
View Full Version : Spyware



dmc
06-24-2004, 03:10 PM
I'd just like to apologise if this is the wrong place to post this. I had a look around and thought this would be my best bet.

The other night I was online and I got a message from Norton Anti Virus saying that it had blocked some kind of Trojan thing. Now I keep getting messages from Spyware Guard telling me that something is trying to change all my internet options. I downloaded a new program called Spyware Doctor, which found stuff my other anti-spyware software couldn't. It said it removed the problems and I restarted my PC, but I still get the same message when opening webpages. Can anyone help?

This is the software I run on my PC. None of it seems to be helping, and a full Norton Anti Virus scan couldn't find anything.

Spyware Blaster
Spybot Search and Destroy
Spyware Doctor
Spyware Guard

Any help would be much appreciated, this is driving me mad. :helpsmile:

vidcc
06-24-2004, 03:27 PM
Try to find the name of the trojan/dialer and google it, or look it up here (http://us.mcafee.com/virusInfo/default.asp). That's the McAfee virus/trojan library. You should be able to get removal advice there.

TRshady
06-24-2004, 03:45 PM
You could try running a trend call online scan, for example, and of course once you have the name you'll be able to search symantec.com, for example, and get the appropriate removal tools. Good luck

Jg427
06-24-2004, 04:19 PM
Check for updates in spybot, if any are found run it again.

Download and run Ad-Aware (http://www.lavasoftusa.com/support/download/).
Before you run it, check for updates. Click the gear at the top and change these settings:
general > activate: automatically save log file, automatically quarantine objects prior to removal

scanning > activate: scan within archives, scan active processes, scan registry, deep scan registry,
scan my IE Favorites for banned sites and scan my hosts file

tweaks > scanning engine > activate: unload recognized processes during scanning.

tweaks > cleaning engine > activate: automatically try to unregister objects prior to deletion and let windows remove
files in use after reboot

click proceed to save your settings.

Now run it, make sure "activate in-depth scan " is checked. Fix anything it finds.


Download HiJackThis (http://www.spywareinfo.com/~merijn/downloads.html).
Place hjt in its own folder like C:\HiJackThis\hijackthis.exe
Close all browser windows, click scan, then save log.
Post the log file here from hjt.

The hjt server appears to be offline, try one of these to download..
http://tomcoyote.com/hjt/
http://www.snapfiles.com/get/hijackthis.html
http://www.wilderssecurity.com/showthread.php?t=12516

dmc
06-24-2004, 05:35 PM
I appear to have 'Trojan Horse: BackDoor.Agent.BA' and apparently it is currently impossible to cure since no virus scanning software can recognise and delete it. Link to thread below. Any thoughts?


http://www.computing.net/security/wwwboard/forum/12291.html

Jg427
06-24-2004, 05:48 PM
Any thoughts?

Yes, did you run adaware?

Run hjt and post the log.

dmc
06-24-2004, 07:17 PM
Logfile of HijackThis v1.97.7
Scan saved at 19:32:30, on 24/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sonique\sqstart.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\RcMan.EXE
C:\program files\HaldexLtd\stnd246\3056094.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\LightSurf\Common\IconMgr.exe
C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Tools\SpywareGuard\sgmain.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Internet Tools\SpywareGuard\sgbhp.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\EAX.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Center\RCenter.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\OSDMenu.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\New User\My Documents\Documents\assessment\New Folder\Programs\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpbb.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Internet Tools\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {6CF16B2C-327C-4B88-B66B-A9F48B15569D} - C:\WINDOWS\System32\fbgjld.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\RcMan.EXE
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd246\3056094.exe -remove
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Internet Tools\SpywareGuard\sgmain.exe
O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab (http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7690.5254861111 (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37690.5254861111)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Jg427
06-24-2004, 07:55 PM
Haldex (http://securityresponse.symantec.com/avcenter/venc/data/dialer.haldex.html) is a dialer application. (O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd246\3056094.exe -remove)

Close all browser windows, run hjt and checkmark to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html

Are you using this proxy? If not, fix:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cache.freeserve.com:8080
fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {6CF16B2C-327C-4B88-B66B-A9F48B15569D} - C:\WINDOWS\System32\fbgjld.dll

O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd246\3056094.exe -remove

Fix these unless you set spybot to lock them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot into safe mode and delete in bold
C:\program files\HaldexLtd\stnd246\3056094.exe < delete the haldex folder
C:\WINDOWS\System32\fbgjld.dll
C:\Documents and Settings\username\Local Settings\Temp\sp.html

boot into normal mode, run a new hjt log and post it.

Champ
06-24-2004, 08:13 PM
Do a Norton system scan in the specific folder. If you can't delete it then quarantine it and forget about it. Also definitely run Adaware.

I only run 2 spyware programs and they work perfectly (Spybot S&D and Adaware).

dmc
06-24-2004, 11:11 PM
Done what you said. Messages appear to have stopped. Here is new log file:

Logfile of HijackThis v1.97.7
Scan saved at 23:21:03, on 24/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sonique\sqstart.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\RcMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\LightSurf\Common\IconMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
C:\Program Files\Internet Tools\SpywareGuard\sgmain.exe
C:\Program Files\Internet Tools\SpywareGuard\sgbhp.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\EAX.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Center\RCenter.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\OSDMenu.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\New User\My Documents\Documents\assessment\New Folder\Programs\Applications\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpbb.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Internet Tools\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\RcMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Internet Tools\SpywareGuard\sgmain.exe
O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab (http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7690.5254861111 (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37690.5254861111)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Does that look ok?

Jg427
06-25-2004, 03:42 AM
The Haldex is gone but HomeOldSP = about:blank is back. It appears that HomeOldSP is created by a hidden .dll file. Until you find and remove that, it keeps coming back.

You can read about it here (http://forums.spywareinfo.com/index.php?showtopic=7416&st=0) (link from dopey)

The tools you will need are registrar lite (http://www.resplendence.com/download) and Winfile. (http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm)

We can give it a try here or you can follow along in the link above.
The first step is to open registrar lite and paste this line into the address bar and click go:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

On the right side, look for Appinit_Dlls, double click that line.
Post what is listed in size and value. The value should be the hidden .dll that's causing the problem.
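
Added example, not part of the original thread: a small script that does the before/after comparison of the two HijackThis logs mechanically, showing which flagged entries the fix removed and which came back (the sign that something is recreating them). The function names and the four heuristics are assumptions modelled on the entries Jg427 asked dmc to fix, and the inputs are constructed excerpts of the two logs posted above.

```python
import re

# Constructed inputs: a few lines excerpted from the two HijackThis logs in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpbb.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6CF16B2C-327C-4B88-B66B-A9F48B15569D} - C:\WINDOWS\System32\fbgjld.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd246\3056094.exe -remove
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpbb.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [...] ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse(log):
    """Return (section code, body) pairs; header and process lines are skipped."""
    return [(m.group(1), m.group(2).strip())
            for m in map(ENTRY.match, log.splitlines()) if m]

def flag(code, body):
    """Return a reason if the entry matches a triage heuristic (assumed), else None."""
    low = body.lower()
    if code in ("R0", "R1"):
        if re.search(r"= file://.*\\temp\\", low):
            return "IE search/start page loaded from a Temp file"
        if ",homeoldsp =" in low:
            return "HomeOldSP value present"
    if code == "O2" and re.search(r"\(no name\).*\\windows\\system32\\[^\\]+\.dll$", low):
        return "unnamed BHO whose DLL sits directly in System32"
    if code == "O4":
        m = re.search(r'run: \[([^\]]+\.exe)\] "?(.*?\.exe)', low)
        if m and m.group(1) != m.group(2).rsplit("\\", 1)[-1]:
            return "Run value named after one file but starting another"
    return None

def compare(before, after):
    """Sort the flagged entries of `before` into fixed vs. still present in `after`."""
    remaining = set(parse(after))
    result = {"fixed": [], "persisting": []}
    for code, body in parse(before):
        reason = flag(code, body)
        if reason:
            key = "persisting" if (code, body) in remaining else "fixed"
            result[key].append((code, body, reason))
    return result

if __name__ == "__main__":
    for status, entries in compare(BEFORE, AFTER).items():
        for code, body, reason in entries:
            print(f"{status:10} {code:3} {reason}: {body}")
```

Entries that land under "persisting" after a fix and reboot are the ones to trace back to whatever recreates them, which is what the AppInit_DLLs check above is for.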