Virus message popup

#21
11-02-2008
tw0rld, TechSpot Booster
Member since: Oct 2007, 585 posts
Sorry if I didn't explain it properly. You needed to delete the files, not the registry entries.

Browse to C:\windows\system32
Search for and delete dmtxe.exe & dmzsy.exe

Browse to
C:\Documents and Settings\All Users\Application Data\great coal love default
Search for and delete warn once.exe

When finished with the above, run msconfig and deselect:

1. dmtxe.exe
2. dmzsy.exe
3. warn once.exe
Click Apply, and OK to exit, then click Restart.
Upon restart Windows will display a dialog; click the check box and click OK.

After restart use msconfig cleanup to remove those entries mentioned above.
#22
11-03-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
Tw0rld

I navigated via Explore and could not find the dmtxe.exe & dmzsy.exe files. When I deleted them in regedit they must have gone. I found a folder for the "Great Coal Love" and deleted it.

I ran msconfig, but the files were not there to de-select (presumably this was on the startup tab).

I re-started and did msconfig cleanup - there was nothing to select.

I re-booted the pc and hey presto ... Bratsk appeared again in Windows and system 32!! (I also now know that the one in Windows makes the red circle/white cross appear on the taskbar, because if I delete it quick enough it doesn't come up, but I still have to go to another user to delete the system 32 one).

I have back-tracked on the instructions and had another look in the regedit files from the earlier post 680074. There is still nothing suspicious in these files that can be causing this bug to reappear on re-boot. It would help if I could copy and paste them to a list here.

In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] only these look suspicious..

(Default) Reg_SZ (Value not set)
CTooLBar Reg_SZ prcmon.exe
CTSyncU.exe Reg_SZ C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

The rest are associated with known applications i.e. Active Sync, Kill&Clean, Nokia, Popstop and Google taskbar.

In [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

Apart from a long list of known stuff there is (under suspicion):-

(Default) REG_SZ (Value not set)
Carpservice REG_SZ Carpserv.exe
csrss REG_SZ
IconixOEAddOn REG_SZ C:\Program Files\EMail ID\OEAddOn\OEdmn_2.exe
kernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
NeroFilterCheck REG_SZ C:\WINDOWS\System32\NeroCheck.exe
PinnacleDriverCheck REG_SZ C:\WINDOWS\System32\PSDrvCheck.exe
SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
TkBellExe REG_SZ C:\Program Files\Common Files\Real\Update_OB\Realsched.exe - osboot
winlogin REG_SZ

I notice in the windows & system32 folder in explore there are a lot of unusual .exe files with strange series of letter (if that helps). ie "ejekoku" - many appear to be MSDos applications.

I'm afraid it's back to trying to pin down what is putting Bratsk back in the Windows/system32 files on reboot.

Thanks for your help.
#23
11-03-2008
Ex-TechSpotter
Member since: Dec 2007, 18,354 posts
Quote:
In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] only these look suspicious..

(Default) Reg_SZ (Value not set)
CTooLBar Reg_SZ prcmon.exe
Well "prcmon.exe" is a Trojan
So that registry entry can be removed
Then locate prcmon.exe in your Windows folder and remove it
(note you may need to end the process first through Task Manager, or just restart and then do this)
#24
11-03-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
Hi - yes I've deleted that one. Still got Bratsk though if you have any more ideas?
#25
11-03-2008
tw0rld, TechSpot Booster
Member since: Oct 2007, 585 posts
Unhide hidden files

My computer > Tools menu > folder options > Click view tab > select show hidden files and folders > click ok and apply to exit.

Now browse to C:\windows\system32 and see if the dmtxe.exe & dmzsy.exe files are now there.

Also delete this file Bratsk

Deleting the registry entry will not delete the file itself.

If this doesn't work then something else is causing the problem.
#26
11-03-2008
tw0rld, TechSpot Booster
Member since: Oct 2007, 585 posts
I just realized that this thread has been hijacked. That's not fair. Here I was thinking that you started the thread. You should have started your own thread, but I guess it is too late for that.

In your first post you mentioned spyware 2009. Are you sure it isn't antivirus 2009?
#27
11-03-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
Files were already unhidden and these two are not in system32.
Apologies, I didn't mean to hijack - happened by accident. I believe Karterfive and myself have an identical problem.
It was called AntispywareXP2009 I believe
Bratsk isn't there either as I deleted both of them. But it will be back in Windows and system32 if I re-boot - which I agree says it's something else - but I have no idea what or where to look. It would help if you could agree each process in the boot up one at a time and see which one causes the problem. I've posted all of the regedit "unusuals".
#28
11-03-2008
tw0rld, TechSpot Booster
Member since: Oct 2007, 585 posts
Did you try to see if you are able to download the programs mentioned earlier? If not please try and see if you are able to.
At this point a HJT log would be great. If you are still unable to download the programs I will email them to you.

Go to C:\Program Files and search for any suspicious entries.

Last edited by tw0rld; 11-03-2008 at 05:49 PM..
#29
11-03-2008
Ex-TechSpotter
Member since: Dec 2007, 18,354 posts
Quote:
Originally Posted by tw0rld View Post
I just realized that this thread has been hijacked. That's not fair. Here I was thinking that you started the thread. You should have started your own thread, but I guess it is too late for that.
Damn I missed that too

Karterfive if you are still out there, please reply back here, and let us know if you still require support. Apologies for the misunderstanding.
#30
11-04-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
HJT Log

I have downloaded HJT but it won't allow it to run. If I click the icon it does nothing despite the fact it is downloaded and installed. Last night I tried to re-install Norton. It wouldn't let that happen either. I think it has knocked out windows installer. I followed the Norton instructions to re-install, but it still won't let it happen. All I have that is working is Spyhunter 3 security suite.
#31
11-04-2008
momok, TechSpot Evangelist
Location: Singapore
Member since: Mar 2007, 2,272 posts
Can you try running it in safe mode? Also, see if it works by renaming HijackThis to something recognisable to us, like 'DoThis.exe' or something.
#32
11-04-2008
Bobbye, Helper on the Fringe
Location: Florida
Member since: Mar 2007, 15,043 posts
SpyHunter 3 is a less than desired program. It has been listed as rogue and even current de-listing makes it clear it is not recommended. You can do better. Please see this for more information:
http://forums.cnet.com/5208-6122_102...sageID=2813886

This means you are not getting complete protection and it also means some of the information put out by the program may be inaccurate.
#33
11-04-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
I have renamed Hijack This and it works - hurrah! I attach the log file. Hijack This is now "Do This" in the logfile!

The only reason I have spyhunter is because it was the only thing I could download and install having had AVG and Norton wiped out. AVG is my preferred choice.

Can't seem to start in Safe mode either because the keyboard entries will not accept. I suspect it has knocked this out too.
Attached file: hijackthis.log (11.5 KB, 4 views)
#34
11-04-2008
momok, TechSpot Evangelist
Location: Singapore
Member since: Mar 2007, 2,272 posts
Wow. That's a pretty bad log.

Quote:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {D355DF51-1319-6ED2-6CB5-D46A940A619F} - Kargo.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O20 - AppInit_DLLs: karna.dat
Also, I'd like to check this entry with you, did you install this, and what do you use it for?
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A

If you do not recognise it, fix the entry too. After you have fixed those entries, try running MBAM and SAS again. Then post back with a fresh HijackThis log.
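As an added illustration (not part of the thread and not from any of its posters), here is a small Python triage pass over HijackThis-format lines like the ones quoted above: it flags hosts entries that point a domain anywhere but loopback (the 1.1.1.1 lines that block the AV vendor sites), autorun entries with an empty command or a bare filename with no path, and a populated AppInit_DLLs value. The sample log and the heuristics are constructed for this example; a flagged line is a lead for a reviewer, not a verdict.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis format, modelled on lines quoted in this thread (not the full log).
SAMPLE_LOG = """\
O1 - Hosts: localhost 127.0.0.1
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 sysinternals.com
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [CTooLBar] prcmon.exe
O4 - HKLM\\..\\Run: [csrss]
O20 - AppInit_DLLs: karna.dat
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\]\s*(.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")

def _as_ip(token):
    """Return ip_address(token), or None when the token is a hostname."""
    try:
        return ip_address(token)
    except ValueError:
        return None

def triage(log_text):
    """Return (section, reason, detail) tuples for HJT lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            a, b = m.groups()  # HJT prints "address host"; stay order-agnostic anyway
            ip_a = _as_ip(a)
            ip, host = (ip_a, b) if ip_a is not None else (_as_ip(b), a)
            # Loopback mappings are normal; anything else is how this infection blocks AV sites
            if ip is not None and not ip.is_loopback:
                findings.append(("O1", "hosts entry redirects domain off loopback", f"{host} -> {ip}"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group(2), m.group(3).strip()
            if not cmd:
                findings.append(("O4", "autorun entry with empty command", f"{name} ="))
            elif "\\" not in cmd and ":" not in cmd:  # bare filename, resolved by search order
                findings.append(("O4", "autorun command has no path", f"{name} = {cmd}"))
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():  # loaded into every user-mode process; rarely legitimate
            findings.append(("O20", "AppInit_DLLs is populated", m.group(1).strip()))
    return findings
```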
#35
11-04-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
It wasn't this bad last week! Damn infection.

Supadial was the original default dialler connection that came with all Tiny computers. It is disabled.

From the log file, what specifically should I get rid of and how please? Do I just select them in the HJ file and press "fix checked"?
#36
11-04-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
Kimsland / Tw0rld?

Please could you advise which files from my logfile I should "fix" please? And presumably I fix them within HJT by selecting them and pressing "fix checked"?
#37
11-04-2008
Ex-TechSpotter
Member since: Dec 2007, 18,354 posts
Quote:
Originally Posted by momok View Post
After you have fixed those entries, try running MBAM and SAS again. Then post back with a fresh HijackThis log.
I do not want to interfere with momok's support to you (anyway he's better than me!)

Please do what he has suggested
#38
11-04-2008
Newcomer, in training
Member since: Dec 2007, 19 posts
Yes, but I don't understand his reply. Do I "fix" everything in the screenprint or everything that HJT comes up with in the logfile?
#39
11-04-2008
Ex-TechSpotter
Member since: Dec 2007, 18,354 posts
Oh!

No, you just fix (tick and fix) only the ones in the quotes above.

You need most of what's in the HJT log to run your computer

He forgot to say "place a checkmark against the following.......and fix them"
#40
11-04-2008
tw0rld, TechSpot Booster
Member since: Oct 2007, 585 posts
Quote:
Originally Posted by kimsland View Post
I do not want to interfere with momok's support to you (anyway he's better than me!)

Please do what he has suggested
I concur. You are in good hands.
Closed Thread