Avast found an instance of Win32:Pakes-AKM [trj] on my machine quite some time ago in C:\Windows\system32\consol.dll. Of course, it could not delete it or move it to chest, and nothing else has been able to work. I also could not wipe/shred it using Glary Utilities. I noticed it only while using IE, so simply just stopped using it and used only Firefox. Now, I just want to get rid of it once and for all. I have noticed through my searches that many people have posted their HijackThis log and someone has been nice enough to help them through the process, and I was hoping somebody might be able to do that for me too! I am not very wise in the ways of this kind of stuff, so please be patient with me and let me know if you need anything more from me.
I appreciate everyone’s help in advance!
My log is attached as pasting it exceeded maximum characters allowed.
Why couldn’t it be moved to the chest? What errors are displayed (file in use by another program, etc.)?
Have you tried a boot-time scan - If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.
I have indeed done a boot time scan on a couple of occasions, and that did not remove it. When I attempt to remove to chest, the message received is:
Access Denied: Cannot process “C:\Windows\system32\consol.dll” file
I also received an Access Denied message when trying to wipe it with Glary Utilities. I attempted to delete it upon re-boot through HijackThis, and that did not work either. I ran HouseCall on it, in which it was recognized, but also could not be removed.
Try Unlocker (http://ccollomb.free.fr/unlocker/); it is also good as it has a few additional features, not only deleting the files but also stopping any process that is stopping you from deleting a file.
If it is a process in Task Manager then it may be that which blocks it; try ending the process first before trying to move to the chest.
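As an added example (not part of the thread, and not Unlocker's or avast's code), here is a PowerShell script that does the check DavidR suggests: it lists which running processes currently have the DLL loaded, so you know what to end before retrying the move to chest. It assumes an elevated PowerShell prompt on the affected machine; the DLL name is the one named in the thread, and the function name is my own.

```powershell
# Added example, not from the thread: list the running processes that have a given
# DLL loaded, so you know which process to end before retrying "move to chest".
# Run from an elevated PowerShell prompt; the DLL name is the one named in the thread.
$DllName = 'consol.dll'

function Find-ProcessesWithModule {
    param([Parameter(Mandatory=$true)][string]$ModuleName)
    foreach ($p in Get-Process) {
        try {
            # Compare on the bare module name so the path the DLL was loaded from does not matter.
            $hit = @($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        } catch {
            # Protected/system processes refuse module enumeration; report it rather than hide it.
            Write-Warning ('Cannot read modules of {0} (PID {1}): {2}' -f $p.ProcessName, $p.Id, $_.Exception.Message)
            continue
        }
        if ($hit.Count -gt 0) {
            New-Object PSObject -Property @{
                ProcessName = $p.ProcessName
                Id          = $p.Id
                ModulePath  = $hit[0].FileName
            }
        }
    }
}

$holders = @(Find-ProcessesWithModule -ModuleName $DllName)
if ($holders.Count -gt 0) {
    $holders | Format-Table ProcessName, Id, ModulePath -AutoSize
    # Ending the holders is the step to take before retrying the move to chest.
    # Note that ending explorer.exe closes the desktop shell (restart it from Task Manager).
    # $holders | ForEach-Object { Stop-Process -Id $_.Id -Force }
} else {
    Write-Host "No running process currently has $DllName loaded."
}
```

A Browser Helper Object is loaded by Internet Explorer and by the Windows shell, so explorer.exe and any iexplore.exe are the usual holders to expect in the list; a warning for a process you cannot inspect is worth noting rather than ignoring, because that is also where an "Access Denied" on the file can come from.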
I have been able to take a quick look at your HJT log.
Obviously:
Unknown - FIX:
O2 - BHO: (no name) - {43113ACD-C9D0-4007-93AA-29786D4BB0FD} - C:\WINDOWS\system32\consol.dll
Unknown:
This and all other entries for DisplayLinkManager.exe look suspect; is this something that you are aware of and installed? Also see http://www.prevx.com/filenames/3367555367709079075-0/DISPLAYLINKMANAGER.EXE.html. It is pretty difficult to find any info on DisplayLink Core Software, which in itself could be suspicious, and the main thing is: do you know what it does?
Unknown - Redundant:
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
Do you use this? If not, FIX:
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
Thank you DavidR! I fixed those that you stated, except the DisplayLinkManager (which I use). However, it did not remove the O2-BHO for consol.dll. I will also try the other link you provided for Unlocker.
Edit: I downloaded Unlocker, but when I tried to unlock that file, it told me that the consol.dll file was not locked.
Now SuperAntiSpyware also detects several variants of Vundo (as does avast), so you could also try running SAS from safe mode (usually by pressing the F8 key during boot). This stops many programs from running and getting into memory (including some viruses); once in, run the SAS scan.
Problems getting into safe mode (USB keyboard, etc.)? Press Windows Start > Run > type msconfig into the run box and press Enter. When MSConfig starts, click the BOOT.INI tab and put a check mark against /SAFEBOOT. Next time you boot, Windows will automatically start in Safe Mode without any need to press F8. Remember later to take out the check mark, otherwise your PC will always boot in Safe Mode. Also see http://support.microsoft.com/kb/310560.
Thanks! Renamed HJT, but that still did not work. Downloaded Vundo and ran a scan, but it found no infected files. I find it strange that Avast finds this file, but other programs do not. Will download SAS and run a scan with that to see if it finds anything.
The only thing SAS found was 10 cookies. Ran the test in safe mode, and that was all that came up. Any ideas of what else I should try? Could Avast just be mistaken in that it is finding something that nothing else seems to be able to?
JTaylor, here is my Malwarebytes log. I have tried removing these files, and a reboot is required for a few of them to delete during boot-up; will do that now to see if it works.
Malwarebytes’ Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 2
After reboot, I re-scanned with Malwarebytes; the three BHO entries are still a problem, along with the other three Agent keys that had not been found by any other scanner. I cannot delete any of the registry keys.
Malwarebytes’ Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 2
In this case you need to manually find the entry in the registry and take ownership (permissions) of it, and you can then manually delete the key.
Windows, Start, Run and type regedit; you need to be using an account with administrator privileges. Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings
First export this key (right-click menu) before doing anything else, and give it a meaningful name so that you can remember what it is for. Right-click on this key, select Permissions, choose your account name, then tick Full Control, Allow in the bottom half of the window and click OK. This ensures you have permission to do what is necessary.
You will see the bf, bk and iu sub-sections; it is those and only those that you need to remove, so you need to exercise care as the remainder of the main key is important. First highlight (select) the bf part, right-click and select Delete; repeat for the bk and iu parts.
The same needs to be done for these (see below): navigate to the key, first export a copy, take ownership and finally delete the elements {43113acd-c9d0-4007-93aa-29786d4bb0fd} and {43113acd-c9d0-4007-93aa-29786d4bb0fd} in their respective keys (again exercise care and only delete these values and not the entire key).
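As an added example (my own script, not from the thread and not a tool DavidR mentions), here is the same procedure in PowerShell so the backup, permission change and deletion happen in a fixed order and nothing but the named sub-keys and values is touched. It assumes an elevated PowerShell prompt on an administrator account; the key path, the bf/bk/iu names and the CLSID are the ones quoted in the post, the function names are my own, and `$ValueKeys` is a placeholder for the "see below" key paths that are not reproduced in the thread.

```powershell
# Added example, not from the thread: scripted form of the steps above for the
# Browser Settings key (export, grant yourself Full Control, delete only bf/bk/iu)
# and for removing a single named value from the other keys. Run from an account
# with administrator privileges in an elevated PowerShell prompt.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
$RegPath   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'  # reg.exe form of the same key
$SubKeys   = @('bf', 'bk', 'iu')                         # sub-keys named in the post
$BadValue  = '{43113acd-c9d0-4007-93aa-29786d4bb0fd}'     # CLSID value name from the post
$ValueKeys = @()   # PLACEHOLDER: the key paths (HKLM:\... form) from the post's list, not reproduced here

function Backup-RegKey {
    param([string]$RegExePath, [string]$Label)
    # Always export before touching anything; the .reg file can be double-clicked to restore.
    $dir = Join-Path $env:USERPROFILE 'Desktop\RegBackup'
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $file = Join-Path $dir ('{0}_{1:yyyyMMdd_HHmmss}.reg' -f $Label, (Get-Date))
    & reg.exe export $RegExePath $file /y | Out-Null
    if (-not (Test-Path $file)) { throw "Export of $RegExePath failed; stopping before any change." }
    return $file
}

function Grant-FullControl {
    param([string]$Path)
    # Equivalent of Permissions -> your account name -> Full Control, Allow -> OK.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Browser Settings: backup, permissions, then remove only bf, bk and iu.
Backup-RegKey -RegExePath $RegPath -Label 'BrowserSettings' | Out-Null
Grant-FullControl -Path $KeyPath
foreach ($name in $SubKeys) {
    $target = Join-Path $KeyPath $name
    if (Test-Path $target) {
        Remove-Item -Path $target -Recurse -Force
        Write-Host "Removed sub-key: $target"
    } else {
        Write-Host "Not present (nothing to do): $target"
    }
}

# 2. The other keys: same order, but delete only the value named with the CLSID,
#    never the whole key.
foreach ($key in $ValueKeys) {
    Backup-RegKey -RegExePath ($key -replace '^HKLM:\\', 'HKLM\') -Label 'ValueKey' | Out-Null
    Grant-FullControl -Path $key
    $props = Get-ItemProperty -Path $key
    $found = $props.PSObject.Properties | Where-Object { $_.Name -eq $BadValue }
    if ($found) {
        Remove-ItemProperty -Path $key -Name $BadValue
        Write-Host "Removed value $BadValue from $key"
    } else {
        Write-Host "Value $BadValue not found under $key"
    }
}
```

The script deliberately stops if the export does not produce a file, because the .reg backup is the only undo for the deletions that follow; and it only ever deletes the three named sub-keys and one named value, which is the "exercise care" point in the instructions above.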