• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
marcovan65

Possible Virus / Trojan?

4 posts in this topic

Hello there,

 

I was doing regular mainteanace of my pc and came across a folder that was unfamiliar to me. There were 2 mp3's and 2 jpg's in that folder. I never saw those files before. I went to delete the folder and it said it was in use by another process. I exited explorer and came back in and did delete and the file was deleted. After about 5 minutes, the folder popped up again, i went through the same process and the folder stayed off. I then rebooted my pc and the folder showed up again, I went to delete and said it was in use. NAV did not find anything.

 

Here is my HJLog,

 

Thanks!

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 7:23:11 AM, on 1/21/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\WINDOWS\system32\F5InstallerService.exe

C:\WINDOWS\system32\gearsec.exe

C:\WINDOWS\java\JavaIFX4\services.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\java\javaifx4\spoolsv.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe

C:\WINDOWS\ProPatches\Scheduler\stAgent.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\DSentry.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

C:\Program Files\YPOPs\YPOPs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Prepare\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {AE10F8AA-A108-489F-94E9-C3D572FCE4F1} - (no file)

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: YPOPs.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://away-beta.sungard.com/vdesk/cachecl...,2007,0223,0315

O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://away-beta.sungard.com/vdesk/termina...,2007,0223,0327

O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - file://c:/Program Files/F5 VPN/F5_TMP/InstallerControl.cab

O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://away-beta.sungard.com/vdesk/termina...,2007,0223,0317

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186451958734

O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://away.sungard.com/vdesk/terminal/urT...,2007,0530,2303

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe

O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://away-beta.sungard.com/vdesk/termina...,2007,0223,0320

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://away.sungard.com/vdesk/terminal/urx...,2007,0524,2120

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp

O17 - HKLM\Software\..\Telephony: DomainName = internal.sungard.corp

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,internal.sungar

.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,internal.

ungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,int

rnal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.ne

.,internal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comc

st.net.,internal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.c

.comcast.net.,internal.sungard.corp,hsd1.ca.comcast.net.,internal.sungard.corp,i

ternal.sungard.corp,hsd1.ca.comcast.net.,internal.sungard.corp,internal.sungard.

orp,hsd1.ca.comcast.net.,internal.sungard.corp

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,internal.sungar

.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,internal.

ungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,int

rnal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.ne

.,internal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comc

st.net.,internal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.c

.comcast.net.,internal.sungard.corp,hsd1.ca.comcast.net.,internal.sungard.corp,i

ternal.sungard.corp,hsd1.ca.comcast.net.,internal.sungard.corp,internal.sungard.

orp,hsd1.ca.comcast.net.,internal.sungard.corp

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,internal.sungar

.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,internal.

ungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.net.,int

rnal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comcast.ne

.,internal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.ca.comc

st.net.,internal.sungard.corp,internal.sungard.corp,internal.sungard.corp,hsd1.c

.comcast.net.,internal.sungard.corp,hsd1.ca.comcast.net.,internal.sungard.corp,i

ternal.sungard.corp,hsd1.ca.comcast.net.,internal.sungard.corp,internal.sungard.

orp,hsd1.ca.comcast.net.,internal.sungard.corp

O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll (file missing)

O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: F5 Networks Component Installer - F5 Networks - c:\WINDOWS\system32\F5InstallerService.exe

O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: JavaIFX4 - Unknown owner - C:\WINDOWS\java\JavaIFX4\services.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Shavlik Remote Agent Service (stAgent) - Unknown owner - C:\WINDOWS\ProPatches\Scheduler\stAgent.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 16988 bytes

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hi marcovan65, and Welcome to SWI

 

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

 

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Pleas perform the instruction in the order listed <-- Important

 

Your version of HijackThis is outdated.

Please download the current version of 'Hijack This!:

http://www.trendsecure.com/portal/en-US/th...p?page=download

Please save it in a convenient permanent folder such as C:\HJT\,

and be sure the next log is with the newer version.

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with your next reply.

Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINDOWS\java\JavaIFX4\services.exe

C:\WINDOWS\java\javaifx4\spoolsv.exe

Exit the Task Manager when finished.

 

* Click here to use the F-Secure Online Scanner

  • Then click the Start Scanning button below.
  • You should get a notification (blue bar on top) to install an ActiveX control. Click on it and select to install the ActiveX control.
  • Once the ActiveX control is installed, you should accept the License terms by clicking OK below to start the scan.
  • If you have problems installing the ActiveX control/starting the scan, please read the F-Secure Online Virus Scanner - FAQ.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases; this can take a while.
  • The main scan will start.
  • When the scanner is finished scanning, click the Automatic cleaning (recommended) button
  • If your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under Results in your next reply.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O2 - BHO: (no name) - {AE10F8AA-A108-489F-94E9-C3D572FCE4F1} - (no file)

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll (file missing)

O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)

O23 - Service: JavaIFX4 - Unknown owner - C:\WINDOWS\java\JavaIFX4\services.exe

 

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

 

Using Windows Explorer, locate the following files/folders, and delete them (if still there):

C:\WINDOWS\java <-- folder

C:\WINDOWS\system32\pmnll.dll <-- file

C:\WINDOWS\system32\pmnmnmk.dll <-- file

 

Please go to VirusTotal and submit the following file for a scan and post the results in your next reply:

c:\WINDOWS\system32\F5InstallerService.exe

 

Download ComboFix© by sUBs from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.

Double click combofix.exe & follow the prompts.

Don't click on the ComboFix window while its running; that could cause it to stall.

When finished, and after reboot, it should open a log, combofix.txt.

Post that log in your next reply.

 

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2

    [*]Click the Remove or Change/Remove button.

    [*]Repeat as many times as necessary to remove each Java versions.

    [*]Reboot your computer once all Java components are removed.

    [*]Then from your desktop double-click on jre-6u4-windows-i586-p.exe that you downloaded to install the newest version.

I went to delete the folder and it said it was in use by another process. I exited explorer and came back in and did delete and the file was deleted. After about 5 minutes, the folder popped up again, i went through the same process and the folder stayed off. I then rebooted my pc and the folder showed up again, I went to delete and said it was in use. NAV did not find anything.

What is the full path to the folder, and did it say what the other process was?

 

Please post a new HijackThis log, the log from SDFix (Report.txt), the log from F-Secure's online scan, and in a second reply (due to length) the log from ComboFix (combofix.txt), the results of scanning the file at VirusTotal, and note any errors encountered.

Share this post


Link to post
Share on other sites

Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0