Troj_agent.J

Discussion in 'adware, spyware & hijack cleaning' started by Phil35, Jun 7, 2004.

Thread Status:
Not open for further replies.
  1. Phil35

    Phil35 Registered Member (Joined: Jun 7, 2004; Posts: 13)

    Hi Guys.

    I used ad-aware 6.0, and here are the Hijack results. Any help would be great, as this is a real pain.

    Phil

    Logfile of HijackThis v1.97.7
    Scan saved at 7:03:34 PM, on 6/7/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\ACT\SideACT.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Screen-Savers.com\Webshots\Webshots\WebshotsTray.exe
    C:\SSH VPN\putty.exe
    C:\Program Files\Remote Desktop\mstsc.exe
    C:\Documents and Settings\philip.ansourian\Desktop\Copy of HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/mail?.intl=au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.yahoo.com/config/mail?.intl=au
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Screen-Savers.com\Webshots\Webshots\WebshotsTray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343au.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.6934490741
    O16 - DPF: {BD419ACD-B41C-49D9-8ADF-CCA159052515} - http://ads.adultcash.com/toolbar/bmeb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlexe.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = safecoms.com.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = safecoms.com.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = safecoms.com.au
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    Hi Phil35,

    Before you start, please move HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will now end up on your desktop.

    R3 - URLSearchHook: (no name) - - (no file)

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    O16 - DPF: {BD419ACD-B41C-49D9-8ADF-CCA159052515} - http://ads.adultcash.com/toolbar/bmeb.cab

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlexe.CAB

    Then reboot into safe mode and delete:
    C:\Program Files\MyWebSearch <= entire folder

    Can you tell us how you found Agent.J and where (full path and filename)?

    Regards,

    Pieter
     
  3. Phil35

    Hi Pieter,

    Firstly, I think the trojan came through an e-mail attachment. I am not really sure.

    Do I delete the lines you have stated?

    Thanks,

    Phil
     
  4. Pieter_Arntz

    Hi Phil,

    Yes. I missed a bit in my answer.

    Put a checkmark before the items I listed in HijackThis, close all windows except HijackThis and click Fix checked.

    Regards,

    Pieter
     
  5. Phil35

    Hi Pieter,

    It is still there. I rescanned hijack, and the results are as follows

    after deleting these lines, they are back.

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:


    Logfile of HijackThis v1.97.7
    Scan saved at 11:10:27 PM, on 6/7/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\ACT\SideACT.exe
    C:\Program Files\Wireless\Client Manager\CMAGS.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Screen-Savers.com\Webshots\Webshots\WebshotsTray.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\philip.ansourian\Desktop\Programs\Hijack\Copy of HijackThis.exe
    C:\SSH VPN\putty.exe
    C:\Program Files\Remote Desktop\mstsc.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/mail?.intl=au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/msn/index11.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.yahoo.com/config/mail?.intl=au
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Screen-Savers.com\Webshots\Webshots\WebshotsTray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.6934490741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = safecoms.com.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = safecoms.com.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = safecoms.com.au
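
The comparison made by eye in this post (items ticked for fixing versus what the rescan still reports) can be scripted. This is an added example, not part of the original thread and not a HijackThis feature; the function names are illustrative and the sample text is excerpted from the logs posted above.

```python
import re

# A HijackThis item line: section code (R0, O3, O13, ...) + " - " + body.
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")

def parse_items(log_text):
    """Return the set of (section, body) items found in a HijackThis log."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            items.add((m.group(1), m.group(2)))
    return items

def verify_fix(fix_list, rescan):
    """Split the items checked for fixing into (gone, persisted) after a rescan."""
    wanted, after = parse_items(fix_list), parse_items(rescan)
    return sorted(wanted - after), sorted(wanted & after)

def blank_prefixes(log_text):
    """O13 (URL prefix) items reported with nothing after the colon."""
    return sorted(body for sec, body in parse_items(log_text)
                  if sec == "O13" and not body.partition(":")[2].strip())

# Excerpts from the thread: part of the fix list (post 2) and of the rescan (post 5).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
"""
RESCAN = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = safecoms.com.au
"""

if __name__ == "__main__":
    gone, persisted = verify_fix(FIX_LIST, RESCAN)
    print("removed:", len(gone))
    for sec, body in persisted:
        print("came back:", sec, "-", body)
```

Items that reappear unchanged after a fix point to something rewriting them, which is the question the thread turns to next.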
     
  6. Pieter_Arntz

    Try this: copy the part in bold below and save it as prefixes.inf

    ; prefixes.inf - deletes the URL\Prefixes key, then recreates it
    [Version]
    Signature="$CHICAGO$"

    [DefaultInstall]
    AddReg=MyAddReg
    DelReg=MyDelReg

    ; DelReg: remove the whole key, including every value under it
    [MyDelReg]
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"

    ; AddReg fields: root, subkey, value name, flags, data
    ; (empty flags field = REG_SZ; the key's default value is left unset)
    [MyAddReg]
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes","ftp",,"ftp://"
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes","gopher",,"gopher://"
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes","home",,"http://"
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes","mosaic",,"http://"
    HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes","www",,"http://"


    Then rightclick the file you made and choose install. Then run HijackThis again and check if they are gone.

    Regards,

    Pieter
     
  7. Phil35

    where do I save it?

    Phil
     
  8. Pieter_Arntz

    Hi Phil,

    Doesn't matter for it to function. Anywhere on the C:\ drive will do.

    Regards,

    Pieter
     
  9. Phil35

    I really appreciate your help. Thanks.

    They are still there after I installed the .inf

    Phil
     
  10. Pieter_Arntz

    Something is writing back those seemingly empty registry-keys?

    Please click Start > Run > copy&paste
    regedit /e c:\prefixes.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"
    > OK

    Then find C:\prefixes.txt and post the content.

    Regards,

    Pieter
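
A way to read the export requested above without posting it: parse it and compare the Prefixes values with the defaults listed in the prefixes.inf earlier in the thread. This is an added example, not part of the original post; `audit_export` and its result keys are illustrative names, the sample export is constructed, and the code assumes the file has already been decoded to text (version 5 exports are UTF-16).

```python
import re

# Key from the thread; expected string values are those in the posted prefixes.inf.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"
EXPECTED = {"ftp": "ftp://", "gopher": "gopher://", "home": "http://",
            "mosaic": "http://", "www": "http://"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def audit_export(reg_text):
    """Compare a decoded `regedit /e` export of KEY with the expected defaults."""
    values, subkeys, outside, present, current = {}, [], 0, False, None
    key = KEY.lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            if current == key:
                present = True
            elif current.startswith(key + "\\"):
                subkeys.append(m.group(1)[len(KEY) + 1:])
            else:
                outside += 1          # section that is not under the requested key
            continue
        m = VALUE_RE.match(line) if current == key else None
        if m:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])   # REG_SZ; other types are kept raw
            values[_unescape(m.group(1)).lower()] = data
    wrong = {n: values.get(n) for n, v in EXPECTED.items() if values.get(n) != v}
    return {"key_present": present, "wrong": wrong,
            "extra_values": sorted(set(values) - set(EXPECTED)),
            "subkeys": subkeys, "sections_outside_key": outside}

# Constructed sample export (not taken from the thread).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"=""
"home"="http://"
"www"="http://"
"unexpected"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\Extra]
"""

if __name__ == "__main__":
    for field, result in audit_export(SAMPLE).items():
        print(field, "=", result)
```

A non-zero `sections_outside_key` or a false `key_present` means the export does not contain just the key that was asked for, which is worth knowing before reading anything into its size.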
     
  11. Phil35

    are you sure??

    the prefixes.txt is about 40 meg

    Phil
     
  12. Pieter_Arntz

    That's definitely not good. Mine is 512 kb

    We will have to find another way

    Download Registrar Lite from here:
    http://www.resplendence.com/download/reglite.exe

    Put it in its own folder. You may want to keep this program. It is an excellent, free registry editor.

    Copy and paste the following text into the address bar, then hit 'Go':
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

    Tell me any noticeable differences with my screenshot (extra subkeys, enormous size difference)

    Regards,

    Pieter
     

  13. Phil35

    The idiots at work have stopped me from installing certain files, and this is one of them.

    I need to enter the system, but not the registry. It's the area where I can change users' rights (even though I am an admin).

    What do I insert other than regedit o_O
     
  14. Pieter_Arntz

    Start > Run > regedit > OK
    And the registry editor will open.

    Navigate to this key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
    the same way you would in explorer by clicking plusses to open "folders"

    I am afraid that the registry editor will not show what we need, but we should at least try.

    Regards,

    Pieter
     
  15. Phil35

    I looked there, but nothing shows after \windows\

    Phil
     
  16. Phil35

    I don't remember where it is, but it is a similar area to regedit, where all users preferences can be changed, something like 32regdto_O?

    can't remember

    Phil
     
  17. Phil35

    I found the access via regedt32, so now I need to find the user rights and change them.

    Phil
     
  18. Phil35

    I have full access, so I don't understand why I can not install reglite??
     
  19. Pieter_Arntz

    Please look again. That worries me very much.

    Regards,

    Pieter
     
  20. Phil35

    Does this mean anything?

    in the following

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.Assoc\RegBackup\0.map

    Value name cb33c31da491e5e0 value data ,1,HKCR,gopher,

    there are about 25 entries in the registry with the 1,HKCR,....
     
  21. Phil35

    Hi Pieter,

    Finally got it sorted out. Got Trend Micro to help.

    Appreciate all your help.

    Phil
     
  22. Pieter_Arntz

    Hi Phil,

    Could you tell me how and what was found by Trend Micro? It may help me to help others better.

    Regards,

    Pieter
     