zipzappromos

Retselal

The site www.zipzappromos.com keeps popping up and I can't
stop it.
I've run antispyware, spysweeper and ad-aware with no luck.
Sometimes magic control and mc and mc||sa are in the
registry. I've removed them and run scans in safe mode and
with restore off.
There seems to be a 'hitbox' label in front of cookie
addresses found in temp internet at owner.
Any ideas?
 
Andre Da Costa

Have you checked in Add/Remove Programs to see if there are any installers
relating to that particular spyware program? Also, click start > run > type
in msconfig > startup tab > under startup items, check to see if it's there,
uncheck and restart the system.

Or this:
Save this to text where you can access it in safe mode.

Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip

Unzip the files to a folder, then open and double-click on Killbox.exe to
run it. In the "Paste Full Path of File to Delete" box, copy and paste the
following:

C:\WINDOWS\System32\qjpcbtsnx.exe

Check the box to delete on reboot and click the red X to the right. Click
OK, then NO to reboot now. Copy the next filepath and paste it in the box,
and repeat the above steps. When all of the below filepaths are done, close
the Killbox.

C:\WINDOWS\Downlo~1\EGDACCESS.inf
C:\WINDOWS\system32\EGDACCESS_1057.dll



Download and install Reglite.


Scan again with HijackThis and place a check next to the following entries.
Close ALL other windows and click fix.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binari...ESS_1057_XP.cab


Right click My Computer and choose properties. On system restore tab, check
the box to turn off. OK out.

Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the
box next to /safeboot and OK. Yes to restart. This will restart your
computer in safe mode. Logon to your user account.

Now in safe mode, you will need to show hidden files and folders, as well as
system files and extensions for known file types.


Open RegLite and copy/paste the following string in the address window then
click go.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
The forum format puts a space in the word current that you will need to edit
out before clicking Go.

Right click the "qjpcbtsnx"="c:\\windows\\system32\\qjpcbtsnx.exe -start"
value in the right pane and delete. Then copy/paste the following.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\qjpcbtsnx

Right click the qjpcbtsnx key in the left pane and delete.

Then paste,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\Instant Access

click go and delete the Instant Access key in the left pane.

Exit Reglite.


Open C:\Temp if present, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Windows\Prefetch, select all and delete.
Open C:\Documents and Settings\username\Local Settings\temp, select all and
delete. Do this for all usernames.
Open the control panel, then internet options and delete the temporary
internet files, checking the box for offline content.
Open My Computer, right click Local disk C: and choose properties, then disk
cleanup. Check all boxes except compress old files and click OK.
Uncheck the /safeboot box in msconfig and ok to reboot.


Run another HijackThis scan and post the log. Let us know if the popups
stop.
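
The HijackThis entries quoted in the post above, run through a small triage parser. This is an added example, not part of the original post or of HijackThis itself; the three review rules and the final `ExampleUpdater` log line are constructed for illustration.

```python
import re

# O2/O4/O16 entries quoted in the post above, wrapped lines rejoined; the "..."
# in the URLs is the forum's truncation. The last line is a constructed benign case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binari...ESS_1057_XP.cab
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Split each 'O<n> - <kind>: <detail>' line into its fields."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, kind, detail = m.groups()
        clsid = CLSID.search(detail)
        entries.append({"section": section, "kind": kind, "detail": detail,
                        "clsid": clsid.group(0).upper() if clsid else None})
    return entries

def review_reasons(entry):
    """Return the reasons (possibly none) an entry deserves a closer look."""
    section, detail = entry["section"], entry["detail"]
    reasons = []
    if section == "O2" and detail.endswith("(no file)"):
        reasons.append("BHO is registered but its DLL is missing")
    if section == "O4" and re.search(r"\brundll32(\.exe)?\b", detail, re.I):
        reasons.append("autorun loads a DLL through rundll32")
    if section == "O16" and re.search(r"http://\S+\.cab$", detail, re.I):
        reasons.append("ActiveX control fetched from a .cab over plain HTTP")
    return reasons

def triage(log):
    flagged = []
    for entry in parse(log):
        reasons = review_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["section"], entry["clsid"] or entry["kind"], "->", "; ".join(reasons))
```
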
 
Guest

Try a program called hijack this.
Also spybot search and destroy
cwshredder.exe
 
Guest

get 'killbox' or 'reglite'.
So I reran antispyware again in the safe mode and it
fixed the following.
Spyware Scan Details
Start Date: 3/5/2005 5:37:26 PM
End Date: 3/5/2005 6:09:23 PM
Total Time: 31 mins 57 secs

Detected Threats

Instant Access Dialer more information...
Details: InstantAccess is a dialer that gives a user
access to premium services of a third-party Web site by
dialing high-cost numbers using a modem.
Status: Removed
Severe threat - Severe-risk items have an extreme
potential for harm, such as a security exploit, and
should be removed.

Infected files detected
c:\windows\system32\netslv32.dll

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F72BC3F0-6C20-4793-9DDA-258589D8A907}
HKEY_CLASSES_ROOT\clsid\{F72BC3F0-6C20-4793-9DDA-258589D8A907}
HKEY_CLASSES_ROOT\clsid\{F72BC3F0-6C20-4793-9DDA-258589D8A907}\InprocServer32 C:\WINDOWS\system32\netslv32.dll
HKEY_CLASSES_ROOT\clsid\{F72BC3F0-6C20-4793-9DDA-258589D8A907}\InprocServer32 ThreadingModel Apartment


Possible Browser Hijack Browser Modifier more
information...
Details: Possible Browser Hijack redirects Internet
Explorer.
Status: Removed
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.


Detected Spyware Cookies
No spyware cookies were found during this scan.

Now I haven't been attached for two days.

Thanks, I hope I'm safe!
 
