06-09-2006, 12:18 AM   #9
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Quote:
  Could not delete:
  lsass.exe (currently in use)
  svchost.exe (currently in use)

Hmm.. just to verify: the files you went after should be located at the root of drive C.
Do NOT touch the files located in system32. Those are core Windows files.


* * * * * *


TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click Exit to exit Spybot Search & Destroy.

* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:
  • SirSearch \ PowerSearch
  • Ebates_MoeMoneyMaker

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O4 - HKLM\..\Run: [Microsoft Decryption Technology] MSXENOR.EXE
O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSMND1\Cache\SelectedContextSearch.htm
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)



* * * * * *


Download & launch KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175).
Run KillBox & paste the following locations into KillBox one at a time:
  • C:\lsass.exe
  • C:\svchost.exe
  • c:\windows\system32\MSXENOR.EXE
  • c:\windows\system32\ptmg1v.dll
  • c:\windows\MSXENOR.EXE
  • c:\windows\ptmg1v.dll
  1. Checkmark the following boxes:
    • Delete on Reboot
  2. Click the RED X button
  3. Answer YES when asked to confirm file deletion
  4. Answer NO when prompted to reboot now
  5. Proceed with the next file by repeating the above steps.
  6. Once you get to the last entry, click YES when prompted to reboot.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, download and run missingfilesetup.exe. Then try KillBox again.


* * * * * *


After you have rebooted locate/delete these folders, if present:

C:\Program Files\PWRSMND1\
C:\Program Files\Ebates_MoeMoneyMaker\



* * * * * *

In your next reply, please furnish the following logs:

1. HijackThis
2. ComboFix
__________________

Question - what have you done for the community today?
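The two points of the post worth automating are (a) a bare file name in an O4 Run entry can sit in either Windows directory, which is why both system32 and the Windows root appear in the KillBox list, and (b) a same-named copy of lsass.exe or svchost.exe is only genuine when it lives in system32. The script below is an added example, not code from the post or from HijackThis/KillBox; the Windows directory layout and the sample O4 lines are assumptions constructed from the log above.

```python
import ntpath
import re

# Assumed layout for the machine in the thread (constructed for the example).
WIN_DIR = r"C:\WINDOWS"
SYSTEM_DIR = ntpath.join(WIN_DIR, "system32")
# Core binaries the post warns about: the genuine copies live only in system32.
CORE_NAMES = {"lsass.exe", "svchost.exe"}

# HijackThis O4 Run entries look like: "O4 - HKLM\..\Run: [Label] command line"
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<label>[^\]]*)\]\s*(?P<cmd>.+)$")

def module_from_o4(line):
    """Return the file HijackThis shows for an O4 entry, or None if the line
    is not an O4 entry. rundll32 entries name the DLL as their first argument."""
    m = O4_RE.match(line)
    if not m:
        return None
    parts = m.group("cmd").split()
    if parts[0].lower() == "rundll32.exe" and len(parts) > 1:
        return parts[1].split(",")[0]
    return parts[0]

def candidate_paths(name):
    """A bare name in a Run entry could be in either Windows directory, so
    both are listed for removal; a name that already has a path is kept as-is."""
    if ntpath.dirname(name):
        return [name]
    return [ntpath.join(SYSTEM_DIR, name), ntpath.join(WIN_DIR, name)]

def is_protected(path):
    """True only for the genuine core binary inside system32 (never delete it)."""
    name = ntpath.basename(path).lower()
    parent = ntpath.normpath(ntpath.dirname(path)).lower()
    return name in CORE_NAMES and parent == SYSTEM_DIR.lower()

def build_killbox_list(o4_lines, extra_paths=()):
    """Return (paths to delete, paths refused because they are core system files)."""
    wanted = []
    for line in o4_lines:
        name = module_from_o4(line)
        if name:
            wanted.extend(candidate_paths(name))
    wanted.extend(extra_paths)
    delete = [p for p in wanted if not is_protected(p)]
    refused = [p for p in wanted if is_protected(p)]
    return delete, refused
```

Feeding it the two O4 lines from the log plus C:\lsass.exe and C:\WINDOWS\system32\lsass.exe yields the four Windows-directory paths and the root copy for KillBox, and refuses the system32 copy.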