I think I have a trojan

Open My computer / open the c drive ....now drag MGTools.exe onto that window. It will now be C:\MGTools.exe. Now double click it and wait for it to finish running ( not forgetting to make the agreement for HJT).

We will review your logs as you come up in the quece.

 

Other than seeing this:

Code:

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.

You need to re-run SAS and have it fix what it finds.

You also need to use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 1"

Reboot, and download and install:
Java Runtime 6

Attach the new SAS log.

 

My bad....I did mean MBAM, not SAS. And you can either leave the items in quarantine or delete them, it doesn't matter.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   • Delete the C:\combofix folder from combofix (if it exists)
   
   
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
7. If you are running Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
8. After doing the above, you should work thru the below link:
   
   • How to Protect yourself from malware!
   
   

 

You can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created. Or in whatever subfolder they were put in.

 

Hi, Nessie

Did you do a system wide search for nircmd.exe, combofix.txt, and ComboFix-quarantined-files.txt logs... and delete them if found?

dr.m

 

Hi, Nessie-

Just delete the one you can find, then continue with TimW's Final Steps instructions.

Thanks,
dr.m

 

http://en.wikipedia.org/wiki/Sunjava

Please install the latest Java Runtime 6 via the link given at the bottom of post#6.

Thanks!

 

Go HERE and scroll down to find the jpeg association fix.

 

I would suggest that you pursue this in the software section for further help.