: 0000000008 Original file name: C:\Documents and Settings\Family Computer\windows.exe\HIDDEN32.exe File category: 1
FileID: 0000000009 Original file name: C:\Documents and Settings\Owner.RONDA-FZ2RDRR2S\Local Settings\Temp\Del5B7.tmp ...

RELEVANCY SCORE 89.2

Hi folks, it seems that I've somehow caught a bunch of trojans and other annoying malware which seem quite stubborn. I've scanned using malwarebytes and it hasn't found anything. Spybot 1.6.2 found a handful of stuff.

Upon bootup/login, I keep getting error messages about "Realtek HD Audio data rerouter" having encountered a problem and needs to close. The box is one of those which ask u to send it to Microsoft for crash evaluation. In the error signature it mentions appname: rtkbtmnt.exe, and Modname: ntdll.dll
This crashes at least 4 times (4 instances of the malware running?)

here's a DDS log:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Julian at 2:33:26.03 on Tue 17/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.619 [GMT 11:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS&...

A:win32.delf.uc and win32.jolee.K, and possibly others :(

Hi,

I have bad news for you. I see you're dealing with Virut (or variant). In that case, it's unfortunately a lost case - Game over situation. This virus called Virut is a File infector and (mis)infects legitimate files - so these infected files may not be deleted, but disinfected instead. Only an Antivirus Scanner is able to disinfect files. There's nothing you can do about this manually.

The problem with File infectors is, even though Antivirus scanners can disinfect the files, in a lot of cases, the files become corrupted anyway, including needed system files. Especially if you're dealing with Virut since it actually "misinfects" the files in most of the cases, so scanners cannot disinfect them either. Also read here: http://www.sophos.com/security/blog/2009/02/3130.html

That's why I call this a lost case. Because it's really not worth to clean this up manually since a format and reinstall is the fastest and especially the SAFEST solution.

And, in case you want to clean this up manually (although I do not recommend this), there's no way we can guide you here, because there's nothing that can be done about this manually. It's up to the scanners here to disinfect the files if possible. Keep in mind that your Windows may be damaged afterwards, many programs won't work anymore and many errors may appear. And, on top, it's still no guarantee that your computer will be clean again, because 1 leftover may reinfect.

So please don't bother with a manual cleanup and format and...

RELEVANCY SCORE 89.2

I have a nasty infection that has taken over my machine and which I cannot remove. The infection seems to hijack the google page and any links that I click from this page take me to what appears to be rogue websites, which want me to download their stuff.

I am currently running ESET Nod 32 and Ad-aware Anniversary Edition. Both these programs are picking up the trojan infections but are unable to clean.

I have tried to install malwarebytes but have been unable to do so. I did try changing the exe name of malwarebytes (as advised on this site) but the program does not fully complete the installation.

I have downloaded the DDS tool, ran the scan and have now attached the log to this post.

Also here is a copy of the Ad-aware scan log (I did not complete the scan due to the computer constantly crashing):

Logfile created: 10/06/2009 18:19:4
Lavasoft Ad-Aware version: 8.0.5
Extended engine version: 8.1
User performing scan: SYSTEM

*********************** Definitions database information ***********************
Lavasoft definition file: 148.49
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 70104
Objects detected: 7
Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 6
Folders.........: 0
LSPs............: 0
Cookies............

A:Infected with WIN32 Trojan Agent and WIN32 trojan TDSS

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection

Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix

Download Combofix by sUBs from any of the links below, and save it to your desktop.

Link 1, Link 2, Link 3

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.

Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.

If you did not have it installed, you will see the prompt below. Choose YES.
When the Recovery Console has been installed, you will see the prompt below. Choose YES.
When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
Close all other ope...

RELEVANCY SCORE 87.6

I use AVG, Ad-aware, and sometimes run Spybot. AVG was missing this virus all together. Spybot was catching it but it kept coming back. I did some research on the net and found a manual removal process but didn't get very far with it. I only disabled the Win32.tdss.rtk in the task manager. I was supposed to do several other steps but I could not find the file where they told me to look for it. I ran spybot again and it said my computer was clean of malware???? I'm totally confused. Is this virus still on my computer? I did all of the steps required before coming here and have the reports saved to my desktop. Please help if you can. Thank you very much.

DDS (Ver_09-10-13.01) - NTFSx86
Run by HP_Administrator at 23:11:34.10 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.959 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:...

A:Infected with WIN32.TDSS.RTK

Hello, and to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No inp...

RELEVANCY SCORE 87.6

Hello!

My problems began with the appearance of "Malware Defense" on my home computer, which I was able to remove with Malwarebytes. I then scanned my system with Spybot S&D and found the rootkit Win32.TDSS.rtk. I have been unable to remove this bugger but have seen in these forums that you guys have cured others of this same affliction. Could you please help me? Thank you in advance!

Below is my DDS log as requested by your posting instructions:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Tom George at 14:10:38.48 on Fri 01/08/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = local.;*.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Help...

A:Infected with Win32.TDSS.rtk; please help!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 87.6

Hello, this past week I have noticed my search engine searches redirect to unrelated sites! One site that keeps showing up is the clickken.cn redirect. As well, sometimes during startup, I get many command prompts popping up then closing. I have done spybot scans many times and it is only able to pick this malware up, but when removing it, it only shows up on the scanner again. Any help will be greatly appreciated.
DDS (Ver_09-07-30.01) - NTFSx86
Run by Hon at 19:47:26.92 on Tue 08/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.865 [GMT -7:00]

AV: F-Secure Anti-Virus 2009 9.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Hon\Alexa TB\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
D:\Hon\Alexa TB\F-Secure Internet Security\Common\FSMA32.EXE
D:\Hon\Alexa TB\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
D:\Hon&#...

A:Infected with win32.tdss.rtk

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 86.8

I have two problems that I think are a result of one virus. The first problem and most annoying is when connected to internet my system will pop up with a general error message: "Generic host Win32 Services has encountered and error" and then the system will display a shutdown prompt under the "NT AUTHORITY" and the system shuts down in 60 seconds. The system doesn't shut down when not connected to the internet and it only has to be connected to the net, not when I'm actively using the connection.

The other problem is when I run kaspersky internet security 2009 that is completely updated it comes up with the virus "Rootkit.win32.tdss.d" but it is unable to remove this virus.

Also I noticed when I look at the system properties from the general tab in the control panel it says Window XP media center 2002 edition SP3 but when I look at system information in the system tools it says the following:

OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name IKEBOWL
System Manufacturer TOSHIBA
System Model Satellite A100
System Type X86-based PC
Processor x86 Family 6 Model 14 Stepping 8 GenuineIntel ~1729 Mhz
BIOS Version/Date Phoenix Technologies LTD 1.70, 5/11/2006
SMBIOS Version 2.31
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name IKEBO...

A:Win32 generic Error/NT Authority Shutdown & Rootkit.win32.tdss.d virus

Also here is the Hijackthis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:37 PM, on 2/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Kodak\printer\center\KodakSvc....

RELEVANCY SCORE 86.8

Hi

Wanted to start off by saying you guys in this forum are awesome. Thanks for all your help and expertise, you guys are honestly a godsend. I say this because following someone else's case in the forums has helped me. I was on the verge of formatting and re-installing and now my computer is usable. Beginning with viruses that have been causing blue screens for the last three days, they have pretty much all stopped now. The only issue I have now is sometimes my computer would slow right down. Watching videos or listening to audio it would drag, stagger, pause. I have not used any other programs yet, so I haven't seen the effects in anything other than my internet browser. Perhaps the GMER scan took longer as well. Task manager shows cpu and mem usage as quite normal and not peaking.

The steps I have used up to this point:

1. Scanned with Microsoft Security Essentials. Detected Trojan:Win32.RimecudA
2. Scanned with Kaspersky Rescue Disk. Removed quite a few things. I think I have logs.
3. Scanned with Malwarebyte's Anti-Malware.

It couldn't remove Trojan.Bubnix which appeared as a chmnoti.sys file in my Windows/System32/drivers folder. It would say it needed to restart the computer and upon restarting the file would still be in there.

I moved it onto my Ubuntu desktop and it's still there atm. Probably not the best way to do it, but I'm going to assume it's not going to do anything sitting there for now.

After this, the blue screens would still appear when...

A:Disinfected Trojan.Bubnix and Rootkit.Win32.TDSS.tdl4. Still have Win32.Palevo

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
