WinAntivirus and other popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by 4nier, Jul 26, 2006.

  1. 4nier

    4nier Private E-2

    I’ve recently spent a considerable amount of time attempting to rid my computer of irritating WinAntivirus and other popups, some of which are not appropriate for my young children. I run McAfee Antivirus and purchased McAfee Antispyware in a futile attempt to stop the popups. I then tried CWShredder, Ad-Aware, Spybot, and Windows Defender, all in normal and safe modes, to no avail. At this point McAfee was recognizing a Trojan virus at startup, but was not able to correct it. After further digging into various forums, which are really helpful (thanks to all who take the time to help out those with less of an aptitude for computers), I downloaded and tried VundoFix which found nothing. I then downloaded Trojan Hunter which identified and renamed an infected module (C:\Windows\system32\pmkhi.dll) and found and supposedly removed a Vundo virus. This seems to have solved my popup problem, however, now when I open two of the three accounts on my computer a window opens on login saying “Error Loading C:\Windows\system32\pmkhi.dll – The specified module could not be found.” If the virus was removed, why then is something still looking for this module? Do I have a disabled virus which could eventually resurrect itself? I’ve included the log from HijackThis. Thanks in advance for any help!
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall if found:

    Logitech Desktop Messenger

    WinAntivirus

    Next we need to disable or close McAfee AntiSpyware and Windows Defender so that they will not block anything we attempt to fix.

    Please run the below two online scanning tools and make sure you save and attach the logs later to any request for help that you post. You will need to use Internet Explorer to run these online scans.

    *** MAKE SURE YOU RUN BITDEFENDER BEFORE PANDA ACTIVE SCAN ***
    • Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

      Click-on the Detected Problems tab. Then select Click here to export the scan report

      When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan and then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

      If you do not follow these steps, you will have an incorrect log or worse a log summary which is useless to us.

      Post the bdscan.txt file as an ATTACHMENT. See: HOW TO: Attach Items To Your Post
    You MUST attach the Bitdefender log even if it indicates no problems. We want to see it anyway!!!!
    • Panda ActiveScan It will only fix certain viruses and trojans. Most items found will not be fixed. When it finishes the scan click on See Report . Then in the next window click Save Report. The default report name is Activescan.txt. Just save it where you can find it so you can attach to your message when you begin a thread with a request for help. If you have any problems trying to get a PandaActiveScan log, see the following link with more detail and follow it step by step: Using PandaActiveScan
    If you use Avast antivirus and it gives you an error like below when trying to use Panda, just disable Avast while you run the scan. The error is a false positive:


    Now, please download and run SysProtect Remover. Once it is running click the "Remove Now" button and follow the on screen instructions.

    After running these scans, reboot and attach a fresh HJT log from normal mode.
     
    Last edited: Jul 26, 2006
  3. 4nier

    4nier Private E-2

    bjgarrick: Thanks so much for your quick reply. I think I'm beginning to see a light at the end of the tunnel. I uninstalled Logitech Desktop Messenger and did not find WinAntivirus. I ran BitDefender followed by Panda ActiveScan in Safe Mode with Networking Support. BitDefender appears to have found a virus and a potential Trojan. Panda found some cookies. I also ran HJT in normal mode (it appears to be smaller - I hope that's a good sign). I've attached the three logs as requested.

    Thanks again for your help - I really do appreciate it! I think I'll start sleeping better.

    Jay
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run the "SysProtect Remover" as requested in my previous post? If not, please do so, reboot and attach a fresh HJT log.
     
  5. 4nier

    4nier Private E-2

    bjgarrick: Sorry! I missed the SysProtect Remover step as I was using a printed copy of the embedded message in an e-mail I received, and this step was not included. I ran SysProtect Remover both in the normal and safe modes, rebooted in normal mode, and ran HJT. See attached log.
    Thanks for your help!!!
    Jay
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O11 - Options group: [INTERNATIONAL] International*

    O15 - Trusted Zone: http://www.comcast.net

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  7. 4nier

    4nier Private E-2

    bjgarrick: I ran HJT from the admin account (I have 2 Limited User accounts also) and fixed the entries you listed. I then ran CCleaner, Ad-Aware SE, Spybot S&D, and cleanmgr first in normal mode and again in safe mode. I rebooted, did a system restore, rebooted again, and ran HJT (hijackthis1, see attached log). On all three accounts, on login, I'm getting an Unable to Locate a CameraAssistant.exe because MFC71.dll was not found. This appears to be associated with my Logitech webcam which I will reinstall. I'm also still getting the Error Loading C:\Windows\system32\PMKHI.dll, Specified Module Could not be Found on login for the 2 Limited User accounts. I ran HJT on both these accounts and attached the logs (hijackthis2 and hijackthis3). These logs appear to be different. Will I need to make both these accounts admin and run all these things we did the past couple of days for each of these accounts?
    Thanks for your patience and help!!!
    Jay
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would recommend running Ad-Aware, Spybot and CCleaner on each account because each account has its own settings.

    Your HJT log #1 is clean, however log #2 is not completely so follow the fix below for HJT log #2.

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\system32\pmkhi.dll,CreateProtectProc

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Once you complete the fix above for HJT log #2, proceed to the next fix. The entries below may not appear in this account but as a precaution check and see.

    Login to the account where HJT log #3 came from and scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\system32\pmkhi.dll,CreateProtectProc

    O15 - Trusted Zone: http://www.neopets.com
    O15 - Trusted Zone: http://play.toontown.com

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Once you complete this post, reboot and let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
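    The `[cmds]` entries above explain the "Error Loading ...pmkhi.dll" message that survived the cleanup: the Run value still tells rundll32 to load the DLL at logon, and because it sits under HKCU it exists separately in each user's hive, which is why the limited accounts kept showing it. As an added example (not code from this thread or from HijackThis), here is a small Python parser for HJT O4 lines that picks out rundll32 DLL autoruns, notes whether they are per-user or machine-wide, and records whether the referenced DLL is still on disk; the sample lines are copied from this post, and the list of present files is a constructed stand-in for a real `os.path.exists` check.

```python
import re

# Constructed sample: the O4 lines quoted in this post plus one non-O4 line.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [LogitechCameraAssistant] C:\\Program Files\\Logitech\\Video\\CameraAssistant.exe
O4 - HKCU\\..\\Run: [cmds] rundll32.exe C:\\WINDOWS\\system32\\pmkhi.dll,CreateProtectProc
O4 - HKLM\\..\\Run: [LogitechCameraService(E)] C:\\WINDOWS\\system32\\ElkCtrl.exe /automation
O15 - Trusted Zone: http://www.neopets.com
"""

# HJT O4 format: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# rundll32 invocations of the form "rundll32.exe <path>.dll,<ExportName>"
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(.+?\.dll)\s*,\s*(\w+)", re.IGNORECASE)


def parse_o4(line):
    """Parse one HJT O4 line into a dict, or return None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    entry = {
        "hive": hive, "key": key, "name": name, "command": cmd,
        # HKCU lives in each user's own hive, so the entry (and any error it
        # produces at logon) has to be looked for in every account separately.
        "scope": "per-user" if hive == "HKCU" else "machine-wide",
        "dll": None, "export": None,
    }
    r = RUNDLL_RE.match(cmd)
    if r:
        entry["dll"], entry["export"] = r.group(1), r.group(2)
    return entry


def find_rundll32_autoruns(log_text, present_files):
    """Return the O4 entries that load a DLL through rundll32, flagging whether
    the DLL still exists. present_files is a constructed stand-in for checking
    the live disk; a missing DLL is exactly what produces the 'specified module
    could not be found' message at logon."""
    present = {p.lower() for p in present_files}
    found = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e and e["dll"]:
            e["dll_present"] = e["dll"].lower() in present
            found.append(e)
    return found


if __name__ == "__main__":
    for e in find_rundll32_autoruns(SAMPLE_HJT_LOG, []):
        print(e["scope"], e["hive"], e["name"], e["dll"], e["export"], "present:", e["dll_present"])
```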
     
  9. 4nier

    4nier Private E-2

    bjgarrick: I cleaned the other two HJT logs and ran CCleaner, Ad-Aware, and Spybot in both accounts in Safe Mode. I followed this by a system restore. Everything appears to be working fine!!! The system is running faster than it has in months. I and my children are truly grateful!
    Cheers!
    Jay
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. 4nier

    4nier Private E-2

    bjgarrick:
    Great article. I'll keep it handy. Thanks again for all your help!
    Jay
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
