Question

Virus/Malware issue

Asked by: b0lsc0tt

AVG continues to find a file called 9129837.exe and "deletes" it at start up.  Next time starting it comes up again though.  File seems to be in the Windows\Prefetch folder and is also in an AVG folder.  Is that file a problem (the prefetch one)?  How can we get rid of it so AVG won't "find" it at start up?

There was an entry for ikowin32.exe in the Startup folder in the Start Menu and in the MSCONFIG area of Startup.  The exe itself was in that folder and has been deleted.  Is there still any trace?  I mention this in case it helps know the infection.  There is still an entry for it in the Registry at ...

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^scottd^Start Menu^Programs^Startup^ikowin32.exe

That doesn't seem related to the entry in MSCONFIG so should I manually delete it?  How can I remove the entry I see in MSCONFIG?

A HJT log is below.  It was run after manually deleting the file in the StartUp folder and after running MalwareBytes.  I just did a quick scan with MalwareBytes but it is doing a full scan now.  The quick scan found one .LOG file in the ApplicationData folder (e.g.  USER\Application Data).  I believe it removed that file.

The OS is XP.  Virus protection is AVG.  I hope this is still clear but I tried to keep brief and to the point.  Please NO Googled responses or canned replies without first making sure it relates to all I provided here!  I have done research already and relying on the experts here to help me clean the last of this or confirm the machine looks good.

Should I run anything else?  I will let you know the results of the MalwareBytes full scan but it will probably be "tomorrow."  I can provide more info or details if it will help so don't hesitate to ask.  Thanks a lot for your help and time!!

bol

p.s.  I was told a message appeared early in this "infection" about a file called pfdupd.exe .  Is that a problem or concern (or legit)?  There is also a new Windows folder called PSS (e.g. C:\Windows\PSS).  Is that a problem?  Finally, for bonus, is the file in the Prefetch folder something good to delete manually and what is that folder for (simple explanation fine and I will open new Q if needed for more).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:08 PM, on 9/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070802
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://www.wise.com
O16 - DPF: {099403A7-2334-4432-BDD0-F496AE3A86B5} (PreVistaEnrollControl Class) - https://secure.digsigtrust.com/ms/IdenTrustCertEnroll.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: BlackfishSQL - CodeGear - C:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9cda534d21190) (gupdate1c9cda534d21190) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
 
--
End of file - 11302 bytes
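
A triage pass over a HijackThis log, as an added example that is not part of the question or of any answer in this thread. The line format is HijackThis's own (the "O4 - ...", "O20 - ..." entries above); the rules for what gets flagged are this example's, and a flag means "look at this", not "this is malicious": legitimate software trips every one of them. The sample lines are copied from the log above, except for one O4 line pointing into a Temp directory, which is constructed to exercise that rule and is marked as such.

```python
import re

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RISKY_DIRS = re.compile(r"\\(temp|application data|local settings)\\", re.I)


def parse_hjt(text):
    """Yield (section code, body) for each HijackThis entry line, e.g.
    ('O20', 'AppInit_DLLs: HookDLL.DLL').  Header and process-list lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def o4_target(body):
    """Executable path referenced by an O4 autostart entry (Run key or Startup folder)."""
    if body.startswith(("Global Startup:", "Startup:")) and " = " in body:
        tail = body.split(" = ", 1)[1]
    else:
        tail = body.split("]", 1)[-1]
    tail = tail.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", tail, re.I)
    if m:
        return m.group(1)
    return tail.split()[0] if tail else ""


def triage_entry(code, body):
    """Reason to look twice at an entry, or None.  Review heuristics for a
    cleanup pass, not malware verdicts."""
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        return "AppInit_DLLs is loaded into every process that maps user32.dll; locate and verify the DLL"
    if code == "O23" and "(file missing)" in body:
        return "service binary not found; 'C:\\Program.exe' usually means an unquoted ImagePath with spaces"
    if code == "O15":
        return "site added to the IE Trusted Zone; confirm it was intentional"
    if code == "O4":
        exe = o4_target(body)
        if "\\" not in exe:
            return "autostart without a full path; resolved through PATH at logon"
        if RISKY_DIRS.search(exe):
            return "autostart from a user-writable temp/profile directory"
    return None


def triage(text):
    """(code, reason, body) for every entry worth reviewing, in log order."""
    flagged = []
    for code, body in parse_hjt(text):
        reason = triage_entry(code, body)
        if reason:
            flagged.append((code, reason, body))
    return flagged


# Lines taken from the log above, plus one constructed O4 line (marked) that
# exercises the temp-directory rule.
SAMPLE_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.2",
    "C:\\WINDOWS\\System32\\smss.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay',
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
    r"O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe",  # constructed
    r"O15 - ESC Trusted Zone: http://www.wise.com",
    r"O20 - AppInit_DLLs: HookDLL.DLL",
    r"O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll",
    r"O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe",
])

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {body}")
```

Run against the full log above it would flag three entries: the O20 AppInit_DLLs line (HookDLL.DLL is given without a path, so the first step is to find which HookDLL.DLL is on the search path and who signed it), the O15 Trusted Zone entry for www.wise.com, and the O23 MySQL service shown as C:\Program.exe (file missing), which is consistent with an unquoted service path under C:\Program Files given that mysqld-nt.exe appears in the running process list. None of the O4 entries in the log point into a temp or profile directory.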



Asked On: 2009-09-15 at 17:22:38 (ID 24734910)

Tags: Virus, HiJackThis, Malware, MalwareBytes, XP, AVG

Topics: Anti-Virus, AVG, HijackThis Software, Anti-Spyware, Desktop Anti-Virus

Participating Experts: 7
Points: 500
Comments: 40


Answers

 

by: anil_kumar137, posted on 2009-09-15 at 23:38:31 (ID: 25342538)

Hi, any entries which are in msconfig will be found in the registry in the path below; also run ComboFix, if it's malware it will remove it.

HKLM\SOFTWARE\Microsoft\windows\currentversion\run

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: Stussyexpert, posted on 2009-09-16 at 00:48:38 (ID: 25342932)

The Prefetch folder in your Windows directory is used to store information on the applications that you always open; this speeds up the loading time the next time you open them again. It is safe to delete the content.

Try this free online virusscanner: http://housecall.trendmicro.com/

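What a Prefetch entry actually holds, shown as an added example rather than anything posted in this thread: each .pf file is a record Windows writes after an executable has run (its name, how many times it ran, when it last ran, and the files it mapped), not the executable itself. The parser below reads the Windows XP layout (prefetch format version 17, with the field offsets documented for that version). The file it parses is constructed in memory: the executable name matches the one in the question, while the run count, timestamp, hash value and paths are made up for the example and say nothing about the real file.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_VERSION_XP = 17            # XP / Server 2003 layout; later Windows versions differ
PF_SIGNATURE = b"SCCA"
FILEINFO_END_V17 = 0x98       # 0x54-byte header + version-17 file information block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt.astimezone(timezone.utc) - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_prefetch_v17(data):
    """Executable name, run count, last run time and mapped files from a
    version-17 (Windows XP) .pf image.  ValueError on anything malformed."""
    version, sig, _reserved, size = struct.unpack_from("<I4sII", data, 0)
    if sig != PF_SIGNATURE:
        raise ValueError("bad signature: not a prefetch file")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch version {version}")
    if size != len(data) or size < FILEINFO_END_V17:
        raise ValueError("file size field does not match the data")
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    (_metrics_off, _metrics_cnt, _trace_off, _trace_cnt,
     names_off, names_size, _vol_off, _vol_cnt, _vol_size) = struct.unpack_from("<9I", data, 0x54)
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    if names_off + names_size > len(data):
        raise ValueError("filename strings block runs past end of file")
    blob = data[names_off:names_off + names_size].decode("utf-16-le", errors="replace")
    return {
        "executable": exe,
        "path_hash": path_hash,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft),
        "loaded": [p for p in blob.split("\x00") if p],
    }


def find_origin(record):
    """Full NT path the executable ran from, if it is among the mapped files
    (it normally is): that directory is the next place to look."""
    name = record["executable"].upper()
    for p in record["loaded"]:
        if p.upper().rsplit("\\", 1)[-1] == name:
            return p
    return None


def build_sample_prefetch(exe, run_count, last_run, loaded, path_hash):
    """Construct a minimal but well-formed version-17 .pf image in memory
    (file metrics, trace chains and volume sections left empty)."""
    names = "".join(p + "\x00" for p in loaded).encode("utf-16-le")
    names_off = FILEINFO_END_V17
    total = names_off + len(names)
    hdr = bytearray(FILEINFO_END_V17)
    struct.pack_into("<I4sII", hdr, 0, PF_VERSION_XP, PF_SIGNATURE, 0, total)
    hdr[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")[:60]
    struct.pack_into("<I", hdr, 0x4C, path_hash)
    struct.pack_into("<9I", hdr, 0x54,
                     names_off, 0, names_off, 0,     # empty metrics / trace chains
                     names_off, len(names),          # filename strings block
                     total, 0, 0)                    # empty volumes section
    struct.pack_into("<Q", hdr, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr) + names


# Constructed sample: only the executable name comes from the thread; the
# count, time, hash and paths are invented for this example.
SAMPLE_PF = build_sample_prefetch(
    "9129837.EXE", 3,
    datetime(2009, 9, 16, 9, 29, tzinfo=timezone(timedelta(hours=-7))),
    ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
     "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
     "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\TEMP\\9129837.EXE"],
    0x1A2B3C4D)

if __name__ == "__main__":
    rec = parse_prefetch_v17(SAMPLE_PF)
    print(rec["executable"], "ran", rec["run_count"], "times, last", rec["last_run"])
    print("run from:", find_origin(rec))
```

On the real machine you would feed parse_prefetch_v17() the bytes of the file named after 9129837.EXE in C:\WINDOWS\Prefetch (the suffix after the name is a hash; take it from the directory listing). Two practical points follow from what the file is: find_origin() tells you which folder the binary was launched from, which is where to look next, and because the .pf is only a trace, deleting it is harmless to the system but loses that evidence without removing whatever keeps writing the executable. Copy it out before cleaning.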
 

by: younghv, posted on 2009-09-16 at 03:50:43 (ID: 25344035)

bol -
MBAM is a great product, but we get a much better picture of what is running on a computer from "ComboFix".

Basic download and run comments from 'rpg' here:

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: rxfoster, posted on 2009-09-16 at 06:34:28 (ID: 25345394)

b0lsc0tt, have you tried bringing the machine up in safe mode and disinfecting?

Back in the day, as a last-ditch effort on certain obnoxious viruses (and long before there was the plethora of utilities we have now) we would kill a file, and create a dummy file of the same name in its place, so that when the process went to create that file, it would fail.

You can use this in conjunction with filemon: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

So, create that file, reboot, and bring up filemon.  If there is a process continually writing out that file, you will see it being denied in filemon, you can then track it down and destroy it.

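The sentinel-file trick rxfoster describes, carried through as an added example that is not part of the thread: plant an empty read-only file where the dropped executable keeps reappearing, then read the Filemon capture for processes whose attempt to recreate or write it was refused. Assumptions: Filemon's tab-separated column order is taken to be sequence, time, process:PID, request, path, result, other; the sample events and every process name in them other than svchost.exe are constructed for the example and are not from the asker's machine.

```python
import os
import stat
from collections import Counter

# Filemon's tab-separated columns, as assumed for this example:
# sequence, time, process:PID, request, path, result, other
COLUMNS = ("seq", "time", "process", "request", "path", "result", "other")
WRITE_REQUESTS = {"IRP_MJ_CREATE", "IRP_MJ_WRITE", "IRP_MJ_SET_INFORMATION", "FASTIO_WRITE"}
BLOCKED_RESULTS = {"ACCESS DENIED", "SHARING VIOLATION"}


def plant_sentinel(path):
    """Create an empty, read-only placeholder at `path` so whatever keeps
    recreating the file fails on its next attempt.  O_EXCL refuses to clobber
    a file that is already there (which might be the real dropped binary)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL)
    os.close(fd)
    os.chmod(path, stat.S_IREAD)   # read-only attribute on Windows, mode 0400 elsewhere
    return path


def parse_filemon(text):
    """Yield one dict per event line; the header and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        parts += [""] * (len(COLUMNS) - len(parts))
        yield dict(zip(COLUMNS, parts))


def blocked_writers(text, sentinel):
    """Processes whose create/write on `sentinel` was refused, most frequent
    first.  Those processes (and their parents) are what to chase."""
    target = sentinel.lower()
    hits = Counter()
    for ev in parse_filemon(text):
        if (ev["path"].lower() == target
                and ev["request"] in WRITE_REQUESTS
                and ev["result"] in BLOCKED_RESULTS):
            hits[ev["process"]] += 1
    return hits.most_common()


SENTINEL = r"C:\WINDOWS\Prefetch\9129837.exe"

# Constructed sample capture: process names and events are made up.
SAMPLE_EVENTS = [
    ("1", "9:29:01 AM", "svchost.exe:1032", "IRP_MJ_CREATE",
     r"C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf", "SUCCESS", "Options: Open  Access: All"),
    ("2", "9:29:02 AM", "sample_dropper.exe:2244", "IRP_MJ_CREATE",
     SENTINEL, "ACCESS DENIED", "Options: OverwriteIf  Access: All"),
    ("3", "9:29:02 AM", "sample_dropper.exe:2244", "IRP_MJ_CREATE",
     SENTINEL, "ACCESS DENIED", "Options: OverwriteIf  Access: All"),
    ("4", "9:29:05 AM", "scanner.exe:1480", "IRP_MJ_CREATE",
     SENTINEL, "SUCCESS", "Options: Open  Access: Read"),   # an AV read of the file: not a hit
    ("5", "9:29:09 AM", "sample_helper.exe:1764", "IRP_MJ_WRITE",
     SENTINEL, "SHARING VIOLATION", "Offset: 0 Length: 4096"),
]
SAMPLE_LOG = "#\tTime\tProcess\tRequest\tPath\tResult\tOther\n" + \
             "\n".join("\t".join(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for process, n in blocked_writers(SAMPLE_LOG, SENTINEL):
        print(f"{process}: {n} refused write(s) to {SENTINEL}")
```

Treat the sentinel as a tripwire rather than a block: anything running with administrator rights can clear the read-only attribute or delete and recreate the file, which is why the Filemon capture, not the file, is the useful output. Successful opens for read (the antivirus scanning the file, Explorer showing its icon) are deliberately ignored; only refused create/write requests against that exact path count.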
 

by: younghv, posted on 2009-09-16 at 11:22:59 (ID: 25348512)

rxfoster,
I too remember the old days of 'Safe Mode' scans being the starting point for anti-malware work. Unfortunately the bad guys have gotten a lot better at what they do.

Both ComboFix and MBAM (and a few others) are specifically written to run in Normal Mode - and to identify the malware processes (and sources) while you are running your computer as you normally would.

When 'bol' posts his ComboFix log, standby to watch 'rpggamergirl' put the hurt on whatever bad stuff is running on that computer. It is a joy to behold.

 

by: b0lsc0tt, posted on 2009-09-16 at 11:24:42 (ID: 25348522)

Thanks for the responses.  An update first.

Full scan using MalwareBytes and then AVG did not find anything.  I have run ComboFix and the log is below.  The message we were getting from AVG every time the machine started about finding the 9129837.exe file has not come up since ComboFix was run.

How does the ComboFix log look?  Any concerns or something else we should do?  The machine seems to be running fine now.  I haven't looked to see if the file was still in the Prefetch folder (with a .pf extension and slightly different name) or if the registry entry was still there.  I can look at those if it is important.

Also I figured you would mention if the HJT log looked bad but it is available in the question body.  I didn't see a response about it so wanted to make sure it wasn't just overlooked.  Disregard it of course if the ComboFix log is better (see below).

Let me know if you need any other info or have a question.  Thanks to all who have posted or looked at this so far!

anil_kumar137,
Thanks for the registry path and the first recommendation for ComboFix.  It is a great program.  As far as the path I now remember that one but had gotten confused about it.  Relates to MSCONFIG and removing entries but probably not worth bringing up here.

Stussyexpert,
Thanks for the info on the Prefetch folder and contents.  If the file doesn't get removed by these clean up steps and programs then I will manually remove it later.

younghv,
Thanks for the ComboFix details.  The results are below.  A side note as I ran it.  It was the first time I did it on a machine running AVG.  I did disable the Resident Shield before starting the program but somehow AVG still popped up a message to Allow/(or some other option) about 3 program files related to ComboFix.  It happened right at the start.  The rest seemed to go fine but I was concerned AVG may cause a real problem.  Do you know if I missed something in trying to "shutdown" the virus program?  Some of those really are a pain to disable. :(

rxfoster,
The machine has been working fine in normal mode so I haven't had to resort to Safe Mode for any steps yet.  Fingers are crossed that we passed the worst of it.  I do know most of what I have run or has been suggested works better in Normal mode so I prefer to avoid Safe Mode unless it is my only option.  As far as FileMon, I am aware of it but honestly it would be a last resort.  I'd rather rely on Virus experts and programs to clean than try to manually chase it down.

bol

ComboFix 09-09-14.02 - scottd 09/16/2009  9:29.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1368 [GMT -7:00]
Running from: c:\documents and settings\scottd\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
c:\windows\SW_Win2000X16.DLL
c:\windows\SW_Win2000X9.DLL
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\twain_16.dll
 
.
(((((((((((((((((((((((((   Files Created from 2009-08-16 to 2009-09-16  )))))))))))))))))))))))))))))))
.
 
2009-09-15 23:56 . 2009-09-15 23:56	--------	d-----w-	c:\program files\Trend Micro
2009-09-15 23:44 . 2009-09-15 23:44	--------	d-----w-	c:\documents and settings\scottd\Application Data\Malwarebytes
2009-09-15 23:44 . 2009-09-10 21:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-15 23:44 . 2009-09-15 23:44	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-09-15 23:44 . 2009-09-15 23:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-15 23:44 . 2009-09-10 21:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-09-15 23:42 . 2009-09-15 23:42	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-09-15 14:21 . 2009-09-15 14:22	--------	d-----w-	C:\PublishedWebsites
2009-09-11 21:31 . 2009-09-11 21:31	--------	d-----w-	c:\windows\SigPlus
2009-09-11 21:31 . 2009-09-11 21:31	--------	d-----w-	C:\SigPlus
2009-09-10 03:08 . 2009-06-21 21:44	153088	------w-	c:\windows\system32\dllcache\triedit.dll
2009-09-08 22:07 . 2009-09-08 22:07	--------	d-----w-	c:\windows\system32\ViewPDF02.ocx
2009-09-08 22:07 . 2009-09-08 22:07	--------	d-----w-	c:\program files\WPViewPDF
2009-09-08 22:06 . 2009-09-08 22:06	--------	d-----w-	C:\wPDFViewer
2009-08-28 16:51 . 2009-08-28 16:51	--------	d-----w-	C:\08wtbase
2009-08-28 13:40 . 2009-08-28 13:40	--------	d-----w-	c:\documents and settings\scottd\Application Data\AVG8
2009-08-27 15:16 . 2009-09-14 23:10	--------	d-----w-	C:\09testdta
2009-08-21 17:49 . 2009-08-21 18:31	--------	d-----w-	c:\temp\cchdixieDATABASE
2009-08-21 17:48 . 2009-08-21 17:48	1275958	----a-w-	c:\temp\cchdb.zip
2009-08-21 15:51 . 2009-08-21 15:52	--------	d-----w-	C:\vanaccident082009
2009-08-19 22:20 . 2009-09-01 16:59	--------	d-----w-	C:\winfiduc09
2009-08-19 22:20 . 2009-09-10 19:56	--------	d-----w-	C:\winscorp09
2009-08-19 22:20 . 2009-09-10 01:46	--------	d-----w-	C:\wincorp09
2009-08-19 22:20 . 2009-09-14 18:43	--------	d-----w-	C:\winptnr09
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 15:42 . 2009-05-05 17:28	--------	d-----w-	c:\documents and settings\All Users\Application Data\Google Updater
2009-09-16 15:04 . 2007-08-27 22:21	--------	d-----w-	c:\program files\Mozilla Thunderbird
2009-09-15 23:41 . 2007-08-02 16:48	--------	d-----w-	c:\program files\Java
2009-09-11 13:45 . 2007-08-30 19:16	--------	d-----w-	c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-10 10:10 . 2008-08-22 16:19	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-09-10 10:01 . 2007-08-02 16:55	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-09 20:28 . 2009-03-19 00:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\Embarcadero
2009-09-08 15:03 . 2007-08-02 16:59	87704	----a-w-	c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 16:55 . 2009-08-05 22:05	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-09-04 15:44 . 2007-08-23 22:06	--------	d-----w-	c:\program files\Gnostice
2009-08-10 15:19 . 2007-10-12 19:03	--------	d-----w-	c:\documents and settings\scottd\Application Data\Canon
2009-08-07 21:42 . 2007-08-23 23:14	--------	d-----w-	c:\program files\HiComponents
2009-08-05 09:01 . 2004-08-11 22:00	204800	----a-w-	c:\windows\system32\mswebdvd.dll
2009-07-29 17:31 . 2009-07-29 17:31	--------	d-----w-	c:\program files\ActiveDBSoft
2009-07-28 21:02 . 2008-07-21 15:54	--------	d-----w-	c:\program files\Common Files\Merge Modules
2009-07-28 17:04 . 2009-03-18 15:19	11952	----a-w-	c:\windows\system32\avgrsstx.dll
2009-07-28 17:04 . 2009-03-18 15:19	335240	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2009-07-28 17:04 . 2007-08-28 20:37	27784	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2009-07-17 19:01 . 2004-08-11 22:00	58880	----a-w-	c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-11 22:00	286208	----a-w-	c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-11 22:00	827392	----a-w-	c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-11 22:00	78336	----a-w-	c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 22:00	17408	------w-	c:\windows\system32\corpol.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tracks Eraser Pro"="c:\program files\Acesoft\Tracks Eraser Pro\te.exe" [2007-05-24 1327104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-05 39408]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\366\g2mstart.exe" [2009-05-22 31552]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-15 149280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-12 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-29 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-29 113664]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-28 17:04	11952	----a-w-	c:\windows\system32\avgrsstx.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DBTools Software\\DBManagerPro\\DWGServer\\DWGServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
 
R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/18/2009 8:19 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/18/2009 8:19 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/18/2009 8:19 AM 108552]
R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2/1/2008 4:50 PM 191616]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 3:25 PM 65536]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/25/2009 9:14 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/18/2009 8:18 AM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/25/2009 9:14 AM 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
R2 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [1/14/2009 1:04 PM 65536]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [3/18/2009 8:18 AM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 6:43 PM 31896]
S2 gupdate1c9cda534d21190;Google Update Service (gupdate1c9cda534d21190);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2009 10:16 AM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [3/18/2009 8:18 AM 29208]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
 
2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]
 
2009-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-05 17:28]
 
2009-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 17:16]
 
2009-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
mStart Page = hxxp://www.foxnews.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {099403A7-2334-4432-BDD0-F496AE3A86B5} - hxxps://secure.digsigtrust.com/ms/IdenTrustCertEnroll.cab
.
- - - - ORPHANS REMOVED - - - -
 
AddRemove-Adobe Photoshop 6.0 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop 6.0\Uninst.isu
AddRemove-Adobe Photoshop 7.0 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop 7.0\Uninst.isu
AddRemove-CBuilder5 - c:\windows\IsUninst.exe -fc:\program files\Borland\CBuilder5\Uninst.isu
AddRemove-Diff Doc_is1 - c:\program files\Softinterface
AddRemove-IDAutomation.com - c:\program files\IDAutomation.com
 
 
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 09:44
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'explorer.exe'(832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Citrix\GoToMeeting\366\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\366\g2mlauncher.exe
c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-09-16  9:55 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-16 16:55
 
Pre-Run: 8,829,276,160 bytes free
Post-Run: 8,772,386,816 bytes free
 
270	--- E O F ---	2009-09-10 10:04
                                              

 

by: rxfoster | Posted on 2009-09-16 at 12:07:35 | ID: 25348946

younghv - Excellent, looks like a darn fine program, I will add it to my toolbox... very much appreciated, sir.

b0lsc0tt - One item of interest... the "twain_16.dll" deletion by Combofix, that is from Adware.7000n - so that is one less thing to worry about as well.  You might confirm that everything under Supplementary scan is as you wish it to be.  Also, your home page ROCKS =)

Note: "Safe Mode" simply ensures that certain processes are not automatically initiated on boot.  It doesn't guarantee a fix, but it's certainly not rendered obsolete by some program.

Filemon just shows you what is running, and what it is doing on/to your system.  If you have never run it before, and are an IT professional in the Windows space, I recommend giving it a whirl as it is an invaluable tool in diagnosing everything from permissions issues to memory leaks.  And while it is fine to rely on "Virus experts" and programs to clean your machine, ultimately no one is going to be able to certify that you are 100% operational from a post.  You are going to have to dig in to do a health check and see that any residual issues are not still resident.

That being said, the log looks pretty clean!  


 

by: b0lsc0tt | Posted on 2009-09-16 at 12:26:15 | ID: 25349146

rxfoster,

The machine is actually a coworker's.  I had to check to see what the HomePage was.  Glad you like it but not really something I would choose.  Nothing against the site or page though, just not what I want to have to load every time I start my browser.

As far as FileMon I agree it is a great tool.  I have actually found it very useful for some of my work related projects.  Speaking of that I have to get back and as long as this can get cleaned without me spending tons of time on it (and my coworker off his machine) I will be VERY happy.  I really do hate virus infections because it seems the machine is often not the same after it.  If it weren't so much work to reformat, etc., it would be what I would recommend every time.  Luckily we do have great tools and there are great experts here so I know if it can be cleaned and "as good as new" they will get me there. :)

Thanks for the feedback on the log and your review.  I will keep this open for others to review and respond but appreciate your input and info.

bol

 

by: younghv | Posted on 2009-09-16 at 17:35:33 | ID: 25351779

bol -
As you can probably guess, the following information is not from me. :)
Please review the information and post any questions you have.

Thanks,
Vic
******************************
There was an infostealer/keylogger in the system so it's a good idea to change passwords etc.

c:\windows\twain_16.dll <-- this file does not belong to Adware 7000n.com... it is actually an info-stealer, so Bol might like to tell the user to change all passwords that have been used on that PC (using another clean PC).
http://74.125.113.132/search?q=cache:8Xn23ADa98gJ:www.threatexpert.com/report.aspx%3Fmd5%3Dbbd0e2a92e3815641b8174fde2acecb6+twain_16.dll+threatexpert&cd=1&hl=en&ct=clnk&gl=au


%system%\twain_16.dll <-- this one is the one belonging to 7000n.com, located in the system32 folder, whereas the one in Bol's log is located in the Windows folder (the infostealer)
http://74.125.113.132/search?q=cache:xkWLGSZVrDoJ:www.symantec.com/security_response/writeup.jsp%3Fdocid%3D2005-041115-1322-99+twain_16.dll+symantec&cd=6&hl=en&ct=clnk&gl=au

 

The Combofix log looks all right.  The only suspicious entries are those unknown folders in C:\ (examples below), but then the user might have created or know those folders.  Bol can ask the user if they know those folders.
C:\vanaccident082009
C:\winfiduc09
C:\winscorp09
C:\winptnr09

 

by: younghv | Posted on 2009-09-16 at 17:36:31 | ID: 25351803

Note to log in to a 'clean computer' before doing all of the account/password changes.

 

by: b0lsc0tt | Posted on 2009-09-16 at 18:34:23 | ID: 25352139

Vic,

Thanks!  Is there any way to tell when that file started "logging" or was installed?  Would it only log TYPED passwords or what about those "saved" and entered by a program (i.e. an email client that checks email)?

Is the computer now a clean one or what else would need to be done?  I can change the passwords from another computer (or have him) but if it is clean now shouldn't that computer be OK to use too?

The folders are fine and created by the user.  One is probably a personal one (you can guess what it contains) and the others are work related.

Thanks again.

bol

 

by: rpggamergirl | Posted on 2009-09-17 at 05:36:49 | ID: 25355297

bol,

Hard to know when that file started monitoring... though you may find when it was installed/created by looking at the properties.

If the system is clean now then it should be okay to change passwords from that PC.
I would also do an online scan (Kaspersky is good) to check for other nasties missed by MBAM, AVG and Combofix, as sometimes some scanners may miss something.

Kaspersky won't remove any threats it finds, so a log needs to be saved if it finds threats.
http://www.kaspersky.com/virusscanner

Or even the Panda Activescan,
http://www.pandasecurity.com/activescan/index/




 

by: b0lsc0tt | Posted on 2009-09-17 at 09:09:05 | ID: 25357757

Thanks!  Is there a way to find the properties AFTER the file was removed by ComboFix?  I believe it is gone now (from the ComboFix log) but I can verify that.  Would I be able to see the attributes looking at the file in ComboFix's backup?

I will run the online scan you recommended.  Thanks for everything!

bol

 

by: b0lsc0tt | Posted on 2009-09-17 at 09:34:40 | ID: 25358070

Oh ... what about how the keylogger works?  Would it get just what was physically typed using a key on the keyboard or does it pickup everything?  E.g.  form filler in browser or third party program and "saved" passwords.  I understand this may be something hard to answer (because of the differences in those loggers) but thought it worth asking.

bol

 

by: rxfoster | Posted on 2009-09-17 at 12:21:07 | ID: 25359887

younghv,

Man, good catch! (Or to whoever sent you that)

I will shut up now =/

 

by: rpggamergirl | Posted on 2009-09-17 at 21:23:47 | ID: 25362925

Sorry, my mistake.... the original date when that file was created is now gone....

About that keylogger, I'm sorry but I have no idea what its method of stealing info is, whether it just logged keystrokes or used some other methods as well.

Some advanced keyloggers can keep track of all programs that have been launched,  the clipboard, chat conversations, all visited websites, e-mails sent and received and can also take snapshots of the screen every few seconds. But I don't know if the info-stealer found in that system also has these functions or whether it's just a plain keystrokes logger.

 

by: b0lsc0tt | Posted on 2009-09-17 at 21:27:18 | ID: 25362931

It does seem like there are some other infections or at least the online scan of Kaspersky found some.  I had to quit it because it was scanning some network drives too (and would've taken forever).  I decided to replace AVG with Kaspersky on that machine (or at least try it since AVG was going to expire soon).  I am having a problem installing Kaspersky though.  Don't know if it is related to the difficulty I had removing AVG, infections, or some conflict or other issue.  I am now doing the online Kaspersky scan (of just important areas) so I can have the log file.  I will see about getting Kaspersky (or something) installed tomorrow since it is too late for help with it now.  After all this time I am really liking my earlier idea of the clean format ...

bol

p.s.  If details of the Kaspersky install error will help someone help me with it then let me know.  I will even be glad to open a new question.

 

by: b0lsc0tt | Posted on 2009-09-17 at 21:29:08 | ID: 25362935

Thanks for the response about that stuff.  I will let him know the program may have been around for awhile.  He was great and quick about responding to the first "virus" signs when he visited a site but I don't know if that was when the file was picked up or if the two are unrelated.  I will hope the first. :(

bol

 

by: anil_kumar137 | Posted on 2009-09-17 at 21:32:07 | ID: 25362941

If you need to clean the PC, try doing it your way because the virus keeps coming back once infected... silly virus, it's like the Vodafone value "wherever you go I will follow you"

 

by: b0lsc0tt | Posted on 2009-09-17 at 21:37:57 | ID: 25362956

anil_kumar137,

What do you mean "your way" when you mentioned cleaning the virus?  If you mean the clean format I am not at that point yet.  It takes DAYS to set up that worker's machine (and others like his).  Once they are going it is worth it but I'd rather not start that process if I don't have to and can get this going.

If you meant something else please explain.  Thanks!

bol

 

by: rpggamergirl | Posted on 2009-09-17 at 21:42:11 | ID: 25362968

<<<" After all this time I am really liking my earlier idea of the clean format ...">>>

Yes, when info-stealers/keyloggers or Virut are present in the system it's always wise to reformat, regardless of whether any info has been stolen or not... for peace of mind.

If the user doesn't want to reformat there's also another tool that's supposed to detect the presence of any keylogger files, just to make sure. It's IceSword.


 

by: anil_kumar137 | Posted on 2009-09-17 at 21:44:00 | ID: 25362976

Hi, it was for another question, wrong post, sorry mate.

 

by: b0lsc0tt | Posted on 2009-09-17 at 22:02:15 | ID: 25363013

rpg,
Do you have a link to IceSword?  Is it free like so many others or is there a cost?

I will pass on the recommendation to reformat.  We might decide that but the Kaspersky scan is almost done (the "Critical areas" scan) and so I may see what that says.  Just 1 found in that scan so far.

bol

 

by: anil_kumar137 | Posted on 2009-09-17 at 22:08:44 | ID: 25363036

Hi Bol, I think you have to go with a clean installation itself, as it will keep affecting the PC, which is another problem, and later you'd have to do the same circus to remove it.

 

by: rpggamergirl | Posted on 2009-09-17 at 22:20:25 | ID: 25363075

Here's the normal canned reply for IceSword when scanning for hidden/stealth files, where the user is asked to post the logs for the Helper.

Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.


Logs can be collected under the headings :

Processes
Win32 Services
Startup
SSDT
Message Hooks




For keyloggers:
To check for the presence of keyloggers, ask the user to check Message Hooks and take note of the Process Path of any entries that are Type WH_KEYBOARD, which is the main one to look for.  Other hook types to note:

WH_MSGFILTER
WH_GETMESSAGE
WH_KEYBOARD_LL
WH_JOURNALRECORD

Legitimate programs can use WH_KEYBOARD so be careful what you delete.


 

by: rpggamergirl | Posted on 2009-09-17 at 22:23:36 | ID: 25363079

Yes, IceSword is free.

 

by: b0lsc0tt | Posted on 2009-09-17 at 22:40:09 | ID: 25363123

Thanks for that info.  I hope it will make more sense as I get started.  I may have to wait until tomorrow to do it (just getting too tired now but this is the perfect time to have access to that machine :)).

The result of the Critical Areas scan was just 1 file found.  It is the last file in the list below.  That is a copy/paste from the html log made by the scan (I will attach that file too).

The EchoVNC program is something we installed.  I haven't tried matching that DLL yet but it is a valid one for that program so I suspect that is OK.

The barcode file is also a false positive I would think but maybe I am wrong.  I will have to ask about it tomorrow but I believe, especially from the location, it was downloaded on purpose and part of the developing he does.

Not really many details about what was found in his Inbox, so I am not sure what to think of that.  Is there any way to narrow it down?  Could it also be something harmless that appears bad?  The names make me wonder, especially since they say "HTML", if it is just some thing with some Javascript that isn't harmful or malicious.  What are your thoughts?

The attached file is the detailed report with a .txt extension added so I could attach it here.  Remove and view in your browser if you wish (honest I didn't mess with the code in it :)).

bol

C:\Documents and Settings\scottd\Application Data\Thunderbird\Profiles\ho5389g6.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 57  
 
C:\Documents and Settings\scottd\Application Data\Thunderbird\Profiles\ho5389g6.default\Mail\Local Folders\Inbox Suspicious: Exploit.HTML.Iframe.FileDownload 2  
 
C:\Documents and Settings\scottd\Application Data\Thunderbird\Profiles\ho5389g6.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Paylap.bg 1  
 
C:\Documents and Settings\scottd\Application Data\Thunderbird\Profiles\ho5389g6.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Paylap.sx 1  
 
C:\Download\barcode.zip Infected: Backdoor.ASP.Ace.gc 1  
 
C:\Download\barcode.zip Infected: Backdoor.ASP.Ace.gq 1  
 
C:\Program Files\EchoVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1 
                                              

 

by: b0lsc0tt | Posted on 2009-09-17 at 23:15:19 | ID: 25363233

Thanks for IceSword.  The instructions were perfect; I was just too tired to realize it until I got going.

No red entries for Processes, Win32 Services, or Startup.  I do have logs if you want but didn't attach them.

The other 2 had red entries.  It is odd but I got no response from the program when I tried to click on Log to save them.  It seemed like you said that should work but maybe I misunderstood.

SSDT had one item that was listed about 15 times.  Each was in red.  The entry was \??\C:\Windows\system32\drivers\fslx.sys

The Message Hooks section had a number of entries as you said (with the WH_KEYBOARD).  Many seemed legit so I am not sure if you want me to still type them or if there is some other way to get the log.  Explorer (C:\Windows\explorer.exe) was listed about 5 times.  One other file in that directory was ctfmon.exe with one entry.  One in the System32 subdirectory named ctfmon.exe.  The others were all in Program Files folders.  Some I didn't know what they were for sure but only a couple.  Of course I don't know if some are really replaced or just named so close that I am missing they are harmful (like that twain file from earlier which I believe has some legit "cousins" in that same folder).  Let me know if you want more details.

Thanks!

bol

 

by: rpggamergirl | Posted on 2009-09-18 at 02:57:29 | ID: 25364270

C:\Windows\system32\drivers\fslx.sys <-- this file seems to be a legit one belonging to the Altiris SVS Client driver
ctfmon.exe <-- if located in the system32 folder it is legit... but if located in the Windows folder then it's the info-stealer.

I think all those files that Kaspersky flagged as suspicious or infected are false positives, it happens.

Looks like things are okay then.

 

by: revolution2kk8, posted on 2009-09-18 at 05:44:53, ID: 25365321

http://www.spywareterminator.com/download/download.aspx

try this guy, it's FREE!!! good private group..

this and malwarebytes always seems to work for me..


press F8 at start up and run windows in safe mode with networking to disable virus start up files and to be able to update virus database especially with malwarebytes

http://www.malwarebytes.org/mbam.php  it's only $24 but totally worth every penny

good luck!!

 

by: SSharma, posted on 2009-09-18 at 07:44:06, ID: 25366482

Hi All,

Maybe I am a little late on this, however if the problem is still not resolved you could try the following:
Filename: 9129837.exe is associated with Trojan/ Rootkit named differently by different Anti Virus vendors. For example:

Packed.Generic.234 [Symantec]
Backdoor.Win32.HareBot.ee [Kaspersky Lab]
Generic PWS.y!fr [McAfee]
Troj/FakeAV-VQ [Sophos]
TrojanSpy:Win32/Ursnif.gen!G [Microsoft]
Trojan-Spy.Win32.Ursnif [Ikarus]
Win-Trojan/Haiuy.59392 [AhnLab]

Registry Modifications
The following Registry Keys were created:
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData
HKEY_CURRENT_USER\Software\Microsoft\InetData
The newly created Registry Values are:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
ttool = "%Windir%\9129837.exe"

so that 9129837.exe runs every time Windows starts
[HKEY_CURRENT_USER\Software\Microsoft\InetData]
k1 = 0xE6994594
k2 = 0x470F80CD
version = "10"

Other details
To mark the presence in the system, the following Mutex object was created:
___RHaiuy72Mjtex

The following ports were open in the system:
1038 UDP 9129837.exe (%Windir%\9129837.exe)
1046 UDP 9129837.exe (%Windir%\9129837.exe)
1126 TCP 9129837.exe (%Windir%\9129837.exe)
1128 TCP 9129837.exe (%Windir%\9129837.exe)
1129 UDP 9129837.exe (%Windir%\9129837.exe)
1848 TCP 9129837.exe (%Windir%\9129837.exe)
12930 TCP 9129837.exe (%Windir%\9129837.exe)
23445 TCP 9129837.exe (%Windir%\9129837.exe)
30195 TCP 9129837.exe (%Windir%\9129837.exe)

The following Internet Connections were established:
Server Name     Server Port   Connect as User   Connection Password
91.213.29.22    80            (null)            (null)
91.213.29.2     20            (null)            (null)

The following GET requests were made:
cgi-bin/ooo.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=30195&version=126&crc=00000000
cgi-bin/commm.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=30195&version=126&crc=00000000
cgi-bin/ooo.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=23445&version=126&crc=00000000
cgi-bin/commm.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=23445&version=126&crc=00000000
cgi-bin/commm.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=12930&version=126&crc=00000000
cgi-bin/ooo.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=12930&version=126&crc=00000000

I hope this information helps. For removal you could try:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrfsa.html
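The GET request pattern listed above (the cgi-bin/ooo.cgi and cgi-bin/commm.cgi check-ins carrying user_id, passphrase and socks parameters) is what a defender can search web proxy logs for to spot a host that is still calling home. The script below is an added example, not code from this thread or from any product mentioned in it; it runs that match over a few constructed proxy log lines (the "timestamp client server url" format and the client IPs are assumptions) and groups hits by client so each infected host shows the SOCKS ports it advertised.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script names and query parameters taken from the GET requests quoted in the post above.
BEACON_PATH = re.compile(r"/cgi-bin/(ooo|commm)\.cgi$")
REQUIRED_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Constructed proxy log lines (not from the thread): "timestamp client server url".
SAMPLE_LOG = """\
2009-09-18T07:40:01 192.0.2.15 91.213.29.22 http://91.213.29.22/cgi-bin/ooo.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=30195&version=126&crc=00000000
2009-09-18T07:40:02 192.0.2.15 91.213.29.22 http://91.213.29.22/cgi-bin/commm.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=30195&version=126&crc=00000000
2009-09-18T07:40:05 192.0.2.22 198.51.100.7 http://198.51.100.7/cgi-bin/search.cgi?q=printer+driver
2009-09-18T07:40:09 192.0.2.15 91.213.29.22 http://91.213.29.22/cgi-bin/ooo.cgi?user_id=3868804500&version_id=10&passphrase=fkjvhsdvlksdhvlsd&socks=23445&version=126&crc=00000000
"""

def classify_request(url):
    """Return the check-in's parameters if url matches the beacon pattern, else None."""
    parts = urlsplit(url)
    m = BEACON_PATH.search(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query)
    # Both the script name and the full parameter set must be present; a legit
    # cgi-bin request with a different query string is not flagged.
    if not REQUIRED_PARAMS.issubset(qs):
        return None
    return {"script": m.group(1), "user_id": qs["user_id"][0],
            "socks": int(qs["socks"][0]), "passphrase": qs["passphrase"][0]}

def find_beacons(log_text):
    """Scan log lines and group beacon hits by client address."""
    hosts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, server, url = fields
        hit = classify_request(url)
        if hit is None:
            continue
        rec = hosts.setdefault(client, {"server": server, "user_id": hit["user_id"],
                                        "socks_ports": set(), "hits": 0})
        rec["socks_ports"].add(hit["socks"])
        rec["hits"] += 1
    return hosts

if __name__ == "__main__":
    for client, rec in find_beacons(SAMPLE_LOG).items():
        print(client, "->", rec["server"], "user_id", rec["user_id"],
              "socks ports", sorted(rec["socks_ports"]), "hits", rec["hits"])
```

The socks values match the listening ports in the post (30195, 23445, 12930), so a hit also tells you which local port to expect open on the client.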

 

by: rxfoster, posted on 2009-09-18 at 09:33:20, ID: 25367636

Vee_Mod - "Please do not ever recommend that MalwareBytes be run in "Safe Mode"."

The link to the MBAM forum that you posted states (from nosirrah, MBAM dev member):

"We instruct to use safemode when regular mode is not able to be reached OR a regular mode scan can't be completed for some other reason."

So, while it is clear that MBAM is different from other vendor offerings that run the same in safe mode and normal mode, it appears that "do not ever recommend" might be a bit strong.

Now, that being said, according to the staff it should "nearly always" be run in normal mode (which was news to me, and I am glad I know that now - thanks to younghv)

 

by: b0lsc0tt, posted on 2009-09-30 at 10:46:57, ID: 25461379

All,
Sorry for the delay.  It seems it has been one thing after another although luckily it wasn't too much more with that machine.

SSharma,
Thanks for the info.  It seems that malware/virus is no longer an issue.  I saw no trace of the files or registry entries listed in your post.  I appreciate the details though and nice to know it is gone.

Did the details come from some other page on the Internet or was that something you typed and compiled on your own?  If it was from other source then please let me know what it was.  I am still glad you posted it but it really needs to credit the source and may have been better as a URL since a lot of content was copied.  Of course that also may be your own content; the layout of it just makes me wonder and I also notice you are new here.

revolution2kk8,
Thanks for posting but did you read my posts?  I am already using MalwareBytes and have moved beyond it.  In fact it didn't find anything if I remember right.  Still a good recommendation if I wasn't already using it.  I am glad the Moderator pointed out the proper use of it though.  Luckily the computer was really functional so Safe Mode, as a last resort, was not needed for any of this.  Please make sure you read all the comments carefully before posting in the future.  The question and some of my comments referenced running MalwareBytes.

rpggamergirl,
Should I be worried I couldn't save the other log files?  They were actually in areas that would seem to be something worth review.  Thanks for the response on the files and IMO the entries in the 2 areas are OK but it does puzzle me that I couldn't save the log file for either.

Also, since it seemed I was at a point where ComboFix had served its purpose I went to uninstall it.  It seemed to start the process to uninstall but the virus program, AVG, popped up some messages related to the files I had originally removed (I believe one was the file with the numbers in the name).  After that it seemed the program wasn't removed.  I saw no sign that I was really infected but is the virus program seeing what ComboFix removed and so interfering when I try to have it uninstalled?  Is there a good way to uninstall ComboFix?  Is there a chance that process, either the uninstall or the virus program's interference, could mess with sound drivers on the machine?

The latter seems off topic but at some point the machine lost the ability to play sound.  Even to the point I couldn't click the Play button in the Sounds section of Control Panel when I had some Windows event selected.  I was about to do a repair install but luckily a restore fixed things.  Just wanted to provide this detail in case it could be related.

All,
** general info that you could skip **
As far as an update and current status the machine has been running well for a few days now.  I did have to manually fix a registry entry or two that had permissions messed up (no owner, guest account had "full access", and I couldn't access even with Admin rights).  It took a few steps but they seem good now.  In case it matters the one key I remember, and was causing issues for removing and then reinstalling AVG, was HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows .  The error had to do with creating a registry key there but when I looked I didn't even have access for the reasons I just mentioned.  It is fixed now.  My fingers are still crossed that those were the only things messed up in Windows by this.

For general info to maybe help others the Kaspersky install had an issue on that machine.  It was an error 1904 in module adialhk.dll ("failed to register" and "HRESULT -2147024891").  I was able to install the program by leaving out the Spy part of it.  Kaspersky tech support provided that suggestion and it worked great.  Unfortunately Kaspersky was just too "active" in its protection.  The machines I tested it on slowed noticeably for the users.  Too slow and I couldn't get settings in Kaspersky to make a difference (i.e. mark files/folders as "trusted" for certain or all Kaspersky tasks).  I had to go back to AVG on the machines, including the one infected.  While Kaspersky was installed on the machine that was infected it did remove a couple of things.  I believe I listed them above but they didn't seem that major (not like the key logger).
** END **

Hopefully that may be useful to someone.  I am interested if any have follow ups on what I posted.  I will keep this open for a few days at least to hopefully get a response about ComboFix removal and to see if there are any other responses.  Thanks for all the help.  Let me know if anything isn't clear or there is a question.

bol

 

by: rpggamergirl, posted on 2009-09-30 at 21:58:11, ID: 25466067

<<<"Should I be worried I couldn't save the other log files?">>>

Which log you couldn't save?
Sorry, my canned states logs but should be data collected as only 3 logs can be collected namely:
1. Processes
2. Win32 Services
3. StartUp

The 2 other sections I asked about, SSDT and Message Hooks, don't produce logs.

I run IceSword on my pc and I was able to save the above 3 logs.



<<<"It seemed to start the process to uninstall but the virus program, AVG, popped up some messages related to the files I had originally removed (I believe one was the file with the numbers in the name).">>>

You mean AVG gave you an alert whether to allow Combofix to remove the random numbered filename that has been deleted?
I would turn off AVG first, though I don't know why AVG would alert about any files in the Qoobox quarantine folder at any time except when AVG was running a scan?
The Combofix log you posted was the result of the second run and that random numbered filename was not listed among the files deleted by CF on that log, though CF could've deleted it in its first run. As I've said the CF log you posted was the result of the second run which only shows the recent deleted files and not the previous ones.
I always use CF uninstall switch when I uninstall Combofix --> ComboFix /u


<<<"either the uninstall or the virus program's interference, could mess with sound drivers on the machine?">>>

I don't think so, not that I know of ... the only time I've known sound to be affected after cleanup was if some values in the registry were hijacked and the scanner/user deleted the bad file without resetting the registry; there was one thread here at EE.

For example, in this key the "aux" value is hijacked; if C:\Windows\System32\wdmaud.sys is deleted without fixing the registry then the sound driver may not work.
HKLM\software\microsoft\windows nt\currentversion\drivers32
"aux"="wdmaud.sys"


 

by: b0lsc0tt, posted on 2009-10-08 at 15:36:51, ID: 25530941

rpg,
Thanks for clearing up the IceSword program.  Glad it worked for me as it should.

It was a day or two before so I may be leaving out a detail about the message.  It was an AVG one that appeared just as I was running the ComboFix /u command.  It mentioned that numbered file I mentioned above and another message/file or two.  I agree it is odd since the ComboFix program didn't seem to remove it.  AVG did initially before running ComboFix.  The CF log I posted was actually the first run of that program but after the other "virus" was removed.

I won't worry about it now though.  I will leave CF on the computer.  It just isn't worth the risk of removing even though the sound issue was probably just a coincidence.  I spent enough time trying to fix it before having to use the Restore Point that it just isn't worth the time and CF is fine remaining installed for now.  The coworker won't be bothered by the desktop icon and will leave it alone unless they ask me.

Thanks to all!  I will close this now but really appreciated all those that helped, even in a small way.

bol

 

by: b0lsc0tt, posted on 2009-10-08 at 15:45:28, ID: 31629221

Thanks for all the patience and information.  The machine has been working well for a while now and I learned some new stuff.  Best of all it seems no clean install will be needed. :)

 

by: rpggamergirl, posted on 2009-10-08 at 21:47:14, ID: 25532373


<<<"The CF log I posted was actually the first run of that program but after the other "virus" was removed.">>>
hmm.. something is wrong somewhere because the log shows it was the result of the second run... maybe CF hung then continued to run? CF scans are numbered and that one had number 2.
Sorry couldn't help much there.

Yes, it's okay to leave Combofix installed, as long as the next time it's run it gets updated; it has an expiry date, after which it only runs in 'reduced functionality' mode.
