I have tried everything please help if you can

Discussion in 'Malware Help (A Specialist Will Reply)' started by NancyD, Sep 1, 2006.

  1. NancyD

    NancyD Private E-2

    I have WindowsXP on my system at home. I usually can take care of pretty much anything but this has become frustrating. I have run several programs to try and get rid of my problem but none has worked. I can't find the item and believe it is somehow hiding somewhere and when I try to delete it, it comes back.

    My message reads: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" (explorer.exe, c:\windows\system32\kebox.exe)

    Both Spybot and Ad-Aware and other programs have found it but can't remove it. I ran HijackThis and found it, but after it deleted it, it came back again. As soon as it says deleted and I run the scan again, there it is. Can anyone help me? I am using my office computer, as when I log on at home things just pour in. I can still run my scans, but the pop-ups drive me crazy and I am concerned about my information being out there. Thank you.
     
    Last edited: Sep 1, 2006
  2. matt.chugg

    matt.chugg MajorGeek

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. NancyD

    NancyD Private E-2

    I hope I did this right. Here are the 3 files. I will repost with the hijackthis one. Thank you.
     

    Attached Files:

  4. NancyD

    NancyD Private E-2

    Malware

    Here is the HijackThis file. Thank you. I ran everything according to the list. After all were run, I still continued to get the pop-ups and the original file that Ad-Aware keeps finding in the Shell value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (explorer.exe, C:\windows\system32\kebox.exe). I hope you can help. Thank you.

    NancyD
     

    Attached Files:

    Last edited: Sep 3, 2006
  5. matt.chugg

    matt.chugg MajorGeek

    The installed version of Java on this computer is out-dated.
    Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp.
    Uninstall all older versions of Java on your computer, before installing the latest version of Java.

    Please empty the Norton and Housecall quarantine folders as described in the Read and Run Me thread and redo the BitDefender scan. It is hard to find any relevant files with it all cluttered up like that.

    Download:

    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)


    Run HijackThis. Click the 'Do a system scan only' button.

    Click 'Config'

    Click 'Misc Tools'

    Click 'Open Process Manager'

    Select the following processes from the list (if found) and terminate by clicking 'terminate'

    Click 'Back' to return the the scan results.

    Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE (to the recycle bin NOT PERMANENTLY YET) the following: (Some of these may have already been deleted by Pocket Killbox)



    Using Windows Search (using the procedure set out below) search for and delete (to the Recycle Bin, NOT PERMANENTLY) every occurrence of the following files

    Click Start and select Search
    Now Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Please also tell me the location of these files when (and if) you find them.
    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


    REBOOT to Normal Mode.

    Post a fresh HijackThis log, a fresh ShowNew log, a Runkeys log (which you missed the first time) and a BitDefender scan after emptying your quarantine folders.
     
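The value that keeps reappearing in this thread is the Winlogon "Shell" entry, which Windows reads at logon and which a running malware process can rewrite the moment a scanner removes it; that is why the procedure above kills processes first and deletes files on reboot. The following PowerShell script is an added example, not code from the thread or from MajorGeeks: it audits the Shell and Userinit values, reports any entry beyond the assumed defaults ("explorer.exe" for Shell, "<SystemRoot>\system32\userinit.exe," for Userinit), and can stop the offending process, delete its file and restore the default. The function names are the example's own, the sample value at the bottom is constructed to mirror the one quoted in the thread, remediation needs an elevated prompt, and the script assumes PowerShell 2.0 or later (Windows XP did not ship with PowerShell; 2.0 was a separate install for XP SP3).

```powershell
# Added example (not from the original thread). Audit the Winlogon "Shell" and
# "Userinit" values and, optionally, remove an injected entry such as the
# c:\windows\system32\kebox.exe quoted above. Function names are this example's own.
# Assumed defaults: Shell = "explorer.exe"; Userinit = "<SystemRoot>\system32\userinit.exe,".

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Split a comma-separated Winlogon value and return every entry that is not on
# the allow list. -notcontains is case-insensitive, so EXPLORER.EXE still passes.
function Find-ExtraEntries {
    param(
        [Parameter(Mandatory=$true)] [string]   $Value,
        [Parameter(Mandatory=$true)] [string[]] $Expected
    )
    $Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($Expected -notcontains $_) }
}

# Read both values from the live registry and report anything unexpected.
function Get-WinlogonAnomalies {
    param([string]$Key = $WinlogonKey)
    $expected = @{
        Shell    = @('explorer.exe')
        Userinit = @((Join-Path $env:SystemRoot 'system32\userinit.exe'))
    }
    $props = Get-ItemProperty -Path $Key
    foreach ($name in $expected.Keys) {
        $raw   = [string]$props.$name
        $extra = @(Find-ExtraEntries -Value $raw -Expected $expected[$name])
        New-Object PSObject -Property @{ Value = $name; Raw = $raw; Extra = $extra }
    }
}

# Remediate the Shell value only: stop the process named by each extra entry
# (otherwise it may rewrite the value immediately), delete its file, reset Shell.
# Run with -WhatIf first to see what would be touched.
function Repair-WinlogonShell {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Key = $WinlogonKey)
    $shell = Get-WinlogonAnomalies -Key $Key | Where-Object { $_.Value -eq 'Shell' }
    if (-not $shell.Extra) { Write-Host 'Shell value is clean.'; return }
    foreach ($path in $shell.Extra) {
        $name = [System.IO.Path]::GetFileNameWithoutExtension($path)
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Path, 'Stop process')) { $_ | Stop-Process -Force }
        }
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
    if ($PSCmdlet.ShouldProcess("$Key\Shell", 'Reset to explorer.exe')) {
        Set-ItemProperty -Path $Key -Name Shell -Value 'explorer.exe'
    }
    # Re-read the value. If the extra entry is already back, something else
    # (a service, scheduled task or another autostart entry) is rewriting it.
    Get-WinlogonAnomalies -Key $Key | Where-Object { $_.Value -eq 'Shell' }
}

# Constructed sample mirroring the value quoted in the thread; no registry access.
Find-ExtraEntries -Value 'explorer.exe, c:\windows\system32\kebox.exe' -Expected @('explorer.exe')

# Live use, from an elevated prompt:
# Get-WinlogonAnomalies
# Repair-WinlogonShell -WhatIf
# Repair-WinlogonShell
```

If Repair-WinlogonShell reports the extra entry again straight after resetting it, do not keep fixing the value in a loop; note the process or file that is restoring it and feed that back into the autostart and file checks the procedure above asks for.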
