malware info

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jimkata, Sep 2, 2005.

  1. jimkata

    jimkata Private E-2

    Anyone heard of PSGuard.msmsgs? Spybot picked it up on my system...I removed it and haven't had any problems, but just wanted to find some background on it or the company making it?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, there have been many of them fixed here. Normally none of the standard tools (including Spybot) completely fix problems with PSGuard. If you find out that you are still having problems, follow the steps below:


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. jimkata

    jimkata Private E-2

    Thanks for the info...I'd already run all the steps listed on the spyware tutorial page, and I've run hijack this, checked through the tutorial myself and ran it through the parsing sites listed in the tutorial. Everything is coming up clean...is there anything else I should try? I was more interested just in finding out background info on this thing (specifically what it does, where it came from).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post your HJT log and we will see!
    Also tell me exactly what Spybot is detecting. I would bet it is just the registry key from it.

    Also you can run the steps below.

    Download smitRem.exe and save the file to your desktop.

    Double click on the file to extract it to its own folder on the desktop.

    Reboot into safe mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach this log to your next reply.
     
  5. jimkata

    jimkata Private E-2

    Hi
    Spybot SD only detected PSGuard once, and unfortunately I deleted the entry before I checked what it was specifically (doh!). It hasn't found it again since.
    I ran all of the online scans in the tutorial, and they came up clean. I also ran the trial version of Ewido Security Suite, and it came up clean too. Aside from that one instance, nothing has come up.
    Anyway, here's my HJT log and the smitfiles log.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your log is clean but you can fix the one left over line from running HSremove:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremov


    Also I have a question on the below service. Is this something you installed? If so, what is it for?
    O23 - Service: LckFldService - Unknown owner - E:\WINDOWS\System32\LckFldService.exe
     
  7. jimkata

    jimkata Private E-2

    Hi
    I'm not sure what that last line is either...I was looking around at a couple of sites, but it came back as safe (but with no info) on the HJT parsing sites in the tutorial.
    I deleted the first line (HSremove) in an earlier HJT run, but it seems to have reinstalled itself. I'll take another run at it.
    Thanks again for your help!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you run HSremove (which is not needed for your problems), it will put itself as your start page. The funny thing is your log said hsremov not http://hsremove.com/done.htm which it normally shows when you run it.


    Locate the E:\WINDOWS\System32\LckFldService.exe file with Windows Explorer.
    Then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.
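The Version-tab check chaslang describes, together with the O23 service line from the earlier log, can be done from a shell so the result is easy to paste into a reply. The script below is an added example and is not part of the thread or any of the tools mentioned in it; it assumes a Windows machine with PowerShell 5.1 or later and takes the service name from the O23 line as its only input. It resolves the executable the service actually points at (rather than trusting the log line), prints the same fields Explorer shows on the Version tab (CompanyName, ProductName, FileDescription, FileVersion), and adds two things the dialog does not show: the Authenticode signature status and a SHA256 hash that can be looked up against vendor or scanner databases.

```powershell
# Added example (not from the thread): inspect the service named in an O23 line.
# Assumes PowerShell 5.1+; the default service name is the one from the thread's log.
param(
    [string]$ServiceName = 'LckFldService'   # name taken from the O23 line in the thread
)

# Ask the Service Control Manager which image the service is registered with.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Output "No service named $ServiceName is registered."
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exePath = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
Write-Output "Service : $($svc.Name) ($($svc.DisplayName))"
Write-Output "State   : $($svc.State) / StartMode $($svc.StartMode)"
Write-Output "Account : $($svc.StartName)"
Write-Output "Image   : $exePath"

if (-not (Test-Path -LiteralPath $exePath)) {
    # A registered service whose image is gone is worth reporting on its own.
    Write-Output "Image file not found on disk (orphaned service entry)."
    return
}

$file = Get-Item -LiteralPath $exePath
# VersionInfo carries the same resource fields as the Version tab in Explorer's Properties dialog.
$vi = $file.VersionInfo
[PSCustomObject]@{
    CompanyName     = $vi.CompanyName
    ProductName     = $vi.ProductName
    FileDescription = $vi.FileDescription
    FileVersion     = $vi.FileVersion
    Created         = $file.CreationTime
    SizeBytes       = $file.Length
} | Format-List

# Two checks the GUI does not show: code-signing status and a hash to look up.
$sig = Get-AuthenticodeSignature -FilePath $exePath
$signer = if ($sig.SignerCertificate) { ' - ' + $sig.SignerCertificate.Subject } else { '' }
Write-Output "Signature: $($sig.Status)$signer"
Write-Output "SHA256   : $((Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash)"
```

Run it from an elevated PowerShell prompt so the Win32_Service query can see every service; an empty CompanyName together with a NotSigned signature status is the same "no Version tab" situation the post asks about, and the hash gives a reviewer something concrete to check instead of a file name.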
     