2 Trojan Viruses found by Bitdefender

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wrsknox, Jan 18, 2007.

  1. wrsknox

    wrsknox Private E-2

    I followed the steps in the Malware removal. I have run the Bitdefender virus scan twice and it has shown the same 2 trojan viruses even after it said they had been removed after the first scan.

    I have attached my counterspy scan log, bitdefender and hijack this log.

    How can I get rid of the 2 trojan viruses that seem to reappear after the Bitdefender scan and removal?

    Thanks for your help.

    Kevin
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach logs from ShowNew and GetRunKey from the READ ME.
     
  3. wrsknox

    wrsknox Private E-2

    Here are the two files you requested. Sorry I didn't post yesterday.

    Also, I tried removing Logitech Desktop Messenger through the 'Add/Remove' programs but it won't let me remove. I click on remove and it does nothing. I was able to remove a few of the other suggested programs to be removed.

    Thanks
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    J2SE Runtime Environment 5.0 Update 9

    CounterSpy
    (If you purchased it, you can leave it)

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    HL4554.EXE

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O14 - IERESET.INF: START_PAGE_URL=http://companyweb

    O18 - Protocol: bw+0 - {B563B28C-D04A-4D81-BC80-6D311AA558CC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    (Fix every one of these entries)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.



    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
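    An added example, not part of the thread and not a HijackThis component: a read-only PowerShell audit of the registry locations behind the R0/R1, R3, O4 and O18 entry classes listed above (the Internet Explorer "Main" URL values, URLSearchHooks, the Run keys and the PROTOCOLS\Handler subkeys). The key paths are the standard Windows locations these HijackThis classes are read from; the script only reports what is present and flags entries whose backing file or CLSID server cannot be found (the "(no file)" condition in an HJT log), so a fresh log can be compared against it after the FIX step. It assumes an elevated PowerShell session and changes nothing.

```powershell
# Added example, not code from the thread or from HijackThis: a read-only audit of the
# registry locations behind the HijackThis R0/R1, R3, O4 and O18 entry classes.
# It only reports; it changes nothing. Run in an elevated PowerShell session.

$report = New-Object System.Collections.Generic.List[object]

function Add-Finding($Class, $Location, $Value, $File) {
    # $File = $null means no backing file applies (URL values); '' means nothing resolved
    $expanded = ''
    if ($File) { $expanded = [Environment]::ExpandEnvironmentVariables($File) -replace '^"|"$', '' }
    $noFile = $false
    if ($null -ne $File) {
        # "(no file)" in HJT terms: no registered server, or a registered path absent on disk
        $noFile = (-not $expanded) -or (-not (Test-Path -LiteralPath $expanded))
    }
    $report.Add([pscustomobject]@{ Class = $Class; Location = $Location; Value = $Value; File = $expanded; NoFile = $noFile })
}

function Resolve-Clsid($Clsid) {
    # Map a CLSID to the DLL that implements it; '' if the CLSID is not registered
    foreach ($root in 'HKLM:\Software\Classes', 'HKCU:\Software\Classes') {
        $srv = "$root\CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $srv) { return [string](Get-ItemProperty -LiteralPath $srv).'(default)' }
    }
    return ''
}

# R0/R1: Internet Explorer "Main" URL values (machine and current user)
$ieValues = 'Start Page', 'Default_Page_URL', 'Default_Search_URL', 'Search Page'
foreach ($key in 'HKLM:\Software\Microsoft\Internet Explorer\Main', 'HKCU:\Software\Microsoft\Internet Explorer\Main') {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $ieValues) {
        if ($null -ne $props.$name) { Add-Finding 'R0/R1' "$key,$name" $props.$name $null }
    }
}

# R3: URLSearchHooks; each value name is a CLSID
$hooks = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
if (Test-Path -LiteralPath $hooks) {
    foreach ($p in (Get-ItemProperty -LiteralPath $hooks).PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip PS* metadata properties
        Add-Finding 'R3' "$hooks\$($p.Name)" $p.Name (Resolve-Clsid $p.Name)
    }
}

# O4: Run keys; every value is a command line started at logon
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # first token (quoted or bare) is the executable
        $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
        Add-Finding 'O4' "$key\$($p.Name)" $cmd $exe
    }
}

# O18: custom URL protocol handlers; each subkey holds a CLSID whose server is the handler DLL
$handlers = 'HKLM:\Software\Classes\PROTOCOLS\Handler'
if (Test-Path -LiteralPath $handlers) {
    foreach ($h in Get-ChildItem -LiteralPath $handlers) {
        $clsid = [string](Get-ItemProperty -LiteralPath $h.PSPath).CLSID
        Add-Finding 'O18' "$handlers\$($h.PSChildName)" $clsid $(if ($clsid) { Resolve-Clsid $clsid } else { '' })
    }
}

# Entries with NoFile = True are the "(no file)" leftovers; everything else is listed for review
$report | Sort-Object Class, Location | Format-Table Class, Location, Value, File, NoFile -AutoSize
```

Run it once before the FIX step and once after the reboot; an R1 or O18 line that is still listed afterwards means the value was recreated or never removed, which is exactly the situation the thread goes on to troubleshoot. The script deliberately does not delete anything, so it is safe to run on a machine that is still being investigated.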
     
  5. wrsknox

    wrsknox Private E-2

    Thanks for the help and information. Attached is my HiJack This log again. It looks like the R1 HKLM's are still present even though I fixed them. When I reset my web settings, there was no "Reset Web Settings" tab on my Programs tab (after right clicking my explorer icon and selecting Properties, then the Programs tab). I did "Reset Internet Explorer Settings" on the Advanced tab.

    I followed all of the instructions from your last post.

    I did not find the HL4554.EXE in my Task Manager.

    Also, my computer will not let me delete 'Logitech Desktop Messenger'. When I try to click remove (in the Add/Remove Programs) it does nothing.

    Here is the updated HiJackThis file:

    • Edit by bjgarrick: Inline HJT log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 22, 2007
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Your Uninstaller! 2006 5.0.0.256, save to desktop and install.

    Locate Logitech Desktop Messenger and uninstall this way. Once you are complete with this you can uninstall Your Uninstaller! and proceed with the next step.


    After you complete the above, read very carefully and proceed with these few scans.

    • Download Gromozon Removal Tool from Prevx1 to your desktop.
    • Disconnect from the internet by unplugging the cable and disable your antivirus.
    • Run prevxremovaltool.exe from the Desktop by double clicking on it.
    • Click the scan and follow the instructions on screen.
    • Once complete, reboot and make sure your AV is re-enabled.

    Next, please download Sophos Anti-Rootkit 1.1 and save to your desktop. Run a scan and if it finds anything try to remove them.


    Now, let's run one more scan using advanced rootkit technology.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.

    Once you have completed the above scan, I need the results from all scans and logs from all if possible.
     
  7. wrsknox

    wrsknox Private E-2

    I completed all of the tasks from your last post. I have attached the 2 logs you requested (Gromozon and blbeta's fsbl...... logs). Sophos scan did not detect anything and did not leave a log report. None of the 3 processes found anything.

    Also, the Uninstaller DID remove the logitech desktop messenger for me as well.

    Please let me know if I need to do anything else.

    Thanks so much for your help.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's odd, I guess it's not what I thought.

    Please attach a fresh HJT log.
     
  9. wrsknox

    wrsknox Private E-2

    Here is the new HijackThis Log:

    Thanks
     

    Attached Files:

    Last edited by a moderator: Jan 27, 2007
  10. wrsknox

    wrsknox Private E-2

    I attached the HJT log on this reply, the last reply I "cut and pasted". Not sure which way you prefer it.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would like you to completely shut down TrendMicro and without restarting attach a fresh HJT log.
     
  12. wrsknox

    wrsknox Private E-2

    I temporarily removed Trend from my computer, then I ran the attached HJT log.

    Thanks
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good; I would, however, reboot into Safe Mode and delete the following folder.

    C:\Program Files\Logitech\Desktop Messenger

    Once you complete this reboot back to normal mode and let me know how things are running.
     
  14. wrsknox

    wrsknox Private E-2

    I deleted the Logitech\Desktop Messenger file during Safe Mode.

    My computer seems to be running good. Thanks so much for all of your help.

    Let me know if I need to do anything else.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's all, are you having any current problems?
     
  16. wrsknox

    wrsknox Private E-2

    I don't think so. My computer seems to be running fine. I really do appreciate your help. I'll let you know if anything weird happens.

    Thanks
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good deal, glad things are running well.

    You should see this article on How to Protect yourself from malware!

    Surf Safely!:)
     
