surfsidekick, vx2, targetsaver, AND trojan, help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by timma05, May 10, 2006.

  1. timma05

    timma05 Private E-2

    Ok, I have been battling with all these nuisances: pop-ups coming out of nowhere, browser getting taken over, and I cannot permanently delete these suckers. Every time I run my Ad-Aware it brings up all these, so I delete them; then I run Norton and it brings these up and deletes them, but they come right back. Someone please help me end this malware crisis!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. timma05

    timma05 Private E-2

    Alright, I seem to have forgotten to include that when my computer starts up a white form shows up in the middle of my screen; there are no words, just a one-row, ten-column blank form. Ok, I tried running the Panda scan, but it doesn't work on Firefox. My HijackThis log is included.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask for a HijackThis log as the first step. You must run ALL steps in the procedure I gave to you. HijackThis is the last step and you must install it properly too. Please follow the directions already given. Use IE to run the online scanners when you get to step 6 but steps 0 thru 5 must be run before 6.
     
  5. timma05

    timma05 Private E-2

    Alright, 24 hours later I have completed the entire scavenger hunt... err, to-do list lol, so what's the next step?
     
  6. timma05

    timma05 Private E-2

    Oh, and another update: the pop-ups have slowed, but now I get 2 blank UL windows that just pop up together out of nowhere.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Complete the instructions as given in message # 2.
     
  8. timma05

    timma05 Private E-2

    Ok, all the scanners found were trojan clickers and the VX2 files.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must attach the logs from the scanners! No logs! No help! And you need a bunch! I need the other logs to workup a complete cleaning procedure.

    Did you run Windows Defender?
    Did you install HJT properly yet?
    Did you uninstall Messenger Plus 3 like step 0 of the READ ME recommends?
     
    Last edited: May 13, 2006
  10. timma05

    timma05 Private E-2

    Yeah, I know about the Norton; I've been trying to get rid of it and get back to my Avast. But that HJT log was from before I went through all the steps, and I didn't see that I was to uninstall MSN Messenger Plus. I have the logs from the scanners saved; which do you need at this time?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need exactly what I requested in message # 2 along with a HijackThis log that was obtained AFTER running the online scanners, after installing it correctly, and after all other steps in the READ ME have been completed including Windows Defender.

    Step 0 of the READ ME has a blurb about Messenger Plus!
     
  12. timma05

    timma05 Private E-2

    Ok, all logs as requested.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below shows that step 7 was still not followed. This is exactly where we do not want HJT installed and it is stated in step 7.
    C:\Documents and Settings\Kyle\My Documents\HijackThis.exe

    Hmmm! I thought you said
    Clearly not the case.
     
  14. timma05

    timma05 Private E-2

    I've tried installing it out of that, since it was a temp folder and all, but it seems that no matter where I save it the root is still the same. I've even tried moving it to the desktop, but it only makes a shortcut.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also did not obtain the Bitdefender log properly as the directions in step 6 indicate. The file should be an HTML file with a .txt extension, which is much easier to read than what you posted. Please follow directions properly to avoid delays in getting help. It will now take me longer to read through this file to see what was fixed and what remains.
     
  16. timma05

    timma05 Private E-2

    I saved it as HTML, but couldn't post that, so I went through and saved it as a .txt so I could attach it, sorry.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The procedure tells exactly how to save it to a .txt file that maintains the HTML code. And .txt files can be attached. Then all I have to do is rename the .txt to .html after downloading and I can read a nicely formatted file. It also requires no work on your part to edit the file.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read the directions!
    Create a folder named C:\Program Files\HJT

    Then move or copy the hijackthis.exe file into the above folder. Run Windows Explorer, locate C:\Program Files\HJT\hijackthis.exe and double click! That's all it takes! If you want a shortcut to it on your Desktop you can do that too, but it must reference C:\Program Files\HJT\hijackthis.exe
     
  19. timma05

    timma05 Private E-2

    Ok, ok, sorry, I was doing all this at 3 in the morning after working all day. I just re-installed HJT as instructed.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Just hang in there! I've been working up a fix! I'll be posting soon. There's a bunch to do.
     
  21. timma05

    timma05 Private E-2

    Alright, thanks a lot; at least the steps got rid of all of the pop-ups. And by the way, I'm hanging by a thread; the past 4 nights I've been up till 2-3 am trying to figure it out lol.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Zenosearch if found in Add/Remove programs

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Command Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    cmdService

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\defender1.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [keyboard] C:\\keyboard18.exe
    O4 - HKLM\..\Run: [newname] c:\\newname18.exe
    O4 - HKLM\..\Run: [defender] C:\\defender1.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinpqaf.exe CORN004
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinpqaf.exe
    O16 - DPF: {00000000-0000-0000-0000-100000000002} - http://code.jcash.biz/l/900bfa571675...a24fc4f_13.exe
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...36342D2D2D.exe
    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: URL - C:\WINDOWS\system32\zepfldr.dll (file missing)
    O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (some of these may not be found, just continue):
    C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\Zeno.lnk
    C:\Program Files\winupdates <--- delete this folder
    C:\WINDOWS\temp <--- delete all files in this Temp folder
    c:\windows\keyboard181.dat
    C:\WINDOWS\installerwnus.exe
    C:\WINDOWS\visfx500.exe
    C:\WINDOWS\S3lsZQ\ma5Ptk.vbs
    c:\windows\system32\MYDLL.dll
    C:\WINDOWS\system32\winmfu32.dll
    C:\WINDOWS\system32\pwinpqaf.exe
    C:\WINDOWS\system32\regperf.exe
    C:\WINDOWS\system32\reglogs.DDD
    C:\WINDOWS\system32\mvn2l95o1.dll
    C:\WINDOWS\system32\atmclk.exe
    C:\ZICORN004.exe
    C:\keyboard18.exe <--- delete any files starting with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe... etc.)
    c:\newname18.exe <--- delete any files starting with the text newname and ending in .exe (like newname1.exe, newname2.exe... etc.)
    C:\mousepad18.EXE <--- delete any files starting with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe... etc.)
    C:\defender1.exe <--- delete any files starting with the text defender and ending in .exe (like defender1.exe, defender2.exe... etc.)

    Also look for files named keyboardxx.dat, newnamexx.dat, mousepadxx.dat, defenderxx.dat (where xx is any number).


    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
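The cleanup in post #22 is four kinds of action repeated over many log lines: remove the registry entry HijackThis reports (Run value, Winlogon Notify key, URLSearchHook, Downloaded Program Files unit), kill the process, delete the file, and stop/disable/delete the rogue service. The script below is an added example for this thread, not code from HijackThis or from either poster. It parses HJT-style lines, applies the same triage rules the thread used (dangling "(no file)"/"(file missing)" entries, executables autostarting from the drive root, the keyboard/newname/mousepad/defender file families, an ActiveX download that is a bare .exe, plus an explicit analyst verdict for the rest) and emits the equivalent command-line plan as strings without running anything. The sample log is constructed: it contains lines from the thread's fix list plus three benign XP entries that are not from the thread, and the registry locations each section maps to are assumptions noted in the code. Requires Python 3.8 or later.

```python
"""Triage HijackThis (HJT) log lines and turn the flagged ones into a removal
plan that mirrors post #22: drop the Run / Winlogon Notify / URLSearchHook /
DPF entry, kill the process, delete the file, and remove the rogue service.

Added example for this thread, not code from HijackThis or from either poster.
SAMPLE_LOG is constructed: it mixes lines from the thread's fix list with three
benign XP entries so the triage has something to leave alone.  Every command is
returned as a string and never executed, so the plan can be reviewed and then
run from safe mode as the thread instructs.
"""
import re

# Assumed registry locations behind each HJT section (RUN_KEY sits under HKLM or HKCU).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
HOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$")
DANGLING = ("(no file)", "(file missing)")
# File families the thread swept with wildcards: keyboard18.exe, newname18.dat, ...
SWEEP = re.compile(r"^(keyboard|newname|mousepad|defender)\d*\.(exe|dat)$", re.I)

SAMPLE_LOG = [  # constructed sample; the "benign" lines are not from the thread
    r"R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)",
    r"O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",  # benign
    r"O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto",
    r"O4 - HKLM\..\Run: [keyboard] C:\\keyboard18.exe",
    r"O4 - HKLM\..\Run: [defender] C:\\defender1.exe",
    r"O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinpqaf.exe CORN004",
    r"O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_06) - http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab",  # benign
    r"O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...36342D2D2D.exe",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",  # benign
    r"O20 - Winlogon Notify: URL - C:\WINDOWS\system32\zepfldr.dll (file missing)",
    r"O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll",
]
# Entries the thread's expert judged bad that no generic rule above would catch.
ANALYST_BAD = frozenset({"winupdates", "BrowserUpdateSched", "winmfu32"})


def exe_path(cmd):
    """Executable part of an O4 command line, with HJT's doubled backslashes
    (C:\\keyboard18.exe) collapsed; '' if no .exe is visible."""
    m = re.match(r'^"?(.+?\.exe)"?(?:\s|$)', cmd, re.I)
    return re.sub(r"\\{2,}", r"\\", m.group(1)) if m else ""


def in_drive_root(path):
    """True for C:\\foo.exe: legitimate software almost never autostarts from
    the root of the drive, which every swept file in post #22 did."""
    parts = path.split("\\")
    return len(parts) == 2 and re.fullmatch(r"[A-Za-z]:", parts[0]) is not None


def service_removal(name):
    """Command-line equivalent of services.msc Stop + Disabled followed by
    HJT's 'Delete an NT Service' (post #22, cmdService)."""
    return [f'sc stop "{name}"', f'sc config "{name}" start= disabled', f'sc delete "{name}"']


def triage(lines, analyst_bad=frozenset()):
    """One finding per line that should be fixed: why, plus the commands that
    reproduce HJT's Fix and the file deletion the thread does in safe mode."""
    findings = []
    for line in (l.strip() for l in lines):
        reasons, cmds = [], []
        if line.endswith(DANGLING):
            reasons.append("dangling reference")
        if m := O4_RE.match(line):
            hive, name, cmd = m.groups()
            exe = exe_path(cmd)
            base = exe.rsplit("\\", 1)[-1]
            if in_drive_root(exe):
                reasons.append("autostart from drive root")
            if SWEEP.match(base):
                reasons.append("matches swept file family")
            if name in analyst_bad:
                reasons.append("analyst verdict")
            if reasons:  # value, then the running process, then the file (/f clears read-only)
                cmds = [f'reg delete "{hive}\\{RUN_KEY}" /v "{name}" /f',
                        f'taskkill /F /IM "{base}"', f'del /f /q "{exe}"']
        elif m := O16_RE.match(line):
            clsid, url = m.groups()
            if url.lower().endswith(".exe"):
                reasons.append("ActiveX object served as a bare .exe")
            if clsid in analyst_bad:
                reasons.append("analyst verdict")
            if reasons:
                cmds = [f'reg delete "{DPF_KEY}\\{clsid}" /f']
        elif m := O20_RE.match(line):
            name, dll = m.groups()
            if name in analyst_bad:
                reasons.append("analyst verdict")
            if reasons:
                cmds = [f'reg delete "{NOTIFY_KEY}\\{name}" /f']
                if not dll.endswith(DANGLING):
                    # winlogon.exe keeps Notify DLLs mapped, so this delete only
                    # works from safe mode ("it may not go away", post #24).
                    cmds.append(f'del /f /q "{dll}"')
        elif m := R3_RE.match(line):
            if m.group(1) in analyst_bad:
                reasons.append("analyst verdict")
            if reasons:
                cmds = [f'reg delete "{HOOK_KEY}" /v "{m.group(1)}" /f']
        if reasons:
            findings.append({"line": line, "reasons": reasons, "commands": cmds})
    return findings


if __name__ == "__main__":
    for cmd in service_removal("cmdService"):
        print(cmd)
    for f in triage(SAMPLE_LOG, ANALYST_BAD):
        print(f"\n{f['line']}\n  why: {', '.join(f['reasons'])}")
        for cmd in f["commands"]:
            print("  " + cmd)
```

Run it as-is to print the plan for the constructed sample; the three benign lines produce no finding, the eight lines from the thread's fix list do. The generic rules alone catch five of them (the two dangling entries, the two root-drive autostarts and the .exe DPF download); the other three only fall out through the analyst verdict, which is the part of this work that a script cannot do for you, and the reason the thread keeps asking for complete logs before writing a fix.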
  23. timma05

    timma05 Private E-2

    I don't have a Command Service in the list.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note that one item may give us trouble. This:
    O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll

    It may not go away. Sometimes we need a slightly different procedure to delete this kind of infection. We will see. If it comes back, we will get it in the next procedure!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue through ALL steps! It had been in one of your logs (not ALL logs), so I kept a procedure in to fix it if it was still hiding.

    As I said, just run ALL steps now from beginning to end no matter what happens. When you come back you can tell me of any other problems and then attach a new HJT log.

    I have to run now! 2:15 am and I have to get up at 6 am tomorrow! G'night!
     
  26. timma05

    timma05 Private E-2

    Lol, understood, I'll be at work here.
     
  27. timma05

    timma05 Private E-2

    Alright, my bedtime also. I'll be able to get back on here late Sat night.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not notice earlier that you had skipped step 3 in the READ ME. You have both Avast and Symantec antivirus applications installed. You must pick the one you prefer and uninstall the other.

    Other than the above and MessengerPlus! 3, you are clean.

    How are things working?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link! Make sure you do all steps. You don't need to uninstall MS Java. You already have Sun Java but your version is out of date.

    How to Protect yourself from malware!
     
  29. timma05

    timma05 Private E-2

    I had just Norton at the time of all the steps; I only just got Avast back because Norton needs to be activated, so that's why you didn't see it. I followed the step lol. I got Avast back, it seems like a better program, but I couldn't get rid of Norton at the time; now it is gone. Thanks for all the help. Give me a D for following instructions but a B for effort lol.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! As long as you have a working antivirus and you only have one installed, then all is good. Norton can be as difficult to remove as malware is. So be ready for problems in fully removing it from your PC.

    Can I now assume you have no more malware problems?
     
  31. timma05

    timma05 Private E-2

    Yes sir, thanks a million.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
