Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 11 of 11 Posts

·
Registered
Joined
·
719 Posts
Discussion Starter · #1 ·
I've don a virus scan on a WinXP Home system from the McAfee web site. It identifies 2 files as being infected with the PWS-Sysme virus. However, I can't find any information on that virus anyplace on the net using Google or checking the McAfee and Symantec web sites. Any ideas how I can eliminate this virus, if it is a virus?
 

·
Registered
Joined
·
46,353 Posts
What were the exact names of the files and the path to the files that are infected?

Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
 

·
Registered
Joined
·
719 Posts
Discussion Starter · #3 ·
The files were:

C:\WINDOWS\SYSTEM32\sysme.exe
C:\WINDOWS\SYSTEM32\sysme1.exe

I have deleted them and will run HJT and post the log in a few minutes.

Thanks
 

·
Registered
Joined
·
46,353 Posts
What happens if you just doubleclick it? Are your other .exe files working?
 

·
Registered
Joined
·
719 Posts
Discussion Starter · #8 ·
That fixed it. Kind of reassuring to know that I'm not the first to suffer that problem. Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:05:40 PM, on 4/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\$compwell\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rogers.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\3.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - windec.ohb (file missing)
O2 - BHO: (no name) - {88C88FCE-EBE2-45D5-932C-A35085E22BFC} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {F3AA9FBB-9EAA-4762-A418-BC30E9D3201F} - C:\WINDOWS\system32\sjckmlv.dll
O3 - Toolbar: &My Way Speedbar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077680264156
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3734A957-FBD5-4F87-A404-4289C6F3DDFF} (DownloadScanEngine.ctlDSE296315) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://ultimateplugin.com/tl4000.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab
 

·
Registered
Joined
·
46,353 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - - (no file)

O1 - Hosts: 209.132.200.78 auto.search.msn.com

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\3.bin\MYSRCHAS.DLL

O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - windec.ohb (file missing)

O2 - BHO: (no name) - {88C88FCE-EBE2-45D5-932C-A35085E22BFC} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O2 - BHO: (no name) - {F3AA9FBB-9EAA-4762-A418-BC30E9D3201F} - C:\WINDOWS\system32\sjckmlv.dll

O3 - Toolbar: &My Way Speedbar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab

O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://ultimateplugin.com/tl4000.dll

O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab

O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab


Restart your computerand delete:

The C:\Program Files\MyWay folder
The C:\Program Files\WebSavingsfromEbates folder

Now re-enable all the items you have disabled in msconfig and post another log.
 

·
Registered
Joined
·
719 Posts
Discussion Starter · #10 ·
EVERYTHING!!? Here goes....

Logfile of HijackThis v1.97.7
Scan saved at 9:19:37 PM, on 4/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\program files\primesoft\safesearch\safesearch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Kazaa Upgrade Suite3.exe
C:\$compwell\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rogers.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [zehqb] C:\WINDOWS\zehqb.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gl32app] C:\windows\system32\gl32app.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGKTAH] C:\WINDOWS\AGKTAH.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00095\gd-dial.exe -remove
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1034.dll,InstantAccess
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Register Kazaa Upgrade Suite3.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077680264156
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3734A957-FBD5-4F87-A404-4289C6F3DDFF} (DownloadScanEngine.ctlDSE296315) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
 

·
Registered
Joined
·
46,353 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll

O4 - HKLM\..\Run: [zehqb] C:\WINDOWS\zehqb.exe

O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe

O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe

O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe

O4 - HKLM\..\Run: [gl32app] C:\windows\system32\gl32app.exe

O4 - HKLM\..\Run: [AGKTAH] C:\WINDOWS\AGKTAH.exe

O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00095\gd-dial.exe -remove

O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1034.dll,InstantAccess

O4 - Global Startup: Register Kazaa Upgrade Suite3.exe


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The c:\program files\GlobalDialer folder
The c:\program files\primesoft folder
The C:\Program Files\WebSavingsfromEbates folder
The C:\WINDOWS\AGKTAH.exe file
The C:\WINDOWS\zehqb.exe file
The C:\WINDOWS\mslagent file
The C:\WINDOWS\System32\sysme.exe file
The C:\WINDOWS\System32\msbb.exe file
The C:\windows\system32\gl32app.exe file

In Safe Mode Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders". In the "Look in" box choose "Drive C:"
In the "All or part of the file name" box type:

EGCOMLIB_1034.dll

Click Search. Right click and delete the file when found.

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press Online and Search for Updates .

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.
 
1 - 11 of 11 Posts
Status
Not open for further replies.
Top