Topic: mypoiskovik - homepage
Matthew
« on: May 13, 2004, 04:00:03 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Please help!! When I start my pc for the first time and start Internet Explorer, the homepage defaults to www.mypoiskovik.com. I can then go into the internet options page and change the home page to 'blank' or another website - but when I re-boot and start explorer again, then the www.mypoiskovik.com page reappears.
I have disabled system restore, and run; Spybot Search and Destroy, Adware 6.0, CW Shredder, HijackThis, Xclean Micro and Reg Cleaner-t. They all seem to find something, but the problem still persists when I reboot. Ps. I have also run the latest windows update service pack 1. Can anyone help??

benditup
« Reply #1 on: May 14, 2004, 02:51:06 AM »

Can you please post your Hijackthis log.
Copy and paste the Whole contents of the log here.
Let's see if there is possibly something you missed

Qwerty
« Reply #2 on: May 15, 2004, 01:18:34 PM »

hi all

i have the same problem with this mypoiskovik page reappearing all the time. i've tried cwshredder and spybot and nothing works. anyone know how to get rid of it? here's my hijackthis log...

thanks!


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lester Lim\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it

cadaverlab
« Reply #3 on: May 15, 2004, 06:16:58 PM »

First, let me address your problem specifically, qwerty.

I've been plagued by this poiskovik demon several times before; but I think these guys are savvy enough to change the mechanism of infection constantly; so what happened to me probably did not happen to you in the same way.

Here's my advice:
1.  What the hell is this:  C:\WINDOWS\AGRSMMSG.exe  Sounds very fishy to me.  This is probably the file.  Figure out the exact date you were infected, and find out when this file was created.  Perhaps they coincide.
2.  Several other programs bother me.  Check them the same way:
smss.exe
lsass.exe
wuauclt.exe
3.  As I say later in my post, changing the search registry entries before you find the program is useless.  Every time the poisk trojan infects, it's simply some kind of executable file (.exe) that sits in your windows or windows/system32 directories.  This is where you need to look.  The dates are absolutely the most important things to look at.  Figure out the infection date, and the date when these executable files were created.  This is how you will find the poisk trojan.  No anti-spyware is going to nab these guys, because they change the name of the trojan .exe constantly.

4.  Once you find the file, which I would bet is  C:\WINDOWS\AGRSMMSG.exe ; do this:
Load windows in safe mode with command prompt.  Do this by pressing the F8 button before windows loads.  get to the c:\windows directory, and type delete agrsmmsg.exe

Then reboot.  The only thing I can think of is that this might be some kind of messaging tool that I'm unfamiliar with.  Nevertheless, you could always just rename the file to something else, and if it's important; change it back.  I don't think messaging software would be found directly in your windows directory, though.


Let me also share something I wrote in a different forum:

I recently downloaded HijackThis and found it to be an excellent tool. By using the program, I could minimize the amount of time it took for me to find the spyware and remove it. There may be many spyware removal programs out there, but for new ones and obscure ones, this is the way to go. Regedit becomes your best friend.

Anyway, I'm writing about the lineage of a group of programs designed to link you to a server that always contains the "mypoisk" string.

The sites are:
mypoiskovik.com
and
mypoisk.com

I've been infected by the damn thing 3-4 times, and each time, the program mutates to infect your computer in a different way.

In the beginning, the program ran off of dll files:
cpan.dll and ctrlpan.dll. This was easy enough to remove. You might have had to reboot in safe mode to delete the files, which can be found by searching all the subdirectories in the windows directory.

After this, the poisk guys became more devious, and have started to create a program that loads on your computer every time you load. Using hijackthis, you can find the name of the file in the O16 category.

1st generation: Winlogon.exe in the windows/startup directory. This was especially subversive, since you have a winlogon.exe that is in the windows/system32 directory that is necessary for windows to run. This requires you to boot in safe mode to delete the file; if it is running.

2nd generation: Winlogon.exe + windows/dllhelp.exe + various dll files.

Winlogon can be removed the same way, although I didn't need safe mode to remove. I found olodfn.dll AND nlhdnfd.dll. These may or may not be associated with the mypoisk bugs, but I found them on the same date in my windows directory. Remove them both.

Finally, this dllhelp.exe file must be removed in safe mode. Otherwise, you get an error saying that it's a necessary system process. I believe that you will find when you try to shut down your comp, you get a program "win min" that takes a long time to settle down before you can turn your computer off. This was rather sloppy work by the poisk hackers.

Several tips for users removing any spyware:
Check your windows directory and your windows/system32 directory using the sort by details function. Then use the date to find the newest items. This is how I found the files in conjunction with hijackthis. Compare the new files to the hijackthis entries, and you will certainly find what's wrong if some queerbait was dumb enough to create a program that loads on startup.

The LAST thing you want to do after making sure all of these heinous files and programs are deleted is to change your registry. Otherwise, you're wasting time.

Hijackthis will show you the registries in the search categories that need to be changed to your favorite browser. I'm too chicken to delete them entirely. Type regedit on start --> run to find the necessary program to change the entries.

Here's how you know that you're in the clear:

1. You change the registry entries and reboot to find that they are mysteriously changed again by the spyware program.
2. After finding this program and deleting it, you change the registry entries, reboot, and find that they have not changed. This means no spyware is loading and hijacking your browser.

Note: I should have used the term "hijacker" or "trojan horse" in lieu of "spyware." I know these are different kinds of programs. Too lazy to edit it.

cadaverlab
« Reply #4 on: May 15, 2004, 06:27:22 PM »

Upon further investigation, I figured out what your problem may be, with relative certainty.

These are the culprits.
lsass.exe
wuauclt.exe

As I said before, load in safe mode and RENAME the files to something like 1.txt and 2.txt.  There's no way they can be executed now.  Then, reboot.  Now, fix your registry search entries that you've found in hijackthis.  Now, try to use the internet.  Change your search page.  Now close.

Reboot.

Your search page should be what you originally wanted.  If not, we have another trojan at work.

BTW, I checked the net to see what AGRSMMSG.exe and smss.exe
are.  They are benign and are not trojans.  Don't delete them.

If this doesn't fix it, I'm sure we can figure it out.

cadaverlab
« Reply #5 on: May 15, 2004, 06:30:11 PM »

Cripes!  It's not lsass.  That's a system file.  Don't delete it.  Try the other one instead.  Only delete wuauclt.exe.

benditup
« Reply #6 on: May 15, 2004, 08:00:40 PM »

wuauclt.exe is Windows ME Auto update for Windows
You can disable it via Control Panel if you don't want it running in the background

Please move Hijackthis out of the Temporary Directory or redownload and  save to a Permanent folder
EG....Open MyDocuments----Right click an empty spot and Select NEW----Folder----name that new folder HJT
put hijackthis into that new folder---backups will be stored there

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Next would you ensure that CWShredder is up to date
Open CWShredder and check for update. Close it down once you are sure it is updated

Set Windows to Show Hidden files and folders
link will explain how
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Do another Scan with hijackthis and put a check next to these entries
and then FIX checked after ALL other windows are closed (including this one)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe

O4 - Global Startup: winlogin.exe

RESTART your computer in Safe Mode

Find and delete these files or folders
C:\Program Files\Internet Explorer\IEengine.exe  <---the IEengine file

Look for this one too if it exists, be very careful on what you remove
C:\WINDOWS\system32\winlogin.exe <---this file NOTICE the spelling

Please watch that you do not delete winlogon.exe (that is a legit file  in the same directory)

While still in safe mode would you please run CWShredder one more time
and let it FIX all problems..
RESTART back in Normal mode-----Don't open a browser yet, instead
access your Internet options via Control Panel
Under the Programs tab---"Reset Web Settings"
Under the General tab---- Delete files and Reset home page

Post back a fresh Hijackthis log afterwards---Include top header
Version of hijackthis and OS, thanx.
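The triage the replies above do by eye, as an added example that is not part of the original thread and is not HijackThis code: it scans a HijackThis log for Internet Explorer settings that point at a suspect domain and for executables that imitate a Windows system binary by name (winlogin.exe vs winlogon.exe) or by location. The system-binary list, the C:\WINDOWS install root, the function names and the one constructed sample line are assumptions.

```python
import ntpath
import re
from urllib.parse import urlparse

# Assumption: Windows lives in C:\WINDOWS (as in the posted log). Short,
# illustrative list of system binaries and the only folder each belongs in.
EXPECTED_DIR = {name: r"c:\windows\system32" for name in
                ("winlogon.exe", "lsass.exe", "smss.exe", "services.exe",
                 "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Lines copied from the thread, except the one marked CONSTRUCTED below
# (cadaverlab's "1st generation" case: Winlogon.exe in the Startup folder).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - Global Startup: winlogin.exe
"""  # 5th line is CONSTRUCTED, not from the posted log

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_binary(path):
    """Return a reason if the path imitates a system binary, else None."""
    folder, name = ntpath.split(path.strip().strip('"').lower())
    if name in EXPECTED_DIR:
        # Right name: only suspicious when a folder is given and it is wrong.
        if folder and folder != EXPECTED_DIR[name]:
            return f"{name} outside {EXPECTED_DIR[name]}"
        return None
    for real in EXPECTED_DIR:
        if edit_distance(name, real) == 1:
            return f"{name} is one character away from {real}"
    return None

def host_matches(url, domain):
    """True if the URL's host is the domain or one of its subdomains."""
    host = urlparse(url.strip()).hostname or ""
    return host == domain or host.endswith("." + domain)

RUNNING = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)        # running-process line
R_ENTRY = re.compile(r"^R[01] - (.+?) = (.*)$")            # IE start/search pages
O4_ENTRY = re.compile(r"^O4 - .*?(?:\] |Startup: )(.*)$")  # autostart entries
EXE = re.compile(r'"?([^"]*?\.exe)', re.I)                 # first .exe in a command

def scan(log_text, suspect_domain):
    """Return (line, reason) pairs for every suspicious line in the log."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        reason = None
        if RUNNING.match(line):
            reason = check_binary(line)
        elif (m := R_ENTRY.match(line)):
            if host_matches(m.group(2), suspect_domain):
                reason = f"IE setting points at {suspect_domain}"
        elif (m := O4_ENTRY.match(line)):
            exe = EXE.search(m.group(1))
            reason = check_binary(exe.group(1)) if exe else None
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG, "mypoiskovik.com"):
        print(f"{reason}\n    {line}")
```

The IEengine.exe entry from the log is not flagged, because its name resembles no system binary; name checks like these complement, and do not replace, the file-date comparison the posters describe.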

 
cadaverlab
« Reply #7 on: May 15, 2004, 08:48:49 PM »

Ah...

You found it, benditup.

It's the winlogon.exe file.  I hadn't noticed it.

This may be mypoiskovik trojan 1.0; and I've dealt with it before.

Make sure to look in your C:\Documents and Settings\All Users\Start Menu\Programs directory for a file called "winlogon.exe".  

It shouldn't be there, so delete it if you find it there.  You may need safe mode to do so.  

They're trying to mimic the winlogon.exe file in your windows/system directory that is a necessary system process.  This way, when you check system processes, you'll think nothing is wrong.

cadaverlab
« Reply #8 on: May 15, 2004, 08:50:26 PM »

quote:
Originally posted by cadaverlab

Ah...

You found it, benditup.

It's the winlogon.exe file.  I hadn't noticed it.

This may be mypoiskovik trojan 1.0; and I've dealt with it before.

Make sure to look in your C:\Documents and Settings\All Users\Start Menu\Programs directory for a file called "winlogon.exe".  



It shouldn't be there, so delete it if you find it there.  You may need safe mode to do so.  

They're trying to mimic the winlogon.exe file in your windows/system directory that is a necessary system process.  This way, when you check system processes, you'll think nothing is wrong.



Actually, the program is winlogin.exe.  Sorry for the mixup.

benditup
« Reply #9 on: May 15, 2004, 09:03:03 PM »

Smiley

Make sure you look for the Winlogin.exe

Not the Winlogon.exe <--- this one is legitimate

benditup
« Reply #10 on: May 15, 2004, 09:05:08 PM »

Thanx for the info Cadaverlab

Qwerty
« Reply #11 on: May 16, 2004, 12:31:14 AM »


hi everyone

many thanks to all who replied to my plea for help. my system works fine now after deleting the winlogin file and following the rest of your instructions.

thanks y'all!

mwalsh_21
« Reply #12 on: May 17, 2004, 01:14:52 AM »

I know that you have your problem licked, but if others still find problems read on.  I had this problem today too.  Mine was a file called cvshost.exe in the windows folder.  The smartest way to rid yourself of this problem and many others like it is to do a search of the windows and windows32 folders for All .exe files, then find the ones that were installed since your problems started and delete them in safe mode.    happy computing!!8)

Matthew
« Reply #13 on: May 17, 2004, 12:43:07 PM »

quote:
Originally posted by benditup

Can you please post your Hijackthis log.
Copy and paste the Whole contents of the log here.
Let's see if there is possibly something you missed


Matthew
« Reply #14 on: May 17, 2004, 12:59:19 PM »


Dear cadaverlab,

Many thanks for your advice, together with benditup's advice (another replier) I have managed to remove the exe files which were defaulting my homepage. For your info. these were as follows: m.exe, IEengine.exe, dlltemp.exe and dllhelp.exe. Keep up the good work, and again, many thanks.


