Please help me with this HijackThis Log

    Question

  • Computer contracted the SecurityTool Virus.
    Steps/Actions/Results so far:
    -Task Manager, to stop Security Tool processes [random numbers].exe, but wasn't listed
    -Boot into Safe Mode with Networking, failed
    -LKGC, successful
    -Boot into Safe Mode with Networking, successful
    -Ran MalwareBytes Anti-Malware Full System Scan, 125 items found
    -Removed items
    -Scan again, 1 item found
    -Removed item
    -Scan once more, no items found
    -msconfig, start up files, remove [random numbers]
    -C:\Documents and Settings\All Users\Application Data\[random numbers]\ - deleted file
    -regedit to delete *HKEY_CURRENT_USER\Software\Security Tool  -- but was not listed
    -regedit to delete *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Tool  -- but was not listed
    -Startup programs via Run Box %userprofile%\Start Menu\Programs\Startup -- Found wwwpos32 -- attempted to delete the file but failed - access denied, currently in use by another person or program
    -Disabled System Restore
    -Boot into Normal
    -Ran MalwareBytes -- no risks found
    -Downloaded HijackThis and did a Scan

    Here is the Log from HijackThis:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:26:32 PM, on 1/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Aqarojebuqage] rundll32.exe "C:\WINDOWS\ebavuwox.dll",Startup
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [P2kAutostart] V506
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
    O4 - Startup: wwwpos32.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: APC UPS Status.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://fs-ads/connectcomputer/nshelp.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199379641093
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/Acadm%206/AcDcToday.ocx
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/Acadm%206/InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/Acadm%206/InstFred.ocx
    O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://shoptech.webex.com/client/T25L/support/ieatgpc.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/Acadm%206/AcPreview.ocx
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AmityDie.local
    O17 - HKLM\Software\..\Telephony: DomainName = AmityDie.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AmityDie.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AmityDie.local
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = AmityDie.local
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Update Service (gupdate1c9beb9168ccd39) (gupdate1c9beb9168ccd39) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 12530 bytes


    Please look through this and help me decide which registry entries need to be deleted.

    I deleted the following after saving the log file:
    R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
    O4 - Startup: wwwpos32.exe


    Thank you!
    Katy K.
    Krause.kathryn@gmail.com

    Wednesday, January 27, 2010 7:26 PM

Answers

  • If the rogue application is the same as what's below, then you need to delete the files and registry keys that are listed.


     

    Created Files

    • %Desktop%SecurityTool
    • %Desktop%Security Tool..lnk
    • %Desktop%Security Tool.lnk
    • %StartMenu%Programs\Security Tool
    • %StartMenu%Program\Security Tool

    Created Folders

    • %CommonPrograms%SecurityTool
    • %ApplicationData%73668737

    Registry Entries

    • Key: HKEY_CURRENT_USER\Software\Security Tool
    • Value:
    • Data:
    • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: Install
    • Data: C:\Documents and Settings\%userprofile%\Application Data\3552748893\3552748893.bat
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: 3552748893
    • Data: C:\Documents and Settings\%userprofile%\Application Data\3552748893\3552748893.exe
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: 73668737
    • Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\73668737\73668737.exe

     


    Dennis, Owner: HTML tutorial. Please don't forget to mark any post(s) that helped as helpful or answered.
    • Marked as answer by KatyK03 Friday, January 29, 2010 1:48 PM
    Wednesday, January 27, 2010 7:45 PM
  • I am having problems finding these things. I physically deleted SecurityTool from both my start menu and desktop previously but could locate them using the run box today. I also cannot find these entries in the registry using regedit from the run box. Nothing is listed in there that matches any of the entries you are saying to delete. Maybe I am not looking the right way or in the right spot?? HELP! Could you maybe copy and paste the entries from my HijackThis log that I should delete? Maybe that way I could find them easier.



    You said in your first post that you had already run Malwarebytes and possibly some other scanners, with Malwarebytes finding over 125 items; most of those could very well have been deleted by Malwarebytes itself. My advice would be to boot into Safe Mode with Networking, then download and run at least two of these tools, letting them clean anything they find. From what's already been run on there, that should get rid of the rest of the infection. All of these are portable, which means they don't have to be installed; just download, double-click and run.

    • "DrWebCureIT": http://www.freedrweb.com/cureit/?lng=en
    • "Normans Malware Cleaner": http://norman.com/support/support_tools/58732/en-us
    • "Kaspersky Virus Removal Tool": http://support.kaspersky.com/viruses/avptool2010?level=2
    • "VIPRE Rescue Program": http://live.sunbeltsoftware.com/
    • "Microsoft's Malicious Software Removal Tool": http://www.microsoft.com/security/malwareremove/default.aspx
    • "F-Secure Easy Clean": http://www.f-secure.com/en_US/security/security-center/easy-clean/

    Dennis, Owner: HTML tutorial. Please don't forget to mark any post(s) that helped as helpful or answered.
    • Marked as answer by KatyK03 Monday, February 1, 2010 3:50 PM
    Friday, January 29, 2010 7:10 PM
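
The request above was to point at the lines in the HijackThis log that deserve attention. The following is an added example, not part of the thread or of HijackThis: a small Python triage pass over log lines. The four reasons it reports are assumptions chosen for this page (the all-digit Run value pattern from the first answer, plus three generic autorun oddities), and a flagged line is a prompt for manual review, not a verdict.

```python
import re

# Lines copied from the HijackThis log in the question, plus one CONSTRUCTED
# line (the last) showing how the answer's 73668737 Run value would appear.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O4 - HKLM\..\Run: [Aqarojebuqage] rundll32.exe "C:\WINDOWS\ebavuwox.dll",Startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [P2kAutostart] V506
O4 - Startup: wwwpos32.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - HKLM\..\Run: [73668737] C:\DOCUME~1\ALLUSE~1\APPLIC~1\73668737\73668737.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <body>"
RUN_VALUE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")
STARTUP = re.compile(r"^(?:Global )?Startup: (.+?)(?: = .*)?$")
# rundll32 loading a DLL that sits directly in the Windows directory
RUNDLL_WINDIR = re.compile(
    r'^rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.dll', re.I)


def reasons_for(code, body):
    """Return the list of review reasons (assumed heuristics) for one entry."""
    found = []
    if body.endswith("(no file)"):        # registered object, file is gone
        found.append("no-file")
    if code != "O4":                      # the rest only applies to autoruns
        return found
    run = RUN_VALUE.match(body)
    if run:
        name, cmd = run.groups()
        # Pattern from the first answer: all-digit value name whose command
        # runs <name>\<name>.exe or .bat.
        if name.isdigit() and re.search(
                r"\\%s\\%s\.(?:exe|bat)\b" % (name, name), cmd, re.I):
            found.append("numeric-run")
        if RUNDLL_WINDIR.match(cmd):
            found.append("rundll32-windir")
    start = STARTUP.match(body)
    # Startup folders normally hold .lnk shortcuts, not bare executables.
    if start and start.group(1).lower().endswith(".exe"):
        found.append("startup-exe")
    return found


def triage(log_text):
    """Return [(line, [reasons])] for entries that deserve a manual look."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue                      # header, process list, blank line
        hits = reasons_for(m.group(1), m.group(2))
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(", ".join(hits), "->", line)
```

In the log as posted, no Run value has an all-digit name, so nothing there gets the numeric-run reason; that is consistent with the asker not finding those values in regedit.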

All replies

  • I am having problems finding these things. I physically deleted SecurityTool from both my start menu and desktop previously but could locate them using the run box today. I also cannot find these entries in the registry using regedit from the run box. Nothing is listed in there that matches any of the entries you are saying to delete. Maybe I am not looking the right way or in the right spot?? HELP! Could you maybe copy and paste the entries from my HijackThis log that I should delete? Maybe that way I could find them easier.


    Friday, January 29, 2010 4:17 PM
  • My suggestion: download AnVir Task Manager. When you run it, AnVir shows you all startup programs and Windows processes, so you’ll find the harmful file in a minute. I always use it when I clean someone’s PC. Sorry for the off-topic.
    Saturday, May 22, 2010 9:36 AM