You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Turn off system restore.(XP/ME only) See how here.>
http://www.bleepingcomputer.com/forums/tutorial56.html
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.>
http://www.bleepingcomputer.com/forums/tutorial61.html
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.>
http://www.bleepingcomputer.com/forums/tutorial62.html
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
<Fix this if you haven`t set this proxy yourself or don`t know what it is.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
<As above.
O16 - DPF: {0D0950E6-046D-437A-8985-369BE10C7E2A} (LogOutOCX.LOgOut) -
http://iauthor.accenture.com/iauthor/ASP/IALogOut.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) -
https://ftl.gateway.citrix.com/net6helper.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{864879D0-B1E7-4EC2-9BEF-4D65657995D5}: NameServer = 205.152.0.5,205.152.16.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = citrite.net,ctxuk.citrix.com,jp.citrix.com,citrix.com.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = citrite.net,ctxuk.citrix.com,jp.citrix.com,citrix.com.au
Only fix the above 017 entries, if you don`t recognise the domain or the entries are not from your ISP.
Click on the fix checked button.
Close HJT. Reboot your system.
Let me know if that helps.
Regards Howard
This thread is for the use of alexherb56 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.