Infected...


This topic is locked. 59 replies to this topic.

#1 LAB811 (Members, 161 posts)

Posted 28 December 2012 - 12:09 AM

Hi, if you check my other blue screen posts you will see that I had been infected before and got the blue screen. This time I really screwed up my system: after I was unable to get in, I did a system restore. Big mistake, and still some virus. I ran Malwarebytes but for some reason it did not save the log. I think I quarantined the detections but will run Malwarebytes again. I did write down the 2 detections; both were PUM disabled,
HKLM\Software\Microsoft\Security Center. I will run Malwarebytes again and post a log if it still detects a threat.

Please reply with simple instructions. I don't know much about computers but do follow instructions well. I will not be back on the computer until after 5 PM tomorrow night. Thanks

I then ran HijackThis and here is the log:

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:33 AM, on 12/28/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [PinInit] c:\hp\bin\cloaker.exe c:\hp\bin\PinToStart.bat
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PCDrProfiler] "C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SetDefaultPrinter] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd
O4 - HKLM\..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /run
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PMLreset] c:\hp\bin\cloaker.exe cmd /c c:\hp\drivers\pmlreset.bat
O4 - HKLM\..\Run: [HPSUreset] c:\hp\bin\cloaker.exe cmd /c c:\hp\drivers\hpsu\HPSULastRunReset.bat
O4 - HKLM\..\Run: [RBreset] c:\hp\bin\cloaker.exe cmd /c c:\hp\drivers\hpsu\RBLastRunReset.bat
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AT&T Self Support Tool.lnk.disabled
O4 - Global Startup: CaSup.lnk = C:\hp\region\CustAtStartUp.wsf
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ReSchedHPSU.lnk = C:\hp\bin\CLOAKER.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 10090 bytes
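The HijackThis log above is a line-oriented format: an item code (R1, O4, O23 and so on), a separator, then the item body. The script below is an added example written for this page, not part of the thread and not HijackThis code. It parses entries of that shape and applies a few triage heuristics a responder uses when reading such a log: Trusted Zone additions (O15), startup entries that launch cmd.exe or a script file, RunOnce entries, startup links ending in .lnk.disabled, and services whose company string is empty or "Unknown owner". The sample input embeds a handful of lines from the posted log plus one constructed O23 line (marked in the code). The flags mark where to look first, not verdicts: nothing flagged from this particular log is by itself evidence of infection (the cloaker.exe launchers are part of HP's factory image).

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log posted above,
# plus one O23 line made up for this example (the "Example Service" entry).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SetDefaultPrinter] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: CaSup.lnk = C:\hp\region\CustAtStartUp.wsf
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\example.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
NAMED_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# cmd.exe /c ..., or a command line that ends in (or passes) a script file
SCRIPT_RE = re.compile(r"\bcmd(\.exe)?\s+/c\b|\.(bat|cmd|vbs|wsf|js)(\s|$)", re.I)


def parse_hjt(text):
    """Parse HijackThis-style lines into dicts (kind, body, raw, plus fields for O4/O23)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        e = {"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()}
        if e["kind"] == "O4":
            # "HKLM\..\Run: [Name] command"  or  "Global Startup: file.lnk = target"
            loc, _, rest = e["body"].partition(": ")
            e["location"] = loc
            nm = NAMED_RE.match(rest)
            if nm:
                e["name"], e["command"] = nm.group("name"), nm.group("cmd")
            else:
                name, sep, target = rest.partition(" = ")
                e["name"], e["command"] = name, target if sep else ""
        elif e["kind"] == "O23":
            # "Service: Display name (svc) - Company - path"
            parts = e["body"][len("Service: "):].split(" - ", 2)
            while len(parts) < 3:
                parts.append("")
            e["name"], e["company"], e["command"] = parts
        entries.append(e)
    return entries


def summarize(entries):
    """Count entries per item code, e.g. Counter({'O4': 6, 'O23': 3, ...})."""
    return Counter(e["kind"] for e in entries)


def triage(entries):
    """Return (flag, raw_line) pairs for entries worth a second look. Heuristics, not verdicts."""
    findings = []
    for e in entries:
        cmd = e.get("command", "")
        if e["kind"] == "O15":
            findings.append(("trusted-zone", e["raw"]))
        elif e["kind"] == "O4":
            if e["name"].lower().endswith(".disabled"):
                findings.append(("disabled-startup-link", e["raw"]))
            elif SCRIPT_RE.search(cmd):
                findings.append(("script-launcher", e["raw"]))
            elif "runonce" in e["location"].lower():
                findings.append(("run-once", e["raw"]))
        elif e["kind"] == "O23" and e["company"].strip().lower() in ("", "unknown owner"):
            findings.append(("no-company-service", e["raw"]))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(dict(summarize(parsed)))
    for flag, raw in triage(parsed):
        print("%-22s %s" % (flag, raw))
```

Run it against a full log by reading the file instead of SAMPLE_LOG; the O23 company check is the weakest heuristic (HijackThis takes the string from the file's version resource, which legitimate software sometimes leaves empty), so treat it as a prompt to check the binary's path and signature, not as a finding.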


#2 LAB811 (Topic Starter, Members, 161 posts)

Posted 28 December 2012 - 07:22 AM

I ran Malwarebytes again but it looks like the detections are removed. Here is the log from this morning:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.27.10

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 6.0.2900.2180
HP_Administrator :: YOUR-4DACD0EA75 [administrator]

Protection: Disabled

12/28/2012 3:10:25 AM
mbam-log-2012-12-28 (03-10-25).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 405649
Time elapsed: 54 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#3 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC. Canada)

Posted 30 December 2012 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please run these tools and post the logs for my review.

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).


#4 LAB811 (Topic Starter, Members, 161 posts)

Posted 31 December 2012 - 08:59 AM

Remember, I can only get on my computer right now in safe mode and it takes many, many tries to get in. I also did a system restore so none of my previous programs are there. I can't get into normal mode to try to undo the system restore, if that is possible.

Here is the Security Check log:

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Please wait while WMIC is being installed.
displayName
Norton Internet Security
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.70.0.1100
HijackThis 2.0.2
Adobe Flash Player 11.5.502.135
Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 13% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Edited by LAB811, 31 December 2012 - 09:00 AM.


#5 LAB811 (Topic Starter, Members, 161 posts)

Posted 31 December 2012 - 09:02 AM

Here is the AdwCleaner log:

# AdwCleaner v2.104 - Logfile created 12/31/2012 at 12:01:13
# Updated 29/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : HP_Administrator - YOUR-4DACD0EA75
# Boot Mode : Safe mode with networking
# Running from : C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\My Documents\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Documents and Settings\All Users\Desktop\eBay.lnk
File Found : C:\Documents and Settings\All Users\Start Menu\Programs\eBay.lnk
File Found : C:\user.js
Folder Found : C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Found : C:\Program Files\BabylonToolbar

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.2180

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

*************************

AdwCleaner[R1].txt - [1214 octets] - [31/12/2012 12:01:13]

########## EOF - C:\AdwCleaner[R1].txt - [1274 octets] ##########


Thank you nasdaq for your help.

#6 LAB811 (Topic Starter, Members, 161 posts)

Posted 31 December 2012 - 09:06 AM

nasdaq, I only did a search as you instructed. When I closed the AdwCleaner program it said to note that only a search had been performed, no action taken. Should I have done something else?

#7 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC. Canada)

Posted 31 December 2012 - 09:15 AM

I can't get into normal mode to try to undo the system restore if that is possible


Sorry, no. The system restore is irreversible.

===

Check and see if you can get a clean boot in Windows XP.

Instructions here:

http://logitech-en-amr.custhelp.com/app/answers/detail/a_id/228#xp

Let me know how it goes.

#8 LAB811 (Topic Starter, Members, 161 posts)

Posted 31 December 2012 - 10:22 AM

OK, followed all of your instructions and was able to do a clean boot. It restarted in normal mode twice with both steps. It is very weird: all the logos and type are really small and faint.

Ready for the next step. I have no antivirus (I previously had Avira) and that makes me nervous...

Edited by LAB811, 31 December 2012 - 10:23 AM.


#9 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC. Canada)

Posted 31 December 2012 - 02:31 PM

You will remember the instructions to start a Clean boot.

Clean boot in Windows XP
To perform a clean boot in Windows XP:
1 - Click Start > Run, type msconfig and then click OK.
2 - On the General tab, choose Selective Startup.
3 - Clear the following check boxes:
...Process SYSTEM.INI file
...Process WIN.INI file
...Load Startup items
4 -Click the Services tab.
5 - Select the Hide All Microsoft services check box (at the bottom).
6 - Click Disable all.
7 - Click OK.
8 - Click Restart.


Restart the process and this time go directly to step 6.

I would like you to enable a few services at a time and restart the computer.

If all is well, enable more processes and restart the computer.

Do this until you have enabled them all, or until at one point in the trial and error you DO NOT get to normal mode.

This will indicate that one or more of the services is/are the culprit.

Let me know which file/files is/are causing the normal boot to fail.
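The trial-and-error nasdaq describes is a binary search over the disabled services, with a reboot as the only test. The script below is an added example written for this page, not something from the thread or from msconfig: given a list of service names and a boot oracle, it drives that search automatically, keeps every group that booted enabled for all later trials (as the instructions say), and collects each single service that stops normal mode. The boot oracle is simulated and the service names are constructed; nothing in the thread identifies the actual culprit. It assumes that a failure is caused by individual services rather than by a combination of them, which is the same assumption the manual procedure makes.

```python
"""Halving search for the startup service(s) that stop a normal boot.

Models the msconfig procedure from the thread: all non-Microsoft services are
disabled, then re-enabled in groups; a group that breaks the boot is split
again. Here the "reboot" is a simulated oracle; on a real machine each call to
boots() is one msconfig change plus one restart.
"""


def find_culprits(services, boots):
    """Return (culprits, known_good, reboots).

    services: names of the disabled services to re-enable.
    boots(enabled): True if the machine reaches normal mode with exactly that
    list enabled on top of the Microsoft services that stay on.
    Assumes each failure is caused by a single service, not a combination.
    """
    reboots = 1                      # the baseline reboot with everything disabled
    if not boots([]):
        raise RuntimeError("no clean boot with everything disabled: culprit is elsewhere")
    known_good, culprits = [], []
    stack = [list(services)]         # groups still to be tested
    while stack:
        group = stack.pop()
        reboots += 1
        if boots(known_good + group):
            known_good.extend(group)  # keep these on for every later trial
        elif len(group) == 1:
            culprits.append(group[0])
        else:
            mid = len(group) // 2
            stack.append(group[mid:])  # pushed first so the first half is tried first
            stack.append(group[:mid])
    return culprits, known_good, reboots


def simulated_boot(broken):
    """Oracle for offline use: the boot fails if any 'broken' service is enabled."""
    broken = set(broken)
    return lambda enabled: not (broken & set(enabled))


if __name__ == "__main__":
    # Constructed names and a constructed culprit; not taken from the thread.
    names = ["Svc%d" % i for i in range(40)]
    culprits, good, reboots = find_culprits(names, simulated_boot({"Svc23"}))
    print("culprits:", culprits, "reboots:", reboots)  # 14 reboots here versus 40 one at a time
```

With one culprit among 40 services the search needs 14 reboots against 40 for enabling them one at a time. With several culprits, or with one that only fails in combination with another, it degrades toward linear, and the baseline reboot with everything disabled (the clean boot LAB811 already has working) is what tells you the culprit is among the disabled services at all.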

#10 LAB811 (Topic Starter, Members, 161 posts)

Posted 31 December 2012 - 03:02 PM

Question?? Once I get through the Run msconfig and it puts me on the General page, do I stick with Selective Startup? Is that what you mean by DO NOT go to Normal mode? Do I choose Selective Startup, then go to the Services tab and disable all?

#11 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC. Canada)

Posted 01 January 2013 - 08:33 AM

Whatever works for you. I do not have an XP box to test.

I want you to enable items that were disabled. By trial and error you should be able to identify the culprit.

If there are many items to enable you can try half of them. If all is well then you will only have the other half to look after.

#12 LAB811 (Topic Starter, Members, 161 posts)

Posted 01 January 2013 - 03:47 PM

OK, I chose Selective Startup and went to the Services tab, disabled all and then enabled about half of them. Restarted the computer and I got a pop-up window that said Microsoft Office.lnk.disabled. Windows needs to know what program created it, etc.
Is what I did what you wanted me to do?? Should I now go ahead and enable the next half? I want to make sure that I understand your instructions before going any further.

Happy New Year!

#13 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC. Canada)

Posted 01 January 2013 - 04:02 PM

It's a start.

The file is a .lnk file and should start Microsoft Office when you start the computer.
It should look like this:
O4 - Global Startup: Microsoft Office.lnk.disabled

It's located in a Startup folder.
Search your computer for Microsoft Office.lnk and delete it.

#14 LAB811 (Topic Starter, Members, 161 posts)

Posted 01 January 2013 - 04:37 PM

OK, I went to Start, then All Programs, then Startup, found it there, deleted it and sent it to the Recycle Bin. Is that right? Do you want me to continue enabling the rest of the services now?

#15 LAB811 (Topic Starter, Members, 161 posts)

Posted 01 January 2013 - 04:41 PM

I just noticed there is another one, AT&T Support Tool.lnk.disabled. Should I do the same thing with that one as with the Microsoft Office one? Sorry if I am over-cautious...



