Virus, Spyware.. Need Help? Here it is


posted on Sep, 26 2013 @ 11:32 AM
reply to post by rulerofchaos
 


Must make 20 posts before you can start a thread; it's usually there to prevent drive-byers.



posted on Sep, 26 2013 @ 11:43 AM
Thank you for the quick reply... I'm anxious to start. It's weird because I've been looking for a forum like this for so many years and I've just found out about this; I feel so dumb.



posted on Sep, 26 2013 @ 11:48 AM
reply to post by rulerofchaos
 


You are already 1/4 of the way there; just find some threads you are interested in and post away! You will have 20 posts in a flash!



posted on Sep, 26 2013 @ 11:55 AM
reply to post by luciddream
 


Already on my way. This site is overwhelming; I just want to read everything.



posted on Sep, 26 2013 @ 12:32 PM
Since I got my newest laptop about a year ago I stopped using Norton and went the free route. I use AVG antivirus, Advanced SystemCare for all other cleaning and IObit malware, and those three manage to keep my computer running perfectly so far.



posted on May, 17 2014 @ 11:50 AM
a reply to: chissler

"The update is available before the virus is created." Hmm, that kinda says a lot. Does Windows make these viruses and say, well, if you don't want to update our stuff we will get you?
Firepiston



posted on Nov, 19 2014 @ 07:22 AM
I seem to have something accessing my system when my wifi activates during system start up and throughout my time while on the computer. I have random events occur that load any one of the listed processes below, two or three at a time, that within minutes (if I do not actively kill them within the task manager) load upwards of 200 to 500 megabytes of data into my memory, causing my machine to lag and applications to lock up.

I did a resource monitor session that revealed hundreds of remote domains accessing my system, many of them from Akamai and Amazon, as well as others belonging to advertising services. These are the files that load:

dllhost.exe (COM Surrogate)
dllhst3g.exe (COM Surrogate)
napstat.exe (Network Access Protection Client UI)
rundll32.exe (Windows host process)
svchost.exe (Host Process for Windows Services)
wiaacmgr.exe (Windows Picture Acquisition Wizard)
dplaysvr.exe (Microsoft DirectPlay Helper)
dpnsvr.exe (Microsoft DirectPlay8 Server)
wextract.exe (Win32 Cabinet Self-Extractor)
ctfmon (CTF Loader)
cmmon32.exe (Microsoft Connection Manager Monitor)
systray.exe stub
upnpcont.exe (UPnP Device Host Container)
fixmapi.exe (FIXMAPI 1.0 MAPI Repair Tool)
msfeedssync.exe (Microsoft Feeds Synchronization)
dvdupgrd.exe (dvdupgrd)

I've run Trend Micro's complete system scan and after a two hour scan they found nothing infected with known trojans or viruses.

Does anyone know what could be causing this?



posted on Nov, 19 2014 @ 09:19 AM

originally posted by: agentcyman
... processes below, two or three at a time, that within minutes (if I do not actively kill them within the task manager) load upwards of 200 to 500 megabytes of data into my memory, causing my machine to lag and applications to lock up.

Maybe Windows is repeatedly trying to download a backlog of updates, but failing.
To see if it is Windows updates being downloaded (before connecting to the internet), change the setting on Windows Update to ...
"Check for updates but let me choose whether to download and install them"
windows.microsoft.com/en-gb/windows/change-windows-update-installation-notification

Then your machine won't download Windows updates (which could be 100s of megabytes) without your permission (the default is to download updates automatically in the background as soon as connected to the internet).

If that stops the download traffic choking your machine, then there is something wrong with the Windows update process, which is usually fixable with DISM, see ... www.abovetopsecret.com...
edit on 19-11-2014 by engvbany because: (no reason given)



posted on Nov, 21 2014 @ 06:15 PM
I managed to actually resolve this issue... after 7 hours of fighting with it.... lol

The COM surrogate file rundll.exe kept loading itself - sometimes with about 30 separate loaders at a time in the Task Manager. Then it would relax for a few minutes, then begin popping up again and loading my temp caches with worthless load names after I'd shut it down in Task Manager. So when I managed to lock a hold of it with the mouse cursor and then physically delete it again... it came right back up and loaded itself again. As I made the effort to continue fighting with these files, I noticed one rundll.exe file, which was a rather irrelevant file size of 5 megabytes, completely shut down all of the other files that kept loading for roughly a couple of minutes before once again they would start popping up again. When the 5 megabyte file loaded, I quickly highlighted it with the mouse and left-clicked its properties, then selected to save a dump file of the file's internal load parameters, then left everything alone and opened the file in WordPad.

The dump file had a lot of DNS IP addresses that were loaded within the memory, so I did a whois search for many of the numbers and discovered many of them were all coming from either the London area or the Netherlands. A couple of the lines of text that were saved also had XML code loaded into them that appeared to be a registry string installation, so I took the domain name over to Trend Micro and discovered many of the DNS addresses as well as several of the domain names were all owned by one company heavily involved in cloud computing networks who evidently created a cloud networking cloud trojan that had a severity rating of moderate, that was inserted onto my machine through a malicious website's malformed URL that most likely was embedded into my cookie files first. Then when the trojan began performing its wonderful magic on my system executables, it began not only welcoming additional outside system vulnerabilities as well as loading up its left over temp files everywhere, which at several hundred megabytes each began loading up my drive space quickly.

On the Trend Micro site I ran a search for the very first domain name and what do ya know... up pops F0fff0.com along with its other domain name variants, and the grid appeared that showed the websites it loads to and from, the files it infects and then the registry settings that it installs. The trojan was called Win32/Poweliks.A - a "business trojan" created by a cloud advertising programmer that literally would load every single one of his clientele's advertisements in place of a web page's default advertisers so as to harvest the link revenues each loader registered on my machine... So I discovered that ESET antivirus had a small DOS-based program called the ESET Poweliks removal tool that you could download and run, then reboot and everything would be cleaned, which I did, and all day long today my system has been running like a charm... The link to the technical data on this issue and the free download is kb.eset.com...


Your ESET product detects the threat Win32/Poweliks.A

You are trying to browse the Internet and the pages are being blocked

Multiple Dllhost processes are running on your system

When attempting to download files using Microsoft Internet Explorer, you receive the message "Your current security settings do not allow this file to be downloaded"

Win32/Poweliks.A is a trojan which tries to download other malware from the Internet, and can be controlled remotely.


I thank you for your help and I hope my efforts with this will be able to help someone else who suffers from this moderate threat from the information I've provided
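
As an added illustration (not part of the post above, and not ESET's tool), this sketch checks `tasklist /FO CSV` output for the symptom ESET lists, many copies of a host process running at once. The sample rows are constructed, and the watch list and thresholds are assumptions chosen to match the numbers reported in the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /FO CSV` output (English locale), not from a real host.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","14,220 K"
"explorer.exe","1840","Console","1","48,300 K"
"dllhost.exe","3104","Console","1","212,480 K"
"dllhost.exe","3220","Console","1","498,112 K"
"dllhost.exe","3388","Console","1","5,120 K"
"dllhost.exe","3412","Console","1","301,056 K"
"rundll32.exe","2960","Console","1","9,884 K"
'''

WATCHED = {"dllhost.exe", "rundll32.exe"}  # host processes named in the thread
MAX_INSTANCES = 3            # assumed triage threshold, tune per machine
MAX_TOTAL_KB = 200 * 1024    # assumed: the post reports 200 to 500 MB being loaded

def summarize(tasklist_csv):
    """Return {image_name: (instance_count, total_mem_kb)} from tasklist CSV text."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        digits = "".join(ch for ch in row["Mem Usage"] if ch.isdigit())
        entry = totals[row["Image Name"].lower()]
        entry[0] += 1
        entry[1] += int(digits) if digits else 0  # non-numeric values count as 0
    return {name: tuple(pair) for name, pair in totals.items()}

def flag_suspects(tasklist_csv):
    """List watched host processes that exceed the instance or memory threshold."""
    findings = []
    for name, (count, total_kb) in sorted(summarize(tasklist_csv).items()):
        if name not in WATCHED:
            continue
        reasons = []
        if count > MAX_INSTANCES:
            reasons.append(f"{count} instances")
        if total_kb > MAX_TOTAL_KB:
            reasons.append(f"{total_kb // 1024} MB total")
        if reasons:
            findings.append((name, count, total_kb, reasons))
    return findings

if __name__ == "__main__":
    for name, count, total_kb, reasons in flag_suspects(SAMPLE_TASKLIST):
        print(f"review {name}: " + ", ".join(reasons))
```

A flagged entry is a reason to run a scanner or removal tool, not proof of infection, since Windows starts these host processes for legitimate work as well.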



posted on Apr, 5 2015 @ 08:10 PM
a reply to: chissler

Hey guys, there is a lot of good stuff in this thread posted by others. Beware, the creator of the thread is trying to get you to call his number, claiming it's Microsoft and saying they give free support. I see clients get conned like this all the time. What happens is they remote into the user's computer claiming they have a virus or some other problem. They say they can fix it. Then they ask for money once they're in your computer. If you don't send them $300 or whatever they are asking, they either lock you out of your computer, put porn popups everywhere, or reset your password to an unknown. They leave a text file on the desktop with a list of software that they have installed and it contains their phone number. Most of them are from India. Some of what they do is good, but they are extremely overpriced. All of the software that they install on a user's computer is pirated and they charge you for it. So be careful guys! Go to someone local; if they jack your computer up, at least you can go yell at them and have them fix it.

I am kind of pushing my own thread here too, because it will take care of you. I don't want you all to get ripped off.

PS Windows OneCare has been discontinued since October 2009.

Edit: I forgot to mention that never in the history of Microsoft have they ever given free support. Usually you get no-charge phone support for 90 days when you buy a retail operating system, but you bought the operating system so you paid for it. This means you bought just the operating system CDs from a place like Best Buy. If you bought an OEM or it came with your computer, it's considered OEM (Original Equipment Manufacturer). Microsoft sells these to PC manufacturers for cheap. They also don't give support for these OSes besides Windows Updates. They refer you to the manufacturer, such as HP, Dell, Gateway etc.
edit on 02015b2015 by lobograndemalo because: (no reason given)

edit on 02015b2015 by lobograndemalo because: Spelling



posted on Apr, 5 2015 @ 08:11 PM
a reply to: agentcyman

Usually Combofix will repair rundll.exe and remove the registry entries that are starting it over and over. Just FYI.



posted on Aug, 18 2015 @ 03:51 PM
The only tool you need for most any of this is MalwareBytes. If it cannot fix your problems, your system has probably been compromised so bad, you will never be able to trust it again.

So just spend your valuable time re-installing the operating system rather than futzing around with the registry and using unproven tools if you do not know what you are doing.

If you keep your email, media and music on the system drive, well shame on you. Take the drive out and pull your files into another computer before you reinstall the OS and lose them forever.

I don't work for MB, just relaying years of experience.



posted on Sep, 1 2015 @ 07:50 PM
a reply to: chissler




Ping www.cnn.com (It can be any website, however some are not pingable. Microsoft.com is not able to be pinged)

In the results you are looking for the statistics.

4 packets will be sent and you are looking to see if 4 were received. If so, the connection is stable and probably means the problem is within Internet Explorer.

If you get either Request Timed Out four times or 4 sent and 0 received, then it can be an issue with the connection itself.

Next I would try Pinging the IP address to the website. You can find the IP in the first line of the above reply. It will give you the address.

The IP may look like this... 68.142.197.82.

So you would type..

ping 68.142.197.82



Too long, if you ping the DNS name then you verify two things, one DNS works and two you can ping the IP. Remember computers don't use names to connect, they resolve the names to IPs and actually use those. So pinging CNN.com is all that is necessary to test DNS and IP connectivity. So you could edit your instructions down to be more concise.


V
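
The two-step check discussed in the post above, as an added example that is not part of the thread: it classifies Windows `ping` output and combines a ping by name with an optional ping by IP. The sample outputs are constructed (documentation addresses), and it goes slightly beyond the post by counting echo replies, because Windows reports "Destination host unreachable" replies as Received.

```python
import re

# Constructed samples in the format printed by Windows ping (documentation addresses).
HEAD = "Pinging {t} with 32 bytes of data:\n"
STATS = ("\nPing statistics for 192.0.2.10:\n"
         "    Packets: Sent = 4, Received = {r}, Lost = {l} ({p}% loss),\n")
ECHO_LINE = "Reply from 192.0.2.10: bytes=32 time=21ms TTL=54\n"

NAME_OK = (HEAD.format(t="www.example.com [192.0.2.10]") + ECHO_LINE * 4
           + STATS.format(r=4, l=0, p=0))
NAME_NO_DNS = ("Ping request could not find host www.example.com. "
               "Please check the name and try again.\n")
IP_OK = HEAD.format(t="192.0.2.10") + ECHO_LINE * 4 + STATS.format(r=4, l=0, p=0)
IP_TIMEOUT = (HEAD.format(t="192.0.2.10") + "Request timed out.\n" * 4
              + STATS.format(r=0, l=4, p=100))
# Windows counts ICMP "unreachable" errors as Received, so the summary shows 0% loss.
IP_UNREACHABLE = (HEAD.format(t="192.0.2.10")
                  + "Reply from 192.0.2.1: Destination host unreachable.\n" * 4
                  + STATS.format(r=4, l=0, p=0))

ECHO = re.compile(r"^Reply from \S+: bytes=\d+", re.M)
SENT = re.compile(r"Packets: Sent = (\d+)")

def classify(text):
    """Classify one ping run by counting real echo replies, not the Received field."""
    if "could not find host" in text:
        return "dns-failure"
    sent = SENT.search(text)
    if not sent:
        return "unparsed"
    echoes = len(ECHO.findall(text))
    if echoes == 0:
        return "unreachable"
    return "ok" if echoes == int(sent.group(1)) else "packet-loss"

def diagnose(name_ping, ip_ping=None):
    """Combine the ping-by-name result with an optional ping-by-IP result."""
    by_name = classify(name_ping)
    if by_name == "unparsed":
        return "unparsed"
    if by_name == "ok":
        return "dns-ok,ip-ok"          # the name resolved and the address answered
    if by_name != "dns-failure":
        return "dns-ok,ip-" + by_name  # name resolved, address did not answer cleanly
    if ip_ping is None:
        return "dns-failed,ip-untested"
    return "dns-broken,ip-ok" if classify(ip_ping) == "ok" else "ip-broken"

if __name__ == "__main__":
    print(diagnose(NAME_NO_DNS, IP_UNREACHABLE))
```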



posted on Sep, 1 2015 @ 07:53 PM
a reply to: charlyv




The only tool you need for most any of this is MalwareBytes. If it cannot fix your problems, your system has probably been compromised so bad, you will never be able to trust it again.

So just spend your valuable time re-installing the operating system rather than futzing around with the registry and using unproven tools if you do not know what you are doing.


Malwarebytes, CCleaner and an antivirus should keep you covered. You cannot stop idiots from installing junkware or opening malware. If the infection can be stopped or cleaned by the above, reinstalling is a good option. Plus it teaches there are repercussions for bad behavior. Back your stuff up, people.


V



posted on Sep, 13 2015 @ 10:41 AM
All spyware and viruses ever created are a product of Intelligence agencies. They make you think there are hackers and evil guys creating them, but in reality they are a tool of espionage, used by the western spy networks. The western unified intelligence apparatus is responsible for the creation and spread of computer viruses since the first days of computer viruses. The so-called hackers who broke into systems and brag about it on the internet are nothing more than agents who were paid by various western governments to do what they did.
edit on 13-9-2015 by Flanker86 because: (no reason given)



posted on Sep, 23 2015 @ 02:20 PM
You can now remove shortcut virus from pendrive
shortcut virus remover: http://techgeekers.com/how-to-remove-shortcut-virus-from-pen-drive/



posted on Nov, 12 2015 @ 03:15 PM
a reply to: techgeekers

Link does not open!!!

Found a good guide: soft2secure.com...



posted on Nov, 23 2016 @ 11:43 AM
Just stumbled on this sticky and last post is a year ago.. I'll just post my DIY first aid, I don't have personal experience with all tools:

Decryptors from Kaspersky: support.kaspersky.com...
from AVG: www.avg.com...
Rootkit remover also from Kaspersky: usa.kaspersky.com...
from Malwarebytes (also for keyloggers): www.malwarebytes.com...
Open source antivirus: www.clamav.net...
Trend Micro's HouseCall: housecall.trendmicro.com...
MS Malicious software removal tool: www.microsoft.com...
Combofix antivirus: www.bleepingcomputer.com...

If all fails, download Rufus rufus.akeo.ie... and Ubuntu live ISO: www.ubuntu.com... and boot from pendrive. Either copy data and reinstall, use decryptors (no personal experience but should work) and/or ClamAV.


(post by andyBaston removed for a serious terms and conditions violation)

posted on Apr, 24 2018 @ 05:32 AM