[Essexboy]

Can you go start > run > and type in regedit if the registry editor appears then close it

Re-run your scan to see if it has gone

If not let me know

[Advertisements]

hi there scanned a few times and it didn't come back. however i restarted my pc and it found it once again

[jotter1]

hi there scanned a few times and it didn't come back. however i restarted my pc and it found it once again

[Essexboy]

Lets clear all your caches then re-run the reg fix, to see if that cures it

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Never had one this stubborn before

[jotter1]

restarted pc after using atf cleaner and it still came back its really annoying

[Essexboy]

Totally annoying - lets try an online scan

None of my other scans detected it though - I removed the initiators so it should no longer be there

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.

[jotter1]

heres the results of f secure scan thanks




Scanning Report
Saturday, March 29, 2008 23:51:36 - 00:36:02

Computer name: PC
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 2 malware found
RiskTool.Win32.Reboot (spyware)

* System

Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 25908
* System: 3178
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-03-29
* F-Secure AVP: 7.0.171, 2008-03-29
* F-Secure Pegasus: 1.20.0, 2008-02-26
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

[Essexboy]

OK lets have a look at that reg key

@echo off
regedit.exe /e C:\look.txt hkey_users \S-1-5-21-220523388-299502267-725345543-1004\software\install
exit

Next you will need to create the batch fix to do that copy and paste ALL of the above in the quote box to a notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type look.bat

This will create a batch file

Then run look.bat by double clicking this should then place a text file of the key on your root c: drive please post the contents here

[jotter1]

tried to do as you said but a box appears for a sec then goes off thats it no log to be seen any ideas thanks

[jotter1]

sorry to be a noob but were should this file be exactly looked on c:\ cant find it cheers

[Essexboy]

It should be at C:\look.txt

[jotter1]

its not there.i deleted the first look.bat and tried again but the file says look now not look.bat and still not there cheers

[Essexboy]

Maybe I made an error in the batch file I need to check that - but it looks OK

Could you open regedit (start >run >regedit)
When opened select EDIT
Select find
Paste in hkey_users \S-1-5-21-220523388-299502267-725345543-1004\software\install
Select find next
Right click the key install and select export.
In the drop down box for file type select .txt
Save to your desktop
Post that in your next post

[jotter1]

did as you asked and it just came up finished searching registry didnt show me anything.

[Essexboy]

To me that would suggest that the key is not there and would also explain why there was no text file. Could this be a glitch with your programme that you use to scan as nothing else I have used has shown that key, or any associated files to be present. I will see if that is a known false positive

[jotter1]

just ran a quick scan with spyware doc and it found this application.nircmd 4 infections but think it could be combofix it didnt find adclicker.i use pc guard from virgin media and upgraged to get the spyware with it dont know if its any good. pc guard only finds it after i restart my pc. but does find it everytime cheers