WinFixer - Removing from Registry - how?

I have had this problem occur and would like to remove it I hope this is the right area to post about this.
I have tried VUNDO both sections and nothing works.
I tried HiJack This and my log is below my singautre.
I have tried NO ADWARE and it comes up as being on these two files does anyone know how i can get to them?
WIN FIXER: HEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DF_KMD
WIN FIXER: HEY_LOCAL_MACHINE\SYSTEM\CURRENT CONTROL SET\ENUM\ROOT\LEACY_DF_KMD
ALSO on these forums it would really help if people could attach images so I could have shown you the no adware log rather than type it out.
Anyone that can help please I will rate you 500 if i can get this answered cause It's annoyingly causing many problems on the computer many of which are popups.
HIJACK THIS LOG BELOW SIGNAUTRE
Any help VERY APPRECIATED
Amanda aka raven555
Logfile of HijackThis v1.99.1
Scan saved at 1:05:50 AM, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\nod32kui.exe
G:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
G:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
G:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.EXE
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
C:\Documents and Settings\Amanda\Desktop\abc\abc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {3D9E7C96-9533-423F-B85F-70F859A20CE4} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {733FD72F-103E-4B9E-BCB9-A76064AF3C72} - C:\WINDOWS\system32\vtututs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CloneCDTray] "G:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /A "C:\WINDOWS\system32\E_S1DE.tmp"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Free Download Manager] G:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "G:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - Global Startup: Adobe Reader Synchronizer.lnk = G:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with &FileFactory Turbo - G:\Program Files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125702722750
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/chainz_2/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.cogeco.ca/en/ols21/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://caebmm.imgag.com/imgag/cp/install/crusher-cae.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CEEFE929-741C-4323-B7FE-C17CA6DA3A01} (WebCamX Control) - http://live.dss.com.tw/WebCamX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/chuzzle/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ssttt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - G:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe

raven555Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

r-kCommented:
"WIN FIXER: HEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DF_KMD
WIN FIXER: HEY_LOCAL_MACHINE\SYSTEM\CURRENT CONTROL SET\ENUM\ROOT\LEACY_DF_KMD"

For these, you can open Device Manager (Control Panel -> System -> Hardware -> Dev Manager) then select View -> Show Hidden Devices
then expand the tree for "non plug-and-play drivers" and see if the above is in that list. If there you can right-click and select disable or uninstall.

For Winfixer in general this has been discussed here before, e.g:

 http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21733115.html
 http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21753895.html
0
r-kCommented:
Also you can post your HJT log at http://www.hijackthis.de/ and click "Analyze" at the bottom to get some help in identifying the bad stuff.
0
rpggamergirlCommented:
>>I have tried VUNDO both sections and nothing works.<<
Are you saying that you've tried both Vundofix and or VirtumondoBegone.exe? and didn't help? You have remnants of vundo there.

You have purityscan there as well and combofix will get rid of it:
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall


Please fix these entries too:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {3D9E7C96-9533-423F-B85F-70F859A20CE4} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {733FD72F-103E-4B9E-BCB9-A76064AF3C72} - C:\WINDOWS\system32\vtututs.dll (file missing)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O20 - Winlogon Notify: ssttt - C:\WINDOWS\
0
Webinar: Miercom Evaluates Wi-Fi Security

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom how WatchGuard's Wi-Fi security stacks up against the competition in our upcoming webinar!

rpggamergirlCommented:
Have you tried manually deleting those registry entries yourself by going to those keys?

Start > Run > type in

regedit

press Enter and navigate to those keys and delete -->"LEGACY_DF_KMD"
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DF_KMD
HKEY_LOCAL_MACHINE\SYSTEM\CURRENT CONTROL SET\ENUM\ROOT\LEACY_DF_KMD

legacy keys are harmless when the main vundo dll is already gone.

----------------------
O20 - Winlogon Notify: ssttt - C:\WINDOWS\
The above entry, is another main vundo dll that's hidden,
if you have the vundo.txt, can you post it so we can see if there are any vundo dlls that it couldn't removed? the log should tell us something.

You can also try SUPERAntispyware:
http://www.superantispyware.com/
0
raven555Author Commented:
Hello rpggamergirl
I have done both scans.....and I have posted them on my site so that the post isn't so long.
Please reply would be willing to fix anything anyone suggests it's so annoying :(
ComboFix log file
http://www.atimefortv.net/COMBOFIX.html
http://www.atimefortv.net/HIJACKTHIS.html
Let me know what i need to do
Thanks
Amanda aka raven555
0
raven555Author Commented:
Yes I tried going to the keys themselves, but they weren't listed
they still show up in NOADWARE when I run the scan and if they aren't there, why is Noadware still getting the WINFIXER? and I still get popups

Amanda aka raven555
0
rpggamergirlCommented:
Thanks for the logs.
Did you have 3 instances of Internet Explorer running while hijackthis did a scan? looks like it.

These entries are still showing in hijackthis log. Also those 016 entries you can safely fixed, they will be downloaded again when you visit those sites or when an app needs them. They all load when IE is open.
O2 - BHO: (no name) - {733FD72F-103E-4B9E-BCB9-A76064AF3C72} - C:\WINDOWS\system32\vtututs.dll (file missing)
O20 - Winlogon Notify: ssttt - C:\WINDOWS\


LEGACY_MCHINJDRV <-- this one is supposedly already deleted. Smitfraudfix also deletes this driver and other relevant reg entries that relates to winfixer.

You can delete these files below, they are the reversed files of main vundo dlls, remnants of Vundo/winfixer infection, you need to show hidden files first, or you can use Killbox to delete them ALL in one go.
C:\WINDOWS\system32\kmllm.ini2
C:\WINDOWS\system32\kmllm.bak2
C:\WINDOWS\system32\kmllm.bak1
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.bak1


I'm not sure about these files below, probably related to pogo apps, but you can have them check at jotti online --> http://virusscan.jotti.org/
C:\WINDOWS\modemx.dll
C:\WINDOWS\rascntrl.dll
C:\WINDOWS\system32\svcprmpt.dll

There are other files dated back in February and January that I didn't checked(as I assume your problem is only recent)


Can you also run smitfraudfix? Please run option 2 in Safe Mode, and then run option 3 in normal mode to clear your Trusted zones.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
raven555Author Commented:
rpg girl,
I tried to do as you suggest when when i went to try to do Start - RUn regedit, it wouldn't let me type in Safe mode, can you advise how to fix this?

I've never had this problem
Amanda
0
rpggamergirlCommented:
That legacy driver is supposedly have been removed.
Just look in the registry in normal mode, can you access the registry in normal mode?

I don't think those registry are still present, if so, then what you can do is run smitfraudfix, smitfraudfix will also removed those reg entries.
I want to know why you can't access the registry, whether it's disable by malware or not.
0
raven555Author Commented:
4 vertical lines like pixels (memory cells ) come up now and I don't know how to fix this either? can someone help? by the way, rpg girl your answer did help so I'm giivng u the points to the the other matter wasn't sure what to call this subject so that I know where to post the memory issue.
Anyone that can help is appreciated
Amanda c
0
rpggamergirlCommented:
Sorry I wasn't here, I see you've already posted your new question and MASQUERAID is there helping you, that's great.

Thank you for the points, :)
Good luck!
~rpg
0
raven555Author Commented:
Your welcome rpggamergirl,
feel free to offer anything you can think of

on the other post :)
Amanda
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.