Thread: Experts, Please Help


  1. #1
    Join Date
    Jun 2007
    Posts
    7

    Experts, Please Help

    Hi,

    I have recently been getting many pop-ups when in IE. Also, I have been getting excessive CPU processing classified under "system", to the point where the computer is unusable. So, I happened on your site and now, after several days of unproductive work, am asking for some help from the experts.

    I have followed the directions on the preliminary cleaning procedure up to step 8b. Once I completed step B, all the icons, including the task bar, disappeared and I had to use the task manager to restart the system. As I attempted to restart, an application called "sample" would not terminate normally, so I had to terminate it manually. On restarting, again, in safe mode, it appeared as a normal startup until all the icons and task bar appeared; then all were apparently hidden and I had to terminate as above. So, I could not run Defender in safe mode.

    1. I am running Kaspersky 6.0, updated and current.
    On the initial Kaspersky run it found and deleted nnnlmjk.dll and found nothing else.
    2. I ran ATF Cleaner without incident.
    3. I ran AVG on the complete system and it found 3 items:
    a. Trojan.small.edz
    b. Dialer.generic
    c. Not a Virus RemoteAdminWin32 RemotelyAnywhere.a (Note: I use LogMeIn and this, I believe, is a part of that program.)
    I pressed "apply all actions" (to Quarantine) on the items found and it appeared to apply the actions. However, I could not save the report as the button was grayed out.


    4. I am attaching the HijackThis log performed after the above.

    Thank You for your Help!

    Gus
    Please note I have removed zip file and replaced it with text file of HJT log. Makes it easier for others to be able to read it.
    Judy
    Attached Files
    Last edited by jholland1964; 06-28-2007 at 01:09 PM. Reason: Replaced Gus's zip file with text file of HiJackThis log.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Enable Viewing of Hidden Files and Folders

    Please download VundoFix.exe to your desktop.
    Make certain that unnecessary programs, like browsers, are NOT running. Disconnect from the internet then follow the instructions below.
    • Double-click VundoFix.exe to run it.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    When you have completed all then reboot to normal again. Run a new HiJackThis scan and post BOTH the Vundo log and the HiJackThis log.

  3. #3
    Join Date
    Jun 2007
    Posts
    7

    Still Getting Pop-Ups

    Hi,

    Thanks for getting me this far. I ran VundoFix and it then allowed me to run the remaining portion of the preliminary fix, i.e. Defender. Once finally completed, it found a browser modifier (see attachments) that I had it delete.

    Unfortunately, I am still getting pop-ups. I am including a new HijackThis listing as well as the logs from both Defender (cut/paste) and VundoFix.

    If you could please look at them and direct me as to the next steps.

    Thanks,
    Gus
    Attached Files

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am still going through your logs Gus, but may I ask that you not attach the files via zip files. Either copy/paste the text directly into your posts or attach them as .txt files.
    You stated earlier that you are running Kaspersky 6.0, but according to your Windows Defender log AND the HiJackThis log you are running both Kaspersky 6.0 AND Norton Anti-virus programs. This is an absolute no-no. If you previously had Norton and thought it was all removed, this is not the case; it is still running on your machine, as evidenced by these entries in your logs:

    Windows Defender:
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\52265CCD.exe->(CryptFF)

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\52265CCD.exe
    HiJackThis:
    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    You need to go through the Uninstall process for Norton/Symantec. If there is none available via Add/Remove then you need to do a file search for all files named Norton and All named Symantec and remove them all.

  5. #5
    Join Date
    Jun 2007
    Posts
    7
    Hi,

    Norton AV is uninstalled; the only remaining fragments relate to Norton Utilities only.

    Also, sorry about the files, but for some reason the files were not uploadable if not in zip format.

    thanks
    Gus

    BTW, I can and will remove the other elements, if you think it important.
    Last edited by LISpeedyG; 06-29-2007 at 04:35 PM.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Yes, remove all Norton/Symantec. These do show as Anti-virus related when doing the searches for specific files.
    As far as uploading the files, they must have valid file extensions in order to upload. The Defender and VundoFix logs were correctly saved with the .txt extension and should have uploaded without difficulty. The HijackThis log shows it is saved as "hijackthis log", which is not a correct file extension. When you save the files to your computer, be sure to save them as text files. This will give them the proper extension for upload.

  7. #7
    Join Date
    Jun 2007
    Posts
    7
    OK. Removed all of Symantec and re-ran HJT.
    Please see attached.

    Thanks for your help
    Gus
    Attached Files

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    It appears the VundoFix did work, though there is still one file showing that I question.
    However let's try the AVG Anti-spy once more.
    I want you to reboot to SAFE MODE.
    Run the ATF-Cleaner one more time:
    Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    Click Exit on the Main menu to close the program.
    Important: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.
    • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
    • AVG will now begin the scanning process; be patient, this may take a little time to complete.
    Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all".
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file; this is important.)
    • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find WinTrust32 - Unknown owner
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.
    Exit the Services utility.


    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped then just exit the Services utility.
    Next run HJT again and place a checkmark next to the following entries if they still exist:
    O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\apexktlc.dll
    O2 - BHO: (no name) - {32391C4F-148B-4477-A109-B689B3A3E870} - C:\WINDOWS\system32\vtuvw.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: nnnlmjk - nnnlmjk.dll (file missing)

    O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)
    Once you have placed the checkmark then click the FIX button.
    Exit HJT.
    Reboot and run a new HJT scan. Save the log and post it back here along with the AVG Scan log.
    Judy
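The HijackThis entries quoted in post #4 (the leftover Symantec services) and in the fix list above are the kind of thing a helper scans by eye: an O2 BHO with "(no name)", an entry whose file is "(file missing)" or "(no file)", an O23 service with "Unknown owner", an O20 Winlogon Notify hook. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that parses lines in that format, flags those patterns, and inventories O23 services by vendor so that remnants of a supposedly uninstalled product show up at a glance. The sample log is constructed from the lines quoted in the thread, and the field layout assumed for O23 lines ("Service: name - company - path") is taken from those lines, not from any HijackThis specification.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the shape of the HijackThis
# entries quoted in this thread (not a complete log).
SAMPLE_LOG = r"""O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\apexktlc.dll
O2 - BHO: (no name) - {32391C4F-148B-4477-A109-B689B3A3E870} - C:\WINDOWS\system32\vtuvw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: nnnlmjk - nnnlmjk.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entry(line):
    """Parse one HJT line into a dict; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    entry = {"section": section, "raw": line.strip(), "flags": [],
             "company": None, "clsid": None}

    # A registry hook whose target file is gone: either the malware was removed
    # and left its autostart behind, or it is hiding the file from the scan.
    if "(file missing)" in rest or "(no file)" in rest:
        entry["flags"].append("orphaned")
    # Browser Helper Objects normally carry a product name; an unnamed one
    # pointing at a random-looking DLL under system32 is the classic Vundo shape.
    if section == "O2" and rest.startswith("BHO: (no name)"):
        entry["flags"].append("unnamed-bho")
    # Winlogon Notify DLLs are loaded into winlogon.exe itself; always worth a look.
    if section == "O20":
        entry["flags"].append("winlogon-notify")
    # Assumed layout for O23 lines: "Service: <display name> - <company> - <path>".
    if section == "O23":
        parts = rest[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            entry["name"], entry["company"], entry["path"] = parts
            if entry["company"] == "Unknown owner":
                entry["flags"].append("unknown-owner")
    c = CLSID_RE.search(rest)
    if c:
        entry["clsid"] = c.group(0)
    return entry


def triage(log_text):
    """Entries carrying at least one flag, in log order (the HJT 'fix' candidates)."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e and e["flags"]]


def services_by_company(log_text):
    """Map each O23 company string to the service display names it claims."""
    out = defaultdict(list)
    for e in map(parse_entry, log_text.splitlines()):
        if e and e["section"] == "O23" and e["company"] is not None:
            out[e["company"]].append(e["name"])
    return dict(out)


def vendor_remnants(log_text, vendor):
    """Every entry, in any section, that mentions the vendor: the 'is it really
    uninstalled?' check from post #4."""
    v = vendor.lower()
    return [e for e in map(parse_entry, log_text.splitlines()) if e and v in e["raw"].lower()]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(",".join(e["flags"]).ljust(24), e["raw"])
    print(services_by_company(SAMPLE_LOG))
    print(len(vendor_remnants(SAMPLE_LOG, "symantec")), "Symantec entries still present")
```

Run it against a saved HJT log instead of SAMPLE_LOG by reading the file into `log_text`; the flagged list is the set of lines to check in HJT, and the company map makes an "Unknown owner" service or a vendor that should no longer be installed stand out without reading every O23 line.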

  9. #9
    Join Date
    Jun 2007
    Posts
    7
    Hi again,

    I ran AVG again and it found an "Adware.generic" and applied Quarantine. However, I was not able to save a log file. Once again it was grayed out, and in the reports tab it said no reports available.

    Also, in trying to reboot the system was once again unable to terminate an application "sample" and I had to manually terminate before I could reboot.

    Once rebooted in normal mode:

    1. In services -- Was unable to find "WinTrust32 - Unknown owner" Only "WinTrust32" was available and it was stopped with automatic enabled. So, I did not change it.
    2. In running HJT I successfully deleted the items you specified. Also, there was one other item that I deleted that was part of the original Kaspersky scan, "O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\nnnlmjk.dll (file missing)", that you had not identified. I trust that this was OK.

    Anyway, I am now running the computer on the net and it finally seems to be behaving "more normal". Do you see any other issues in the attached log that I should be concerned about?

    Thanks,
    Gus
    Attached Files

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hello Gus,
    Yes, you were absolutely correct to fix that entry:
    O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\nnnlmjk.dll (file missing)
    That was an omission on my part, actually a bad copy/paste. I do my "HJT fix recommendations" on Wordpad and then copy/paste them to the thread, I just didn't copy/paste that one.

    You should go back into services and see if that WinTrust32 is still there and set it to disabled. That is a remnant of a trojan on the system which is/was set to always run at start up. You want to be sure that it is set to disabled if it is still there. That "might be" your constant "sample" program starting or attempting to start.


    Also, even though it is not showing in your new HJT log, you should do a file search for C:\WINDOWS\system32\apexktlc.dll.
    Go to C:\WINDOWS\system32\ and see if you can find that file. If you do find it, delete it. It may not be there, but do this just to be sure.

    One thing you must do is update your Java to the latest version, which is version 6 update 1. You will need to uninstall all previous versions via Control Panel, Add/Remove. Download the newest version here: Download Java software
    Follow instructions there including verification after the install.

    All in all your newest HJT log looks pretty good.


    You do have some items automatically starting which are unnecessary and can easily be run manually. These are up to you really, but some can slow your start up:

    TrueImageMonitor.exe>>> Part of Acronis True Image - backup software. Can be disabled without affecting TrueImage.

    igfxtray>>>Part of Intel's Common User Interface for chipsets with integrated graphics controllers, which allows the user to change different driver properties through the Windows User Interface. Quick access to the control panel via a System Tray icon. Available via Start -> Settings -> Control Panel

    IntelliPoint>>>Microsoft IntelliPoint software for their IntelliMouse series of mice; only required if you use non-standard Windows driver features

    Mediafour XPlay Tray Notification Icon>>>Mediafour XPlay allows you to use an Apple iPod digital music player with a PC running Windows. If not used regularly, start manually before connecting the iPod

    MDDiskProtect.exe>>>MediaFour MacDrive for Windows - easily open, edit and save files from Mac-formatted disks, format Mac disks and burn Mac CDs and DVDs

    QuickTime Task>>>System Tray access to Apple's "Quick Time" viewer

    icq.com>>>ICQ Lite - compact version of the popular messaging program

    MMReminderService>>>Related to MindManager from Mindjet

    MsnMsgr>>>MSN Messenger, can easily be run manually

    NMBgMonitor>>>related to Nero Home, can be run manually if needed.
    swg>>>Google Toolbar notifier

    DellSupport>>>Agent which offers additional support for the Dell computer but can easily be run manually

    X1FileMonitor.exe>>>Related to X1's Enterprise Desktop Search Resource Center

    X1Systray.exe>>>Related to X1's Enterprise Desktop Search Resource Center

    YPOPs>>>Related to YPOPs! an application that provides POP3 access to Yahoo! Mail. Yahoo! Mail disabled free access to its POP3 service in 2002. This application emulates a POP3 server and enables popular email clients like Outlook, Netscape, Eudora, Mozilla, etc., to download email from Yahoo! account.

    Adobe Acrobat Speed Launcher>>>Supposedly speeds up the launch of Adobe (Acrobat) Reader 7. Really doesn't add much speed and can easily be launched manually

    Adobe Acrobat Synchronizer>>>Related to Adobe_Synchronizer component installed along with Adobe Acrobat Reader or other products. Doesn't need to run at Start.

    All of the above programs are really user choice on whether to run at start; they can easily be started manually. I recommend using Mike Lin's Startup Control Panel to easily manage start programs. It is free and a very small download. Once installed it can be found in the Control Panel.

    With all of the removals and scans I also recommend that you do a simple cleanup of the registry using RegCleaner. Another free program, very easy to use. Download the program. Click to open. Choose Tools, Registry Cleanup, Do them All. Let the program scan. It will find unnecessary or "dead" registry entries. Once the scan is complete then choose Select, Select All. Then click Remove Selected.

    I also recommend using SpywareBlaster to better protect the computer. Blocks malicious ActiveX installs by implementing a “kill bit” to prevent those ActiveX programs with known CLSIDs from being executed. Highly recommended! From Javacool Software.

    Finally, you should set a new, clean restore point for the computer.
    Right click the My Computer icon on the Desktop and click on Properties.
    Click on the System Restore tab.
    Put a check mark next to 'Turn off System Restore on All Drives'.
    System Restore will turn off.
    Wait a few minutes and then turn it back on doing the reverse.
    Judy

