Solved

Tmp5.tmp.exe, slow pc, hidden data sending...

Posted on 2007-04-06
15
1,883 Views
Last Modified: 2013-12-06
Hi guys,

it all started when one of our employees started getting popups saying something like "all adult sites you've been to were recorded." IE windows would open up all the time. I used Kaspersky Anti-Virus with the latest updates. I turned off the System Restore and ran the full scan in Safe Mode. Sure enough it found 4 or 5 trojans and deleted them. It seems like there are no popups now, but pc is so slow. Also, Kaspersky often popups a warning saying that explorer.exe - hidden data sending. Also, files like tmp5.tmp, tmp.tmp, tmp54.tmp.exe are created in "Documents and Settings/username/Local Settings/Temp". Sometimes all desktop content dissappears and the only thing I can do is reboot. My guess is that the virus isn't completely gone. Please help. Thank you.

Here is the HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:53 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53280391-b32a-4b99-9d0a-3814dffad97d} - C:\WINDOWS\system32\igfsrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://polarbearhabitat.ca:85/LNetCam.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://cbcs-us.com/Remote/msrdp.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Hirsch.local
O17 - HKLM\Software\..\Telephony: DomainName = Hirsch.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4018CEBF-3C0B-4D54-AD25-946E09398235}: NameServer = 192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Hirsch.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{4018CEBF-3C0B-4D54-AD25-946E09398235}: NameServer = 192.168.1.2
O20 - AppInit_DLLs:  ,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfsrv - C:\WINDOWS\SYSTEM32\igfsrv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APRemoteInstall - Zenith Infotech Ltd. - C:\WINDOWS\System32\APRemoteInstall\DataCollector.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\WINDOWS\system32\timeserv.exe (file missing)



0
Comment
Question by:RealSnaD
  • 7
  • 4
  • 3
  • +1
15 Comments
 
LVL 15

Assisted Solution

by:Tomeeboy
Tomeeboy earned 50 total points
ID: 18867457
For starters, it appears as if you have two virus scanning programs running in the background, which is probably going to slow things down quite a lot (since they are likely scanning each other constantly).  Choose either AVG or Kaspersky and uninstall the other one.

Aside from that, I don't really see anything obvious jumping out of your HijackThis log.  I'd try to remove one of the anti-virus softwares and see how much that improves things.

In addition, you may try downloading a Spyware/Adware remover, as virus scanning utilities typically aren't the best for removing some adware-related trojans/malware.  One program that I have used recently with some success was SuperAntiSpyware (which I had actually never heard of before somebody recommended it to me).  I wasn't have much luck with Spybot and Adaware for whatever reason, and this one worked.
http://www.superantispyware.com/

Do those things and you should see some improvement.  Hope that helps!
0
 
LVL 32

Expert Comment

by:r-k
ID: 18868237
Or try an online scan at: http://onecare.live.com/site/en-us/default.htm

Also, once the system is clean, install Windows Defender from:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Good luck.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18868347
Hi,

You need to delete this file --> C:\WINDOWS\SYSTEM32\igfsrv.dll
The file is already active before explorer loads(so it will be in use) so better to delete it in safe mode or use Killbox.


Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\igfsrv.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.


Then fix entries:
O2 - BHO: (no name) - {53280391-b32a-4b99-9d0a-3814dffad97d} - C:\WINDOWS\system32\igfsrv.dll
O20 - Winlogon Notify: igfsrv - C:\WINDOWS\SYSTEM32\igfsrv.dll


And scan with SUPERAntispyware, if problem persists.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18868386
On second thought.....
this is a very new malware dll, and we don't know exactly what else it does, other files it is hooked or how it hooked itself to winlogon\notify,
You need to remove the bad registry entry(the winlogon\notify\igfsrv) first but it might not let you.
NOTE:
there might be a chance that you might not be able to logon if registry is still present when the file is gone.


Using Avenger, removes the registry entry and delete the file at reboot, so at least we know both is gone at reboot.
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste the following text(all text and characters inside the lines below):

-----------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\system32\igfsrv.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfsrv

-----------------------------------------------------------------------------------------------------
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.


Please post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.



0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18868408
I was worrying for nothing......

I've seen the below entry on google, which means it's okay even if the bad registry still present and the file is gone. No need to worry, you can delete the file and fix the registry entry, doesn't have to be done at the same time,
O20 - Winlogon Notify: igfsrv - igfsrv.dll (file missing)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18868436
gosh...sorry for my numerous posts.

After you get rid of that file --> C:\WINDOWS\system32\igfsrv.dll

You need to empty all temp folders, and ATF Cleaner does that, it also cleans "All users" temp folders.

Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser,
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.
0
 
LVL 7

Author Comment

by:RealSnaD
ID: 18870294
Thank you. You've been very helpful.
Here is my avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cpdyfarm

*******************

Script file located at: \??\C:\WINDOWS\fpmueswo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\igfsrv.dll deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfsrv deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Then I ran ATF-Cleaner in Safe Mode. It got rid of all content in all temp folders. The ran HijackThis and fixed this entry:
O2 - BHO: (no name) - {53280391-b32a-4b99-9d0a-3814dffad97d} - C:\WINDOWS\system32\igfsrv.dll

I didn't have this one in the log tho:
O20 - Winlogon Notify: igfsrv - C:\WINDOWS\SYSTEM32\igfsrv.dll


Here is my new HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:23 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://125.212.52.245/dc/500141020/5050/64/31/0/html1175869287.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://polarbearhabitat.ca:85/LNetCam.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://cbcs-us.com/Remote/msrdp.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Hirsch.local
O17 - HKLM\Software\..\Telephony: DomainName = Hirsch.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4018CEBF-3C0B-4D54-AD25-946E09398235}: NameServer = 192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Hirsch.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{4018CEBF-3C0B-4D54-AD25-946E09398235}: NameServer = 192.168.1.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APRemoteInstall - Zenith Infotech Ltd. - C:\WINDOWS\System32\APRemoteInstall\DataCollector.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\WINDOWS\system32\timeserv.exe (file missing)

Everything seems to work fine and fast, no popups no nothing. But in my Documents and Settings/username/Local Settings/Temp folder every time I load my pc this file gets created:

Perflib_Perfdata_9ec.dat

Is it some kind of threat?

Thanks.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 7

Author Comment

by:RealSnaD
ID: 18870306
And also the empty folder named "WPDNSE" is created there every time I login.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18870344
"Perflib_Perfdata_9ec.dat

Is it some kind of threat?"

No, this not a threat. These files are created by the Windows Performance Library and could be created by any number of applications that monitor performance.

If you find them accumulating over time just delete them (you may not be able to delete all because some may be in use, which is normal).

Glad things are better.

0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 50 total points
ID: 18870351
"..also the empty folder named "WPDNSE" is created .."

This is also normal, created by Windows Media Player.

"WPDNSE stands for Windows Portable Device Namespace extension."

The above quote is from:

http://groups.google.fr/group/microsoft.public.windowsxp.help_and_support/browse_thread/thread/27bf8e4e7a778b24/3d9db4cc2832aaab?lnk=raot
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18870918
As r-k already explained, those files are nothing to worry about.

>>I didn't have this one in the log tho:
O20 - Winlogon Notify: igfsrv - C:\WINDOWS\SYSTEM32\igfsrv.dll<<

That's because Avenger already took care of it, as we can see from the avenger line below:
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfsrv deleted successfully

BTW, well done on pasting script, you did a good job there!
I find some people likes to edit the instructions and they remove some letter/character like the "s", or the colon ":" which ends up in Avenger not running the script.


Thanks for the logs.
Besides some unnecessary registry clutters in your hijackthis log, nothing stands out there now.
Although, did you purposely created this entry below? If so, then things are okay.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://125.212.52.245/dc/500141020/5050/64/31/0/html1175869287.html
0
 
LVL 7

Author Comment

by:RealSnaD
ID: 18871690
You guys helped me lot. Thanks!!!

>> Although, did you purposely created this entry below? If so, then things are okay.
>> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://125.212.52.245/dc/500141020/5050/64/31/0/html1175869287.html

No, I didn't create that on purpose. Can I just remove that using regedit or is it better to use Avenger again?

0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 400 total points
ID: 18871710
Just let Hijackthis fix that entry,
Hijackthis will remove that entry from the registry and revert it back to the safe MS default entry.
0
 
LVL 7

Author Comment

by:RealSnaD
ID: 18871753
Thanks!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18874053
Thank you, :)
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Virus or Ransom ware 6 323
PUP or Virus 6 62
Ransomware 9 62
Noob question:this site is sql vulns? 2 45
Malicious software is nothing new. Viruses have been created and spread since before physical networks became popular; back then viruses spread via floppy disk and modem connections with shared systems. Viruses weren't so rampant and protecting your…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now