Thread: Log help
06-06-2006, 11:29 PM   #8
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,117
OS: WinXP and Vista


Hi,
That's fine. When we fix the entry in HijackThis, it also tries to delete the associated file. We list it for manual deletion 'just in case' as the infection will resurface if the file is left on the system.

We need to find out what's going on here. Every time we run a scan, or fix one entry with HijackThis, another one shows up.

-------------------------------------------

Please download the ISTBar removal tool from Symantec into its own folder. Do not run it yet.

-------------------------------------------

Reboot into Safe Mode.

-------------------------------------------

Run a scan in HijackThis. 'Check' the following entry:

O4 - HKLM\..\Run: [-] C:\WINDOWS\tfpdalk.exe


Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following file if it still exists:

C:\WINDOWS\tfpdalk.exe

---------------------------

Run the ISTBar removal tool.

---------------------------

Run CleanUp! again. Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
  • Click OK
  • Press the CleanUp! button to start the program. Reboot/logoff when prompted.

---------------------------

Reboot into Normal Mode.

---------------------------

I'd like to use a different online scanner this time:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."