win32:monder-ho

I got this Trojan (or worm) a couple of days ago and cannot get rid of it. I thought it was cleaned, but the symptoms are that I continue to get pop-up windows (adware). It also seems that I am prevented from setting things like Google preferences to 100 (from the default of 10).

Essexboy offered a fix (unknown) to mr_metoo, but I don't know if that worked. It seems to transmute into different file names that are infected (

Can anyone offer advice on how to get rid of this thing?

Thanks so much…

Download and run Malwarebytes' Anti-Malware. Quarantine the trojan if found.

After you finish with MBAM, download HiJackThis and post a log.

Ran Malwarebytes. It found 18 infected files and requested a computer reboot. Then ran HijackThis; log attached. Reran Malwarebytes and it found nothing, but I am not convinced it is completely gone. Thanks for your help and input.

Close all browsers, then start HijackThis, select the following entry and click Fix checked:

O4 - HKLM\..\Run: [d4f6c946] rundll32.exe "C:\WINDOWS\system32\gfvmqnxv.dll",b

Your Sun Java is down-level and has security exposures.

Go to Add/Remove Programs and uninstall all Sun Java installations, then reboot to ensure that they are removed.

Download JavaRa then run it to have it remove any Sun Java remnants and update to its latest level:
http://raproducts.org

SP3 has been out for over 5 months and contains several security updates, so in IE go to Tools, then Windows Update.

By the way, it looks like you are still using the old IE6, which is quite vulnerable to infections.

IE7 is so much better and has much more security built in:
http://www.microsoft.com/windows/products/winfamily/ie/features.mspx

There’s still a lot of malware in the log. Try these scanners:

http://vundofix.atribune.org/

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free

Hi kandue,

You did not update Microsoft Windows to the latest Service Pack; you may consider doing that once you are malware free.
Start by running ftp://ftp.f-secure.com/anti-virus/tools/f-vmonde.zip
to get rid of your Vundo infection. Win32.Monder.Gen resides in the System Volume Information folder, where restore points are stored, so you might have to turn off System Restore and
turn it back on later: http://support.microsoft.com/kb/310405

Also, I could not see any active firewall running there.
Check pmtyvn.dll, qfvmqnxv.dll and cbxRHX0L.dll at VirusTotal and, if they are malware, fix them.

Check the active system tasks running on your machine.
Survey of active tasks (process, type, description):

smss.exe (System task): Session Manager Subsystem
winlogon.exe (System task): Microsoft Windows Logon Process
services.exe (System task): Windows Service Controller
lsass.exe (System task): Local Security Authority Service
Ati2evxx.exe (Driver): ATI Display Adapter Assistant
svchost.exe (System task): Microsoft Service Host Process
svchost.exe (System task): Microsoft Service Host Process
aswUpdSv.exe (Virusscan): Avast Anti-Virus Component
ashServ.exe (Virusscan): Avast
tsircusr.exe (Background task): TSIRCUSR. Important: some malware camouflages itself as tsircusr.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the tsircusr.exe process on your PC at www.virustotal to see whether it is a pest.
Explorer.EXE (System task): Microsoft Windows Explorer
spoolsv.exe (System task): Microsoft Printer Spooler Service
ehtray.exe (Background task): Microsoft Media Center Tray Icon
jusched.exe (Background task): Sun Java Update Scheduler
iaanotif.exe (Background task): Intel RAID event monitor
PhotoshopElementsFileAgent.exe (Background task): Adobe Photoshop Elements
CTSysVol.exe (Driver): Creative Volume Manager
CTDVDDET.EXE (Background task): CTDVDDet
CTHELPER.EXE (System task): CTHELPER is a background task that is a plug-in manager for Creative drivers.
DVDLauncher.exe (Background task): A process belonging to the Cyberlink PowerCinema video viewing software, which allows you to play DVDs upon insertion.
issch.exe (Application): InstallShield Update Service
CDAC11BA.EXE (Background task): cdac11ba; part of the copy-protection software "Macrovision Safe Cast".
WFXSWTCH.exe (Unknown task): An application that does NOT appear to be a security risk. The Process Server database currently registers wfxswtch.exe to Symantec. This is part of Symantec WinFax.
wfxsnt40.exe (Background task): Symantec WinFax; a non-essential process, but it should not be terminated unless suspected of causing problems.
CTsvcCDA.EXE (Background task): Creative CD-ROM Services
pptd40nt.exe (Background task): ScanSoft PaperPort
ehRecvr.exe (Background task): Media Center Receiver Service
ehSched.exe (Background task): Microsoft Media Center Scheduler Service
iaantmon.exe (Background task): Intel Application Accelerator RAID Monitor
fpdisp4.exe (Background task): Printer spooler process for FinePrint printers
VCDDaemon.exe (Background task): Elaborate Bytes Virtual CloneDrive
apdproxy.exe (Application): Adobe Photoshop Album
LSSrvc.exe (Background task): Nero LightScribe Module
VersionCueCS2Tray.exe (Background task): Adobe Version Cue CS2
Acrotray.exe (Background task): Acrobat Traybar Assistant
tfswctrl.exe (Application): HP DLA Packet Writing Software (DirectCD)
fppdis1.exe (Background task): pdfFactory; with pdfFactory you can create PDF documents from any program by printing to the virtual PDF printer.
fppdis3a.exe (Background task): FinePrint pdfFactory Pro
PnkBstrA.exe (Checked task): pnkbstra.exe. This is usually installed with the latest games like Battlefield 2142 and America's Army. It is usually detected as malware, but if removed it will affect the installed games, especially when online.
ashDisp.exe (Virusscan): Avast AntiVirus
Opware15.exe (Background task): OmniPage from Nuance (was ScanSoft)
WrtMon.exe (Driver): WrtMon.exe
WrtProc.exe (Driver): WrtProc.exe
sprtcmd.exe (Background task): Internet Utility
THGuard.exe (Anti-Adware/Spyware software): THGuard.exe. Some malware camouflages itself as THGuard.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the THGuard.exe process on your PC at VirusTotal to see whether it is a pest.
NMBgMonitor.exe (Background task): Nero Home
NMBgMonitor.exe (Background task): Nero Scout
AnyDVD.exe (Background task): AnyDVD is a driver which descrambles DVD movies automatically in the background.
pg2.exe (Background task): PeerGuardian 2
RegistryRepairPro.exe (Background task): 3B Software Windows Registry Repair Pro
DSAgnt.exe (System task): Dell Support Agent offers additional support and update features for your Dell computer or laptop.
GoogleToolbarNotifier.exe (Background task): GoogleToolbarNotifier
isuspm.exe (Background task): InstallShield Automatic Updater
sprtsvc.exe (Background task): SupportSoft Agent Service
svchost.exe (System task): Microsoft Service Host Process
Tablet.exe (Background task): Wacom Win32 Tablet Service
SD Monitor.exe (Driver): Microtek Scanner Console
TSIRCSRV.EXE (Unknown task / Background task): WinFax Service. The file tsircsrv.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 102400 bytes (76% of all occurrences) and 98304 bytes. Some malware camouflages itself as tsircsrv.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the tsircsrv.exe process on your PC at VirusTotal to see whether it is a pest.
qbupdate.exe (Background task): QuickBooks Update Agent
WFXMOD32.EXE (Background task): WinFax Serial Modem Driver
QuickScan.exe (Unknown task)
TabUserW.exe (Background task): Wacom Pen Tablet Module; driver for Wacom tablet
CALMAIN.exe (Driver): Canon Camera Access Library
pddlghlp.exe (Background task): Dialog Helper
ashMaiSv.exe (Virusscan): Avast Anti-Virus Component
ashWebSv.exe (Virusscan): avast! Web Scanner
ehmsas.exe (Background task): Microsoft Media Center State Aggregator Service
dllhost.exe (System task): Microsoft DCOM DLL Host Process
svchost.exe (System task): Microsoft Service Host Process
rundll32.exe (System task): Microsoft Rundll32
msmsgs.exe (Application): MSN Messenger
ZPlayer.exe (Unknown task)
firefox.exe (Application): Mozilla Firefox
hijackthis_sfx.exe (Unknown task)
PDExplo.exe (Unknown task): Check the PDExplo.exe process on your PC to see whether it is a pest.
rundll32.exe (System task): Microsoft Rundll32
HijackThis.exe (Application): HijackThis
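
A defender's way to produce the kind of process survey above without checking each name by hand, added here as an example and not posted by anyone in this thread. It assumes Windows PowerShell 5.1 or later and an elevated prompt (the machine in the thread is Windows XP, which has no PowerShell, so this is the modern equivalent of the same check). For each running process it records the image path, whether that image lives in the Windows or System32 folder (where the survey says malware likes to camouflage under benign names), the Authenticode signer, and a SHA256 hash that can be searched on VirusTotal instead of uploading the file. It also captures the command line, because a rundll32.exe process looks like "Microsoft Rundll32" until you see which DLL it was told to load; the O4 entry earlier in this thread passes gfvmqnxv.dll exactly that way.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ run elevated.
# Produces a per-process survey like the one in the post above, with the extra
# columns a defender actually uses: image path, signer, SHA256, command line.

$systemDirs = @(
    $env:SystemRoot,                          # C:\Windows
    (Join-Path $env:SystemRoot 'System32')    # C:\Windows\System32
)

# Get-Process does not expose command lines; Win32_Process does. rundll32.exe
# is a genuine Microsoft binary, but the DLL it was asked to load shows up here.
$cmdLines = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $cmdLines[[int]$_.ProcessId] = $_.CommandLine
}

$report = foreach ($p in Get-Process) {
    $path = $p.Path            # null for processes we cannot open (System, csrss, ...)
    if (-not $path) { continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Name        = $p.ProcessName
        PID         = $p.Id
        Path        = $path
        InSystemDir = ($systemDirs -contains (Split-Path $path -Parent))
        SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        CommandLine = $cmdLines[[int]$p.Id]
    }
}

# Anything running out of the Windows or System32 folder that is not validly
# Microsoft-signed is where a camouflaged file would sit. rundll32 hosting a DLL
# from an odd path is the other pattern, so its command lines are listed too.
$suspect = $report | Where-Object {
    $_.InSystemDir -and -not ($_.SigStatus -eq 'Valid' -and $_.Signer -like '*Microsoft*')
}

$suspect | Sort-Object Name | Format-Table Name, PID, SigStatus, Signer, SHA256 -AutoSize
$report | Where-Object { $_.Name -eq 'rundll32' } | Format-List Name, PID, CommandLine
$report | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\process-survey.csv') -NoTypeInformation
```

The CSV is what you would attach to a forum post instead of a hand-typed list. On 64-bit Windows, SysWOW64 is a third folder worth adding to $systemDirs, and a "Valid" signature from a non-Microsoft vendor in System32 is not automatically bad (printer and scanner drivers do that), which is why the signer is shown rather than used as the only filter.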

Polonus,

thanks for the suggestions.

As an update, I ran HijackThis but there is no entry for

O4 - HKLM\..\Run: [d4f6c946] rundll32.exe "C:\WINDOWS\system32\gfvmqnxv.dll"

I enclosed the new log.

I ran VundoFix 7.06; it did not find anything. f-monde did not find anything either.

I am not running Internet Explorer, Firefox only.

There is no firewall on Windows, but I thought that there was usually one running on the Linksys router?

Hi kandue,

Fix this entry with HJT after you have uploaded the file to VirusTotal: O20 - AppInit_DLLs: pmtyvn.dll
Did you upload pmtyvn.dll, qfvmqnxv.dll and cbxRHX0L.dll to VirusTotal? Can you give the scan results
for these as an attached file in your next posting?

pol

Polonus,

I did a search for pmtyvn.dll on my C drive, but it is not there. Where is AppInit_DLLs: pmtyvn.dll?

Thanks

Ensure that showing hidden files and folders is enabled and that hiding protected operating system files is disabled, in Windows Explorer under Tools, Folder Options, Hidden files and folders (see image).
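
The O4 and O20 lines in this thread come from two registry locations: the Run keys under HKLM and HKCU \SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, whose DLLs are loaded into every process that loads user32.dll. A bare name there such as pmtyvn.dll is resolved from System32, and the file is typically marked hidden, which is why an ordinary Explorer search comes up empty. The script below, added as an example and not from any poster here, reads both locations, resolves each referenced file with -Force so hidden and system files are found, and prints the hidden attribute, signature status and SHA256 for a VirusTotal lookup. It assumes Windows PowerShell 5.1 or later and an elevated prompt; the regex that pulls a path out of a Run command is a simplification written for the rundll32-style entries shown in this thread.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ run elevated.
# Reads the autostart locations behind HijackThis O4 (Run keys) and O20
# (AppInit_DLLs) entries, finds the referenced files even when hidden, and
# hashes them for a VirusTotal lookup.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# AppInit_DLLs lives here; every process that loads user32.dll loads these DLLs.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AutostartEntries {
    $entries = @(foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            [pscustomobject]@{ Source = 'O4'; Key = $key; Name = $name; Command = [string]$props.$name }
        }
    })
    $appInit = (Get-ItemProperty -LiteralPath $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    # The value is a comma- or space-separated list; bare names resolve from System32.
    foreach ($dll in ([string]$appInit -split '[,\s]+' | Where-Object { $_ })) {
        $entries += [pscustomobject]@{ Source = 'O20'; Key = $appInitKey; Name = 'AppInit_DLLs'; Command = $dll }
    }
    $entries
}

function Resolve-AutostartFile {
    # Extracts the first absolute .dll/.exe path (quoted or not) from a Run
    # command such as   rundll32.exe "C:\WINDOWS\system32\gfvmqnxv.dll",b
    # or takes a bare DLL name and looks for it in System32.
    # Simplified regex written for the entries seen in this thread (assumption).
    param([string]$Command)
    $m = [regex]::Match($Command, '(?i)([a-z]:\\[^",]+?\.(?:dll|exe))|([\w.-]+\.dll)')
    if (-not $m.Success) { return $null }
    $candidate = $m.Groups[1].Value
    if (-not $m.Groups[1].Success) {
        $candidate = Join-Path (Join-Path $env:SystemRoot 'System32') $m.Groups[2].Value
    }
    # -Force is the part that finds hidden and system files an Explorer search skips.
    Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
}

$results = foreach ($e in Get-AutostartEntries) {
    $file = Resolve-AutostartFile -Command $e.Command
    if ($file) {
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $status = $sig.Status
        $hidden = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $hash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        $found  = $file.FullName
    } else {
        $status = $null; $hidden = $null; $hash = $null; $found = '(not found)'
    }
    [pscustomobject]@{
        Source    = $e.Source
        Name      = $e.Name
        Command   = $e.Command
        File      = $found
        Hidden    = $hidden
        SigStatus = $status
        SHA256    = $hash
    }
}

$results | Format-Table Source, Name, File, Hidden, SigStatus, SHA256 -AutoSize
```

An O20 row whose file is Hidden, unsigned and located in System32 under a random-looking name is the pattern this thread is chasing; the SHA256 column lets you search VirusTotal for an existing verdict before deciding what to fix in HijackThis. On 64-bit Windows add the Wow6432Node copies of the Run keys to $runKeys, since 32-bit autostarts are registered there.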