honey_sucker7814 Posted December 27, 2008

I installed MAMB.. Ran full scan... rebooted... no luck. Tried in safe mode... deleted the reg entries given in other forums... no luck. I am posting my HijackThis log... Please help.

Andro1d Posted December 27, 2008

Hello and Welcome to the forums. I am MoNsTeReNeRgY22 and I will be assisting you with your computer problem today.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

honey_sucker7814 Posted December 27, 2008

Here is the requested log..

Andro1d Posted December 27, 2008

Hello again,
Please look back at post #2 with its updated instructions.

honey_sucker7814 Posted December 27, 2008

Here is the output from Smitfraudfix

Andro1d Posted December 29, 2008

Hello again,

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

honey_sucker7814 Posted December 29, 2008

Thanks a lot for your help...

Once I rebooted, the Spyware guard came right away. Once I reboot, I get the Windows Security center window and then comes the spyware guard stuff.
Really appreciate your help...

Andro1d Posted December 29, 2008
Hello again,
Download Roguescanfix.
Double-click roguescanfix_setup to install automatically to C:\Program Files\Roguescanfix.
Accept the agreement and click Next.
Under additional icons, check "create a desktop icon", click Next, then Install.
You will be prompted to launch roguescanfix now. Click "Finish".
At the DOS window that opens "Press any key to continue..."
Note: This tool needs an internet connection because it downloads an additional file to let the tool work properly. If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message "BFU.exe is not present", download BFU.zip from here.
Unzip it and place BFU.exe inside the Roguescanfix folder. Then double-click Run.bat again.
The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs is finished before you click Yes to reboot.
A text file will open. Place the contents of that file in your next reply, along with a new Hijackthis logfile. (The text file can also be found at C:\Program Files\Roguescanfix\task.txt)

honey_sucker7814 Posted December 29, 2008 Author
I cannot find BFU.exe in the link that you provided me.

Andro1d Posted December 29, 2008
Sorry about that, here is an updated link.
http://majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

honey_sucker7814 Posted December 29, 2008 Author
Here you go my friend....

task.txt

Export SharedTaskScheduler key
------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:39, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Quest Software\Toad for Data Analysis Trial 2.0\DB2 Client\BIN\db2mgmtsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\SiebelAnalytics\web\Bin\sawjavahostsvc.exe
C:\SiebelAnalytics\Bin\NQSComGateway.exe
C:\SiebelAnalytics\Bin\nqsserver.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\AccessManager\Client\sygman.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\Firetray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\SiebelAnalytics\SQLAnywhere\dbeng8.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\LANDesk\LDClient\LDISCN32.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.merck.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.21.1.117:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeFireTray] C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\Firetray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [MerckPrivateDataCheck] cachedos C:\Windows\System32\MyLocalDataShorcutcheck.vbs
O4 - HKLM\..\Run: [sDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDISCN32.EXE" /NTT=USSE1LDMSNA01.na.merckgroup.com:5007 /S="USSE1LDMSNA01.na.merckgroup.com" /I=HTTP://USSE1LDMSNA01.na.merckgroup.com/ldlogon/ldappl3.ldz /NOUI /W=900
O4 - HKLM\..\Run: [intelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /to=30
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /noreboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.merckgroup.com (HKLM)
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.microsoft.com/activex/contr...ce/outlctlx.CAB
O16 - DPF: {00D9C306-6B11-492A-9AFC-C53CE30849CF} (Siebel SmartScript) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Smartscript.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - http://quickr02.merck.de/qp2.cab
O16 - DPF: {06314967-EECF-11D2-9D64-0000949887BE} (Siebel ERM eBriefings Offline Content Synchronization Control) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_ERM_ContentSync.cab
O16 - DPF: {0D68687A-A2A3-46EB-9ED9-956C83875A6C} (Siebel Marketing HTML Editor) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Marketing_HTML_Editor.cab
O16 - DPF: {169ADD4B-EE8B-4B27-B332-2941A82DA7E2} (Siebel Microsite Layout Designer) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Microsite_Layout.cab
O16 - DPF: {16C7BBB7-738A-47D7-956E-52DD9A166A9A} (Siebel Event Calendar) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Marketing_Calendar.cab
O16 - DPF: {1D922C61-16AB-4179-8302-6B8A688C88D0} (CSSAxContainerCtrl Class) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Container_Control.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) -
O16 - DPF: {353F130D-72DB-4F14-B750-625F90D75D1B} (Siebel Test Automation) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Test_Automation.cab
O16 - DPF: {3E8C4740-70C5-439E-AE2F-16234083E248} (Siebel High Interactivity Framework) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_HI_Client.cab
O16 - DPF: {4514F46B-308B-401B-969D-B62E288158ED} (CSSFlexAxContainerCtrl Class) - http://localhost/19238/applets/SiebelAx_Co...ner_Control.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/42.20/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {48CE1C1F-092D-461C-A385-A0C3D19FE052} (Siebel iHelp) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_iHelp.cab
O16 - DPF: {5FCAD8CF-85C1-4FD9-BD04-995CBEBA5BEB} (Siebel Hospitality Gantt Chart) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Hospitality_Gantt.cab
O16 - DPF: {73EF83D1-DA75-4F58-8DB6-1CD6D8F9C8A1} (Siebel Calendar) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Calendar.cab
O16 - DPF: {756E01C3-2CF9-4364-8724-B8C850CB0D50} (UInboxDynBtn Class) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_UInbox.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Desktop_Integration.cab
O16 - DPF: {96A3E5AB-C228-4D1D-B31F-712BA35EE470} (Siebel Gantt Chart) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Gantt_Chart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {C5FEEC93-506D-4B41-A38B-3A59BF5B41AB} (Siebel Callcenter Communications Toolbar) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_CTI_Toolbar.cab
O16 - DPF: {C657D5D2-D725-4F0E-91A9-EA74647DCF84} (Siebel Marketing Allocation) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_Marketing_Allocation.cab
O16 - DPF: {D6CC2526-859B-40C0-8515-1A47946478B6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\SiebelAx_OutBound_mail.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://uscallcenter.us-siebel.us-bos01.ser...x_HI_Client.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://ch1tt031.ch-gva01.serono.com/pam_us...x_HI_Client.cab
O16 - DPF: {E1E65027-5BB8-4186-A619-81E219274CC8} (ExecuteViewer2 Class) - http://usse1ldmsna01/common/ENUrcviewer.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://ch2.serono.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EFA4D912-2A19-4E6F-B681-4DC0C796FBD8} (Siebel SmartScript) - http://us1tt063/epharma_enu/19230/applets/...Smartscript.cab
O16 - DPF: {EFB7D763-97A3-11CF-AE19-00608CEADE00} (CIC Ink Control) - file://C:\Siebel1\7.8\client\PUBLIC\enu\19213\applets\iTools.cab
O16 - DPF: {FB8A6B20-09DD-43D5-BF33-676DF96767F3} (Siebel High Interactivity Framework) - http://localhost/19238/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.merckgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = na.merckgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.merckgroup.com
O21 - SSODL: ieModule - {3A530F59-69CF-46B0-A6F9-AC1CBCB631A1} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {73E4214D-5483-4D82-AEFA-611C2EAB914A} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\rledtcblog.dll
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: DB2 Management Service (TAEVAL20) (DB2MGMTSVC_TAEVAL20) - International Business Machines Corporation - C:\Program Files\Quest Software\Toad for Data Analysis Trial 2.0\DB2 Client\BIN\db2mgmtsvc.exe
O23 - Service: DB2 Security Server (TAEVAL20) (DB2NTSECSERVER_TAEVAL20) - International Business Machines Corporation - C:\Program Files\Quest Software\Toad for Data Analysis Trial 2.0\DB2 Client\BIN\db2sec.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Siebel Analytics Java Host (sawjavahostsvc) - Unknown owner - C:\SiebelAnalytics\web\Bin\sawjavahostsvc.exe
O23 - Service: Siebel Analytics Server - Siebel Systems, Inc. - C:\SiebelAnalytics\Bin\NQSComGateway.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 17093 bytes

FYI:::The spyware keeps coming up...

Andro1d Posted December 30, 2008
Hello again,
Please download the OTMoveIt3 by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the fix below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:processes
explorer.exe
:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\spywareguard
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spywareguard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
:files
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Spyware Guard 2008
C:\Windows\reged.exe
C:\Windows\spoolsystem.exe
C:\Windows\sys.com
C:\Windows\syscert.exe
C:\Windows\sysexplorer.exe
C:\Windows\vmreg.dll
C:\Documents and Settings\M157236.DNNA\Desktop\Spyware Guard 2008.lnk
C:\Documents and Settings\M157236.DNNA\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
C:\Documents and Settings\M157236.DNNA\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk
C:\Documents and Settings\M157236.DNNA\Application Data\Microsoft\Internet Explorer\olesys.dll
:commands
[purity]
[emptytemp]
[start explorer]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt3.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

honey_sucker7814 Posted December 30, 2008 Author
I pasted into the yellow box and clicked on the MoveIt button. I have been waiting for the past 10 mins and nothing seems to be happening. I saw the Process explorer.exe killed successfully.
After that there is REGISTRY and it has been staying there for the past 10 mins.
Should this be taking so long?

honey_sucker7814 Posted December 30, 2008 Author
Looks like it is stuck at the Registry. Looks like it is not able to unregister the vmreg.dll.
If it helps - I tried to unregister the vmreg.dll earlier. But I could not. Maybe your application is also not able to uninstall.
I am comfortable with unregistering DLLs, playing with regedit etc. Let me know.

Andro1d Posted December 30, 2008
Hello again,
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select "Delete on Reboot", then click on the "All Files" button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\Windows\vmreg.dll

- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.
If your computer does not restart automatically, please restart it manually.

honey_sucker7814 Posted December 30, 2008 Author
Hi,
I cannot run KillBox on the infected PC. The application failed to start because !@#$%^&*(.dll was not found. Re-installing the app will fix the problem.

Andro1d Posted December 30, 2008
What is the name of the dll that can't be found?

honey_sucker7814 Posted December 30, 2008 Author
It doesn't tell the dll name. There are weird characters like @#$bxo....dll in the "Unable to Locate Component" box.

Andro1d Posted December 31, 2008
Mhmm,
Please click here to download AVP Tool by Kaspersky.
Save it to your desktop.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
Double click the setup file to run it.
Click Next to continue.
It will by default install it to your desktop folder. Click Next.
Hit ok at the prompt for scanning in Safe Mode.
It will then open a box. There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked:
System Memory
Startup Objects
Disk Boot Sectors
My Computer
Also any other drives (removable ones that you may have)
After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose ok.
Then choose OK again; then you are back to the main screen.
Then click on Scan at the top right-hand corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all.
If it says it cannot be Neutralized then choose the delete option when prompted.
After that is done click on the reports button at the bottom and save it to file; name it Kas.
Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report; it will be at the very top under Detected. Post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

honey_sucker7814 Posted January 1, 2009 Author
I ran MAMB and deleted the spyware in safe mode. Used CCleaner to clean the registry. In safe mode I restored my PC to a week before and the virus is gone. I ran MAMB to clean up the System Volume Information drive as the spyware is still showing up in the system restores. Used AVG and MAMB to clean up everything.
This spyware comes back when started in normal mode along with the Windows Security center. Windows security center doesn't start in safe mode. I can access the System restore in safe mode.
Now my system is spyware free.
Thanks for your help my friend. Much appreciated.

honey_sucker7814 Posted January 4, 2009 Author
Can someone change the topic title - with the word Resolved?

Andro1d Posted January 5, 2009
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.