Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I've had my browser hijacked & despite the removal of a BHO, some registry edits, deletion of *.tmp files and cookies, and cleaning up anything else that I could think of...the hijack persists. A couple of the registry edits took and have not been changed back but others keep getting reset. As a temporary measure, I have locked my browser home page but I would very much like to get rid of the problem.
I do scans with Spybot and my AV on a daily basis.Logfile of HijackThis v1.97.7
Scan saved at 11:50:34 AM, on 2/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.exe
C:\PALTALK\PNETAWARE.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\PROGRAM FILES\COMMON FILES\G7PS\SHARED FILES\QCHEX\QCHEX.exe
C:\PROGRAM FILES\HIJACKTHIS.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.exe -service
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: AnyTime Deluxe Edition 7.1.lnk = C:\Program Files\AnyTime Deluxe\Atw.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Check Messnger.lnk = C:\Program Files\Common Files\G7PS\Shared Files\Qchex\Qchex.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38023.7009722222
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7277D039-CE10-4ED8-A05F-7C25AD12D433} - http://www.qchex.com/cm/QchexCheckMessenger.cab
Hi Gramma, hello everyone,
Delete the following items using hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
After deleting those restart the computer and go to C:\Windows\System and delete the
wucrtupd.exe file.Best Regards,
Mesich
0 
Thank you! I've tried to fix the R1's & R0 but never thought about the 04. That may be what is resetting them. I'll try it right now and get back to you.
0
Hi Gramma, hello everyone,
Sorry, don't delete the file wucrtupd.exe.
You can remove it from the registry this entry O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
From task list on wucrtupd.exe.
Windows Update Critical Update Notification. This will appear in your Task List if you did a Windows Update at some stage and installed the "Critical Update Notification" component. In some versions this process is scheduled to run every 5 minutes and you cannot change the schedule (under Windows 98 you can get round it with the "sucrtupd" technique, but not under other versions of Windows).
Recommendation :
Do not walk, run to your "Add/Remove Programs" icon in the Control Panel and immediately de-install Microsoft Windows Critical Updates Notification. The consequences of some Microsoft Critical Updates have been such that the last thing you need is something to remind you, and therefore entice you to update your Windows environment with the very latest bug fix (which is what critical updates really are) from Microsoft. It is not just that some of those updates have been quite simply disastrous (remember May/June 2002 ?), it is also that too often for our liking, the full consequences of installing some of those updates are not always clearly spelt out by Microsoft. Yes, some of those updates are needed from a security point of view, but in 98% of cases if you either run a good firewall or your PC is configured securely, then you are protected anyway, so do not fix what doesn’t need fixing. It is best that you simply do a Windows Update once every two or three months, say, and only at times when you do not require your PC urgently in the following 24 hours ! Finally, quite aside from the above, WUCRTUPD is also sometimes responsible for illegal operations, 3-seconds mouse freezes, WULOADER error messages, and Invalid Page Faults in KERNEL32. Have we said enough ?Best Regards,
MesichBest Regards,
Mesich
0
Ooops...too late. I uninstalled the notification & deleted the file. So far all is well...*crossing fingers*
The hijack is still there. Here is the new log...minus the wucrtupd.exe entry.
Logfile of HijackThis v1.97.7
Scan saved at 1:05:20 AM, on 2/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.exe
C:\PALTALK\PNETAWARE.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\PROGRAM FILES\COMMON FILES\G7PS\SHARED FILES\QCHEX\QCHEX.exe
C:\PROGRAM FILES\HIJACKTHIS.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: AnyTime Deluxe Edition 7.1.lnk = C:\Program Files\AnyTime Deluxe\Atw.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Check Messnger.lnk = C:\Program Files\Common Files\G7PS\Shared Files\Qchex\Qchex.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38023.7009722222
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {7277D039-CE10-4ED8-A05F-7C25AD12D433} - http://www.qchex.com/cm/QchexCheckMessenger.cab
0
Hi Gramma, hello everyone,
Don't worry about the file I will send you another one. Drop me an email and I'll get one to you.
Delete these items using hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
I also noticed two new entries. Don't delete them.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
Did you just install Start Page Guard?
Did you lock your homepage?
Best Regards,
Mesich
0
I already had SPG installed but it was open when I ran HJT...as was the Control Panel. I forgot to close them before running HJT. I use SPG to block the hijack from changing things.
I'll post the new log in the morning. Thank you for the help! An email is on its way to you.
0
Hi Gramma, hello everyone
You are very welcome, glad to hear everything worked out. Thank you for posting back with the results.
The problem was this one,
O4 - HKLM\..\Run: [sys] regedit -s sys.regCould you rename that file to .old and send it to me so I can take a look at it?
My ISP will reject any email containing an attatchment with a .reg extention.Also are you running Win98 or Win98SE?
Best Regards,
Mesich
0
Hi Gramma, hello everyone
Thanks for the file. I found the sys.reg file running at StartUp changes the following keys in the registry.
[HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main]
"Start Page"
"Search Bar"
"Search Page"[HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search]
"SearchAssistant"[HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Main]
"Start Page"
"HOMEOldSP"
"Search Bar"
"Search Page"[HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Search]
"SearchAssistant"[HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"[HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"Thanks again for the file.
I'll get the wucrtupd.exe off to you first thing this morning. 2:14 a.m. here now. :-)
Best Regards,
Mesich
0
Great stuff - Hijackthis worked perfectly. Would recommend!!!! After three days of a vicious attack on my laptop I finally got it back, the last piece was the browser, which after changing registry info, removing BHO and other steps did not work. I found the above sugesstions and they worked flawlessly.
Thanks!!!!!!!!!!
0
Hi jbigwater, hello everyone,
Glad to hear the information was useful. Thanks for posting the results.
Best Regards,
MesichBest Regards,
Mesich
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
