Thread: Experts, Please Help


  1. #1
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Yes, remove all Norton/Symantec. These do show as Anti-virus related when doing the searches for specific files.
    As far as uploading the files they must have valid file extensions in order to upload. The defender and vundofix logs were correctly saved with the .txt extension and should have uploaded without difficulty. The hijackthis log shows it is saved as hijackthis log, that is not a correct file extension. When you save the files to your computer be sure to save them as text files. This will give them that proper extension for upload.

  2. #2
    Join Date
    Jun 2007
    Posts
    7
    OK.. Removed all of Symantec and re-ran the HJT.
    Please see attached..

    Thanks for your help
    Gus
    Attached Files

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    It appears the VundoFix did work, though there is still one file showing that I question.
    However let's try the AVG Anti-spy once more.
    I want you to reboot to SAFE MODE.
    Run the ATF-Cleaner one more time;
    Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    Click Exit on the Main menu to close the program.
    Important.. Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:
    • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
    • AVG will now begin the scanning process, be patient this may take a little time to complete.
    Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file, this is important.)
    • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find WinTrust32 - Unknown owner
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.
    Exit the Services utility.


    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped then just exit the Services utility.
    Next run HJT again and place a checkmark next to the following entries if they still exist;
    O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\apexktlc.dll
    O2 - BHO: (no name) - {32391C4F-148B-4477-A109-B689B3A3E870} - C:\WINDOWS\system32\vtuvw.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: nnnlmjk - nnnlmjk.dll (file missing)

    O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)
    Once you have placed the checkmark then click the FIX button.
    Exit HJT.
    Reboot and run a new HJT scan. Save the log and post it back here along with the AVG Scan log.
    Judy

  4. #4
    Join Date
    Jun 2007
    Posts
    7
    Hi again,

    I ran AVG again and it found an "Adware.generic" and applied Quarantine. However I was not able to save a log file. Once again it was grayed out and in the reports tab it said no reports available..

    Also, in trying to reboot the system was once again unable to terminate an application "sample" and I had to manually terminate before I could reboot.

    Once rebooted in normal mode:

    1. In services -- Was unable to find "WinTrust32 - Unknown owner" Only "WinTrust32" was available and it was stopped with automatic enabled. So, I did not change it.
    2. In running HJT I successfully deleted the items you specified. Also, there was one other item that I deleted that was part of the original Kaspersky scan "O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\nnnlmjk.dll (file missing)" that you had not identified. I trust that this was ok.

    Anyway, I am now running the computer on the net and it finally seems to be behaving "more normal". Do you see any other issues in the attached log that I should be concerned about?

    Thanks,
    Gus
    Attached Files

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hello Gus,
    Yes, you were absolutely correct to fix that entry;
    O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\nnnlmjk.dll (file missing)
    That was an omission on my part, actually a bad copy/paste. I do my "HJT fix recommendations" on Wordpad and then copy/paste them to the thread, I just didn't copy/paste that one.

    You should go back into services and see if that WinTrust32 is still there and set it to disabled. That is a remnant of a trojan on the system which is/was set to always run at start up. You want to be sure that it is set to disabled if it is still there. That "might be" your constant "sample" program starting or attempting to start.


    Also, even though it is not showing in your new HJT log you should do a file search for C:\WINDOWS\system32\apexktlc.dll.
    Go to C:\WINDOWS\system32\ and see if you can find that file noted in red. If you do find it, delete it. It may not be there but do this just to be sure.

    One thing you must do is update your java to the latest version which is version 6 update 1. You will need to uninstall all previous versions via Control Panel, Add/Remove. Download the newest version here Download Java software
    Follow instructions there including verification after the install.

    All in all your newest HJT log looks pretty good.


    You do have some items automatically starting which are unnecessary and can easily be run manually. These are up to you really but some can slow your start up;

    TrueImageMonitor.exe>>> Part of Acronis True Image - backup software. Can be disabled without affecting TrueImage.

    igfxtray>>>Part of Intel's Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. Quick access to the control panel via a System Tray icon. Available via Start -> Settings -> Control Panel

    IntelliPoint>>>Microsoft_Intellipoint software for their Intellimouse series of mice - only required if you use non-standard Windows driver features

    Mediafour XPlay Tray Notification Icon>>>Mediafour Xplay - allows you to use an Apple iPod digital music player with a PC running Windows. If not used regularly start manually before connecting the iPod

    MDDiskProtect.exe>>>MediaFour MacDrive for Windows - easily open, edit and save files from Mac-formatted disks, format Mac disks and burn Mac CDs and DVDs

    QuickTime Task>>>System Tray access to Apple's "Quick Time" viewer

    icq.com>>>ICQ Lite - compact version of the popular messaging program

    MMReminderService>>>Related to Mind_Manager from Mindjet

    MsnMsgr>>>MSN Messenger, can easily be run manually

    NMBgMonitor>>>related to Nero Home, can be run manually if needed.
    swg>>>Google Toolbar notifier

    DellSupport>>>Agent which offers additional support for the Dell computer but can easily be run manually

    X1FileMonitor.exe>>>Related to X1's_Enterprise_Desktop Search Resource Center

    X1Systray.exe>>>Related to X1's_Enterprise_Desktop Search Resource Center

    YPOPs>>>Related to YPOPs! an application that provides POP3 access to Yahoo! Mail. Yahoo! Mail disabled free access to its POP3 service in 2002. This application emulates a POP3 server and enables popular email clients like Outlook, Netscape, Eudora, Mozilla, etc., to download email from Yahoo! account.

    Adobe Acrobat Speed Launcher>>>Supposedly speeds up the launch of Adobe (Acrobat) Reader 7. Really doesn't add much speed and can easily be launched manually

    Adobe Acrobat Synchronizer>>>Related to Adobe_Synchronizer component installed along with Adobe Acrobat Reader or other products. Doesn't need to run at Start.

    All of the above programs are really user choice on whether to run at start. Can easily be started manually. I recommend using Mike Lin's StartUp ControlPanel to easily manage start programs. It is free and a very small download. Once downloaded it can be found in the Control Panel.

    With all of the removals and scans I also recommend that you do a simple cleanup of the registry using RegCleaner. Another free program, very easy to use. Download the program. Click to open. Choose Tools, Registry Cleanup, Do them All. Let the program scan. It will find unnecessary or "dead" registry entries. Once the scan is complete then choose Select, Select All. Then click Remove Selected.

    I also recommend using SpywareBlaster to better protect the computer. Blocks malicious ActiveX installs by implementing a “kill bit” to prevent those ActiveX programs with known CLSIDs from being executed. Highly recommended! From Javacool Software.

    Finally, you should set a new, clean restore point for the computer.
    Right click the My Computer icon on the Desktop and click on Properties.
    Click on the System Restore tab.
    Put a check mark next to 'Turn off System Restore on All Drives'.
    System Restore will turn off.
    Wait a few minutes and then turn it back on doing the reverse.
    Judy
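    The services.msc, HijackThis and file-search steps in posts #3 and #5 can be checked from one place. The script below is an added example for readers of this thread; it is not from the thread, from HijackThis or from AVG. It only reads the registry, services and disk, and reports which of the indicators Judy quoted (the O2 CLSIDs, the nnnlmjk Winlogon Notify entry, the WinTrust32 service and the DLL/EXE paths) are still present, plus the Run-key autostart entries behind the startup-item review. The CLSIDs, names and paths are exactly those posted in the thread; the -Remediate switch is this example's own addition and assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example, not from the thread: read-only audit of the HJT indicators quoted above.
# Indicator values (CLSIDs, key name, service name, paths) are the ones posted in the thread.
# Assumes Windows PowerShell 3.0+ in an elevated prompt. -Remediate (this example's own
# addition) only stops and disables the service, mirroring the services.msc steps.
param([switch]$Remediate)

$indicators = @{
    # HJT O2 lines: Browser Helper Object CLSIDs
    Bho = @(
        '{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}',
        '{32391C4F-148B-4477-A109-B689B3A3E870}',
        '{7E853D72-626A-48EC-A868-BA8D5E23E045}',
        '{066A2CDC-319E-4460-BA45-C24562CD51AA}'
    )
    # HJT O20 line: Winlogon Notify package name
    Notify = 'nnnlmjk'
    # HJT O23 line: service name
    Service = 'WinTrust32'
    # Files referenced by those entries ("(file missing)" in HJT means the reference is dangling)
    Files = @(
        "$env:SystemRoot\system32\apexktlc.dll",
        "$env:SystemRoot\system32\vtuvw.dll",
        "$env:SystemRoot\system32\nnnlmjk.dll",
        "$env:SystemRoot\system32\wintrust32.exe"
    )
}

$findings = @()

# 1. BHOs register under this key; Internet Explorer loads each CLSID's InprocServer32 DLL.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in $indicators.Bho) {
    if (Test-Path -LiteralPath (Join-Path $bhoRoot $clsid)) {
        $server = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Type = 'O2 BHO'; Name = $clsid; Detail = $server.'(default)' }
    }
}

# 2. Winlogon Notify packages are DLLs loaded into winlogon.exe at logon.
$notifyKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$($indicators.Notify)"
if (Test-Path -LiteralPath $notifyKey) {
    $dll = (Get-ItemProperty -LiteralPath $notifyKey -ErrorAction SilentlyContinue).DLLName
    $findings += [pscustomobject]@{ Type = 'O20 Winlogon Notify'; Name = $indicators.Notify; Detail = $dll }
}

# 3. The service: report state, start mode and image path; optionally stop and disable it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($indicators.Service)'"
if ($svc) {
    $findings += [pscustomobject]@{ Type = 'O23 Service'; Name = $svc.Name
                                    Detail = "State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)" }
    if ($Remediate) {
        if ($svc.State -ne 'Stopped') { Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue }
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}

# 4. Files on disk (the manual system32 search asked for in post #5).
foreach ($path in $indicators.Files) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{ Type = 'File'; Name = $path
                                        Detail = "Size=$($item.Length) Modified=$($item.LastWriteTime)" }
    }
}

# 5. Autostart entries behind the startup-item review: per-machine and per-user Run keys.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in (Get-Item -LiteralPath $key).Property) {
        $findings += [pscustomobject]@{ Type = 'Run key'; Name = $name; Detail = $props.$name }
    }
}

if ($findings.Count -eq 0) { 'None of the listed indicators are present.' }
else { $findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap }
```

    Run it once before the HJT fix and once after the reboot; the Run-key section lists the same autostart names (TrueImageMonitor, igfxtray, and so on) that Judy reviews, so the two runs can be compared line by line. Without -Remediate the script changes nothing, which keeps it safe to run on a machine whose state is still uncertain.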


  6. #6
    Join Date
    Jun 2007
    Posts
    7

    ALL Fixed "I Think"

    Hi Judy,

    I spent the weekend fixing this problem...
    And without your help I could not have done it. I am in your debt..

    FYI:
    1. C:\WINDOWS\system32\apexktlc.dll -- was there and is now deleted..
    2. I cannot update to the current version of Java as one of the companies I work with will only allow specific versions. So, I will have to take my chances for now until I can convince them otherwise..

    Thanks Again,
    Gus

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Gus you really need to run a new HiJackThis scan and post the log here. We really need to see if the machine is truly clean.
    I cannot imagine what your employers are thinking not allowing java updates. Of course that is their business...but really this is their business they are taking chances with...but also their employees machines...
    To convince them to update their machines to the latest java version, which is version 6, update 1 then why not have them read this blog of Brian Krebs on Computer Security from the Washington Post, dated June 8, 2007 entitled;
    Sun Issues Java Security Update
    The first few sentences tell all....
    Sun Microsystems has issued an update to plug a pair of security holes in its Java Runtime Environment software....One of the security holes could be exploited to break into Windows machines by convincing a user to visit a corrupt Web site.
    Please run the new HJT scan and post back with the log.
    Judy
