
Title: Help from spyware infection

Author: 147ak477    Time: 2006-1-13 12:56 AM     Title: Help from spyware infection

after infection
always have pop ups
desktop background cannot be changed


i tried
yahoo taskbar
microsoft antispyware
norton
use them scan and remove

but still have prob

also computer is really slow....
please help me
Author: hello1997    Time: 2006-1-13 06:54 AM

did u try microsoft spyware removal tools?
http://www.download.com/Microsof ... 86.html?tag=lst-0-1

or

Adaware
http://www.download.com/Ad-Aware ... 02.html?tag=lst-0-1

They should work!!! Good luck!!!
Author: gergermen    Time: 2006-1-13 11:25 AM

Have you tried Hijackthis? It has been POSTed here before.

desktop background cannot be changed
—— This one can be fixed in the registry; I remember that has been POSTed too.
Author: lywv6    Time: 2006-1-14 03:33 PM

Originally posted by hello1997 at 2006-1-13 06:54 AM:
did u try microsoft spyware removal...
used both
they detected some spyware and removed
but still have pop-ups
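Author: gergermen    Time: 2006-1-14 04:46 PM

These programs can't clean everything; go into the registry and remove it by hand.

Before going in, you can run a HIJACKTHIS scan to analyse things and find the location.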

[ Last edited by gergermen on 2006-1-14 at 04:47 PM ]
Author: 147ak477    Time: 2006-1-14 08:23 PM

i downloaded hijackthis
scanned.... but dunno how to find which one is problematic and clear
Author: gergermen    Time: 2006-1-14 10:46 PM

Post the scan result here (to keep it from being too long, upload it in TXT format).
Author: 147ak477    Time: 2006-1-15 08:49 AM

attached
pls rename it to  .log instead of .rar to view

thanks

Attachment: hijackthis.rar (2006-1-15 08:49 AM, 7.7 KB) / Downloads: 3
http://www.26fun.com/bbs/attachment.php?aid=738608&k=9436288f5a2de6ba9b9508f0ca441c23&t=1714336420&sid=V63L5V
Author: gergermen    Time: 2006-1-15 10:51 AM

O4 - HKLM\..\Run: [TFNF5] TFNF5. exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar. exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK. exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY. EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy. exe /Type 01
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
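—— I have some doubts about these. Export these entries first, then DEL them and see whether there is any problem; if there is, import them back.

desktop background cannot be changed
—— Go into the registry: start —— run, type regedit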
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop" , "NoActiveDesktopChanges"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
—— Check whether the value is 1; if so, change it to 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL", "Search Page"
—— Check whether these are LINKs you SET yourself; if not, change them back.
Author: 147ak477    Time: 2006-1-15 11:05 AM

thanks but i have some problem

Export, then DEL, and see whether there is any problem; if there is, import them back
how to do this?
i scanned, and clicked those item and click fix checked, it said i will permanently remove those item..so i clicked no....



—— Go into the registry: start —— run, type regedit
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop" ,  --- i can find this, value is 0
"NoActiveDesktopChanges" ---- cannot find this


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000           - cannot find
"NoDispBackgroundPage"=dword:00000000    -cannot find




[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL", "Search Page"
-- it seems the link are from microsoft since they start with www.microsoft.com
but i didn't set them
Author: 147ak477    Time: 2006-1-15 11:08 AM

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

the other 2 items inside
"force active desktop on"  have  0X0000001 (1)
"no driver type autorun" have  0x000091 (145)

does that have problem?
Author: gergermen    Time: 2006-1-15 11:37 AM

O4 - HKLM\..\Run: [TFNF5] TFNF5. exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar. exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK. exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY. EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy. exe /Type 01
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
—— "i scanned, and clicked those item and click fix checked, it said i will permanently remove those item..so i clicked no....": do you mean the ones above? Do you know what SOFTWARE these are?
EXPORT / IMPORT are under the "REGISTRY" menu of the registry editor.


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"force active desktop on"  have  0X0000001 (1)
—— Change it to 0 and see whether that works

PS: desktop background cannot be changed. What exactly happens? On the DESKTOP, RIGHT CLICK MOUSE, SELECT "PROPERTIES": is there a "BACKGROUND" item?
Author: 147ak477    Time: 2006-1-15 11:51 AM

for the desktop problem
i can open the properties, but it doesn't allow me to select other background from the list
i can click change colour but even i click apply , don't have effect
but change screensavers etc is ok

when i just got infected. the desktop change to blue with a large textbox saying  SPYWARE INFECTION. and cannot change background

after i used some other software , microsoft anti-spyware , norton etc to scan and remove the infected files , the desktop become white in background but still cannot change

[ Last edited by 147ak477 on 2006-1-15 at 11:59 AM ]
Author: 147ak477    Time: 2006-1-15 11:57 AM

for the filter-031, those files doesn't seem familiar to me
i open registry and can see the functions to import and export

does that mean i should export one set of those filter-031 files to one location as backup?
then delete the original ones ?

also if change registry do i need to restart to take effect?
Author: gergermen    Time: 2006-1-15 12:06 PM

WHAT ABOUT THIS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"No Save Setting": if it is 1, change it to 0

pop-up,maybe this one
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"

Those programs in #12: do you know what they are?

[ Last edited by gergermen on 2006-1-15 at 12:13 PM ]
Author: 147ak477    Time: 2006-1-15 12:13 PM

do not have “No Save Setting” in that folder ...


the names in #12 doesn't look familiar to me

[ Last edited by 147ak477 on 2006-1-15 at 12:16 PM ]
Author: gergermen    Time: 2006-1-15 12:31 PM

REG:system.ini: Shell=explorer. exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
—— del all of it, both in the registry and this file. If you don't know how, fix it with HIJACKTHIS

HKLM\..\Run: [drsmartloadb] c:\\drsmartloadbfilter-031 —— Have you run a virus scan? This one is also a possibility; go into the registry and DEL this entry.

Winlogon Notify: Installer - C:\WINDOWS\system32\irl6l53s1.dll —— I'm a little suspicious of this one, but not sure
Author: 147ak477    Time: 2006-1-15 12:49 PM

Originally posted by gergermen at 2006-1-15 12:31 PM:
REG:system.ini: Shell=explorer. exe...
deleted all of them lu
see if it works
Author: 147ak477    Time: 2006-1-15 03:26 PM

still have pop-ups
Author: gergermen    Time: 2006-1-15 03:53 PM

Originally posted by 147ak477 at 2006-1-15 15:26:
still have pop-ups
No way~~~

CAP some screenshots for me to look at (the ones below)

What the pop-ups show / TASK MANAGER /
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\启动

OR
Scan with HIJACKTHIS once more

[ Last edited by gergermen on 2006-1-15 at 03:58 PM ]
Author: gergermen    Time: 2006-1-15 04:19 PM

O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 205.252.144.28 218.102.23.77

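This was in the LOG from the earlier HIJACKTHIS scan; I didn't notice it at first. Do you know this IP? It may be the source of the POPUPs: it redirects your IP to this one. Fix it with HIJACKTHIS.
Author: 147ak477    Time: 2006-1-15 04:30 PM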

Originally posted by gergermen at 2006-1-15 03:53 PM:


No way~~~

CAP some screenshots for me to look at (the...
i have fix the O-17 file lu

also do u mean cap the screen of those files in regedit?
Author: 147ak477    Time: 2006-1-15 04:36 PM

after i fix the O-17
all the pop ups shows cannot find server
and one of those link is
http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={8583258A-8641-7559-614F-AEC2FEBEBF81}&type=normal&mSkip=1&rnd=19054
Author: gergermen    Time: 2006-1-15 04:40 PM

Originally posted by 147ak477 at 2006-1-15 16:36:
after i fix the O-17
all the pop u...
It should be fine now, right?
The LINK you POSTed leads here (selling ads)
http://www.health-yshopping.com/normal/yyy102.html
Author: 147ak477    Time: 2006-1-15 04:52 PM

after i fix O-17 for a while .
i disconnect and re-connect internet (coz cannot load 26fun.com) , but now the ads-pop -up can show again!

also i attach the screen cap for regedit
some of the directory in the local machine cannot be found

Image attachment: current_user.jpg (2006-1-15 04:52 PM, 2.3 MB) / Downloads: 2
http://www.26fun.com/bbs/attachment.php?aid=739108&k=f3988850625d2817507550e1516e4814&t=1714336420&sid=V63L5V



Image attachment: local_machine.jpg (2006-1-15 04:52 PM, 2.3 MB) / Downloads: 3
http://www.26fun.com/bbs/attachment.php?aid=739109&k=e0c6662b368e8c4a6da75029ff3c95f8&t=1714336420&sid=V63L5V


Author: 147ak477    Time: 2006-1-15 04:55 PM

links for some other ads:
http://www.hug-ediscounts.com/normal/yyy102.html
all of the URL ends like that


i scanned using hijackthis and find the O-17 files again!
and i need to fixed it again

[ Last edited by 147ak477 on 2006-1-15 at 04:58 PM ]
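Author: gergermen    Time: 2006-1-15 05:09 PM

The POPUPs are back again
and the screenshots don't show anything

Did you install any SOFTWARE / TOOLBAR or the like before this? Also, did this happen before, and when did it start?

Scan with HIJACKTHIS once more
OR
Find these two FILEs: HOST / LMHOST, and open them with NOTEPAD.
Does host look like this (the part in red)?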
# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Does the content of lmhost end with this: # end of this file.

[ Last edited by gergermen on 2006-1-15 at 05:12 PM ]
Author: 147ak477    Time: 2006-1-15 05:15 PM

Originally posted by gergermen at 2006-1-15 05:09 PM:
The POPUPs are back again
and the screenshots don't show anything

Did you...
hosts file starts similar to the one u shown but ends with like:

127.0.0.1       localhost
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
127.0.0.1  www.qoolaid.com
127.0.0.1  www.qoologic.com
127.0.0.1  www.CLKPrecision.com
127.0.0.1  www.urllogic.com
127.0.0.1  www.clkoptimizer.com
127.0.0.1  www.isearch.com
127.0.0.1  isearch.com
127.0.0.1  www.idownload.com
127.0.0.1  idownload.com
127.0.0.1  www.mytotalsearch.com
127.0.0.1  mytotalsearch.com
127.0.0.1  www.lop.com
127.0.0.1  lop.com
127.0.0.1  www.websearch.com
127.0.0.1  websearch.com
127.0.0.1  www.page-not-found.net
127.0.0.1  page-not-found.net
127.0.0.1  www.isearchhere.com
127.0.0.1  isearchhere.com
127.0.0.1  as.adwave.com
127.0.0.1  sr.adwave.com
127.0.0.1  www.adwave.com
127.0.0.1  adwave.com EVENT:HOST:127.0.0.1
127.0.0.1  www.pacimedia.com
127.0.0.1  www.exactsearch.net
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
( a lot of them)

lmhosts
starts and ends like normal

[ Last edited by 147ak477 on 2006-1-15 at 05:17 PM ]
Author: gergermen    Time: 2006-1-15 05:17 PM

Originally posted by 147ak477 at 2006-1-15 17:15:



hosts file starts similar to ...
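That's it. Change it to what I POSTed, leaving only this line: "127.0.0.1       localhost "
Job done, no more POPUPs from now on

Those addresses lead to some advertising sites.

[ Last edited by gergermen on 2006-1-15 at 05:20 PM ]
Author: 147ak477    Time: 2006-1-15 05:19 PM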

Originally posted by gergermen at 2006-1-15 05:17 PM:


That's it. Change it to what I POSTed and the job is done

That address leads to a site doing DESKTOP MARKETING.
do u mean i manually edit the" hosts" file
and deleted everything after    127.0.0.1       localhost
and save?
Author: gergermen    Time: 2006-1-15 05:20 PM

yes

Next time something like this happens, you can look at what is in this file, and then you'll know how to deal with it

[ Last edited by gergermen on 2006-1-15 at 05:24 PM ]
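
For reviewing a hosts file like the one pasted above, this added example (not part of the thread) separates names pinned to a loopback address, which never leave the machine, from names pointed at some other address, and lists duplicate and malformed entries. The sample text is constructed from a few lines quoted in the thread; `203.0.113.10` and `shop.example` are placeholders.

```python
import ipaddress
import re

# Constructed sample: a few entries as quoted in this thread, plus one constructed
# redirect (203.0.113.10 and shop.example are documentation placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  www.contextplus.net
127.0.0.1  www.contextplus.net
127.0.0.1  adwave.com EVENT:HOST:127.0.0.1
203.0.113.10  shop.example   # constructed
"""

LABEL = r"[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?"
HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){LABEL}(\.{LABEL})*$")

def audit_hosts(text):
    """Classify every name in a hosts file; tuples carry the 1-based line number."""
    report = {"local_only": [], "redirected": [], "malformed": [], "duplicates": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        for name in names:
            name = name if not HOSTNAME.match(name) else name.lower()
            if not HOSTNAME.match(name):
                report["malformed"].append((lineno, name))   # e.g. stray tool output
            elif (str(ip), name) in seen:
                report["duplicates"].append((lineno, name))
            else:
                seen.add((str(ip), name))
                if name == "localhost":
                    continue                      # the stock entry
                # Loopback / 0.0.0.0: lookups for the name stay on this machine.
                local = ip.is_loopback or ip.is_unspecified
                report["local_only" if local else "redirected"].append((lineno, name, str(ip)))
    return report

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```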
Author: 147ak477    Time: 2006-1-15 05:37 PM

edited the hosts file
hope the popup doesn't show

Did you install any SOFTWARE / TOOLBAR or the like before this? Also, did this happen before, and when did it start?

i downloaded a crack file from internet  "an exe file"
then the windows task bar pop up sth said spyware infected and my desktop background changed to the one i said above

then i install norton, microsoft antispy, yahoo task bar etc
still cannot solve.. it

i have just restarted the computer
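Author: gergermen    Time: 2006-1-15 05:42 PM

Originally posted by 147ak477 at 2006-1-15 17:37:
edited the hosts file
hope the pop...
Don't DOWN CRACK FILEs carelessly; some may not be genuine.
If you want CRACK FILEs I'll give you a site to DOWN them from.

Some problems software may not be able to handle; they have to be fixed by hand.

With the HOST file changed back, it should be fine.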
Author: 147ak477    Time: 2006-1-15 05:50 PM

i edited the host file
and restart
and open the host file again
those strange things appeared again
and i manually edit it and connect to internet

after i connect, microsoft anti-spyware detected the contextplus.com wants to modify the windows host file and i click block it
Author: 147ak477    Time: 2006-1-15 05:57 PM

pop up appeared again
i checked the host files
again they are modified
should i change the property of that file to read-only?
Author: 147ak477    Time: 2006-1-15 07:05 PM

now the situation is even worse
even the hosts files are "clean"
the pop-up still appear
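Author: gergermen    Time: 2006-1-15 10:33 PM

Scan with HIJACKTHIS once more.

POST the LOG here.

There is probably still something not cleaned out / some program you installed without knowing, and that is the root cause.
Author: gergermen    Time: 2006-1-15 10:39 PM

Start —— Programs, Startup: are there any programs in there that launch at boot?

Also clear out the contents of TEMP (including the hidden ones)

Start —— Run, MSCONFIG, the Startup tab (CAP a screenshot)
Author: 147ak477    Time: 2006-1-15 11:40 PM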

(1)
by TEMP, you mean c:\ TEMP
or C:\Documents and Settings\Administrator\Local Settings\Temp?

scan log please change to .log

[ Last edited by 147ak477 on 2006-1-15 at 11:42 PM ]
Author: 147ak477    Time: 2006-1-15 11:43 PM

Start —— Programs, Startup: are there any programs in there that launch at boot?

only have microsoft office and acrobat reader quick launch
Author: gergermen    Time: 2006-1-15 11:51 PM

Originally posted by 147ak477 at 2006-1-15 23:40:
(1)
by TEMP, you mean c:\ TEMP
or C:\Documents and Settings\Administrator\Local Settings\Temp?

scan log please change to .log

[ Last edited by 147ak477 on 2006-1-15 at 11:42 PM ]
all~~~ remember to DEL the hidden ones as well

where is log?
Author: 147ak477    Time: 2006-1-15 11:53 PM

sorry forgot to attach

Attachment: hijackthis.rar (2006-1-15 11:53 PM, 7.3 KB) / Downloads: 9
http://www.26fun.com/bbs/attachment.php?aid=739720&k=c153634aff57f06aad3ec1614bba367f&t=1714336420&sid=V63L5V

Image attachment: msconfig.JPG (2006-1-15 11:53 PM, 211.1 KB) / Downloads: 4
http://www.26fun.com/bbs/attachment.php?aid=739721&k=b1a612118a8514685113ca7d04befa40&t=1714336420&sid=V63L5V


Author: 147ak477    Time: 2006-1-16 12:01 AM

all contents in c:\ TEMP deleted
and
C:\Documents and Settings\Administrator\Local Settings\Temp
some files cannot be deleted , other including hidden files are deleted
see attached

Image attachment: temp.JPG (2006-1-16 12:01 AM, 90.4 KB) / Downloads: 1
http://www.26fun.com/bbs/attachment.php?aid=739725&k=762a48b38760fc530f68446a2e1ea1e7&t=1714336420&sid=V63L5V


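Author: gergermen    Time: 2006-1-16 12:32 AM

I've looked through it all. The problem is these two. After fixing them with HIJACKTHIS, go into these two locations by hand (note the path and the numbers) and CHECK once more, DEL lv0u09d9e.dll (not the kind of delete that goes to Recycled; it must be unrecoverable), and change HOST back while you're at it
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 205.252.144.28 218.102.23.77
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\lv0u09d9e.dll

Run a full scan of the whole machine again with antivirus software (update the virus definitions first) (NORTON may not catch it, so you can try others). I suspect the code causing this problem has been embedded in some programs.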
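
The O4, O17 and O20 result lines discussed throughout this thread can be pulled out of a HijackThis log and compared across two scans. This is an added example, not code from the thread or from HijackThis: the sample lines are the ones quoted above with the stray space before "exe" removed, and the `known` list (including `tpwrtray.exe`) is an assumption standing in for whatever the machine's owner recognises.

```python
import ntpath
import re

# Constructed sample: result lines quoted in this thread, with the stray space
# before "exe" removed. SECOND_SCAN models a later scan after the O4 item was fixed.
FIRST_SCAN = r"""
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 205.252.144.28 218.102.23.77
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\lv0u09d9e.dll
"""
SECOND_SCAN = "\n".join(l for l in FIRST_SCAN.splitlines() if "ibm00001" not in l)

LINE = re.compile(r"^(O\d+) - (.*)$")
O4 = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")   # autorun (Run key) entry
O17 = re.compile(r"^.+?: NameServer = (.+)$")                 # DNS servers set in Tcpip
O20 = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")          # DLL loaded by Winlogon

def image_name(command):
    """File name of the program in an autorun command (quotes and arguments dropped)."""
    quoted = command.startswith('"')
    target = command[1:].split('"', 1)[0] if quoted else command.split(" ", 1)[0]
    return ntpath.basename(target).lower()

def parse(log_text):
    """Return (section, subject, values) tuples for the O4, O17 and O20 lines of a log."""
    found = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        if code == "O4" and (hit := O4.match(rest)):
            found.append((code, f"{hit[1]} {hit[2]} [{hit[3]}]", (image_name(hit[4]),)))
        elif code == "O17" and (hit := O17.match(rest)):
            found.append((code, "NameServer", tuple(re.split(r"[ ,]+", hit[1].strip()))))
        elif code == "O20" and (hit := O20.match(rest)):
            found.append((code, f"Winlogon Notify [{hit[1]}]", (ntpath.basename(hit[2]).lower(),)))
    return found

def needs_review(log_text, known=()):
    """Entries with a file name or DNS server that is not in the owner's `known` list."""
    return [(code, subject, tuple(v for v in values if v not in known))
            for code, subject, values in parse(log_text)
            if any(v not in known for v in values)]

def still_present(first_scan, later_scan, known=()):
    """Unexplained entries seen in both scans; if fixed in between, something re-created them."""
    earlier = set(needs_review(first_scan, known))
    return [e for e in needs_review(later_scan, known) if e in earlier]

if __name__ == "__main__":
    known = {"tpwrtray.exe"}  # assumption for the example: the owner recognises this one
    for entry in needs_review(FIRST_SCAN, known):
        print("review:", entry)
    for entry in still_present(FIRST_SCAN, SECOND_SCAN, known):
        print("still present:", entry)
```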
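Author: ckyckk    Time: 2006-1-16 12:40 AM

Originally posted by gergermen at 2006-1-16 12:32 AM:
I've looked through it all. The problem is these two. After fixing them with HIJACKTHIS...
What an amazing computer doctor, 隱貓; I don't understand any of it, meow~~meow~~~
Author: 147ak477    Time: 2006-1-16 12:42 AM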

O17 --deleted and doesn't  appear anymore

but
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\lv0u09d9e.dll
after use hijackthis to fix , still appear, when i manually click delete it
it said other program/user using it , cannot delete

i use norton to scan sometime before and there 's also a .dll ( scanned as a threat) that cannot be deleted.
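Author: gergermen    Time: 2006-1-16 10:09 AM

Then go into SAFE MODE and do it all again
Scan once with HIJACKTHIS, CHECK once by hand
Scan once with NORTON
Start —— Run, REGSVR32 /U lv0u09d9e.dll, then the same command again: REGSVR32 /U <the DLL that norton flagged but could not DEL>
Then delete by hand once more.

[ Last edited by gergermen on 2006-1-16 at 10:29 AM ]
Author: kingwong    Time: 2006-1-16 06:03 PM

Fix the following items with HIJACKTHIS: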

O4 - HKLM\..\Run: [MS Messenger] C:\WINDOWS\msm. exe

Delete the following files:
ssocks5.dll
%systemdir%\SSocks32.dll
Regsock32. exe
MSM. EXE

[ Last edited by kingwong on 2006-1-16 at 06:06 PM ]
Author: 147ak477    Time: 2006-1-16 08:55 PM

Originally posted by kingwong at 2006-1-16 06:03 PM:
Fix the following items with HIJACKTHIS:

O4 -...
where can i find these:
ssocks5.dll
%systemdir%\SSocks32.dll
Regsock32. exe
MSM. EXE
Author: 147ak477    Time: 2006-1-16 09:13 PM

Originally posted by gergermen at 2006-1-16 10:09 AM:
Then go into SAFE MODE and do it all again
HIJACK...
how to enter safe mode?
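Author: gergermen    Time: 2006-1-17 12:37 AM

Best to stay offline for now. Temporarily turn off System Restore (if it is on), press "F5" at boot, and set all hidden files to be shown first; once the cleanup is done, hide them again.
1. First try antivirus software and see whether it can remove it
Scan the whole machine once with antivirus software

2. If the above doesn't work, delete it by hand
As kingwong said, use HIJACKTHIS to fix the one below plus the two I mentioned above (can't believe I didn't notice this entry =.=)
O4 - HKLM\..\Run: [MS Messenger] C:\WINDOWS\msm. exe

Then delete the following by hand (remember to check whether HOST needs changing)
DEL (these need to be deleted completely; if they can't be deleted, try regsvr32 /u <file name> first as described above, then delete)
C:\windows\system32\SSock32.dll
C:\WINDOWS\msm. exe
Regsock32. exe & ssocks5.dll: either C:\windows\system32\ or C:\windows\
—— Start —— Search (or press "F3" when only the desktop is showing with no window open), enter ssock32.*, msn.*, ssocks5.*, regsock32.*, and for the location choose C: or all partitions (all driver) / My Computer
del (in the registry)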
[quote]HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-000000000004}
  HKEY_CLASSES_ROOT\HTMLEdit.SSocks32
  HKEY_CLASSES_ROOT\HTMLEdit.SSocks32.1
  HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
  HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks32
  HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks32.1
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{000000000004}

HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\HTMLEdit.SSocks5
HKEY_CLASSES_ROOT\HTMLEdit.SSocks5.1
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks5
HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks5.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}[/quote]
Author: lywv5    Time: 2006-1-17 10:02 PM

Temporarily turn off System Restore (if it is on), press "F5" at boot
but still cannot enter safe mode
i use win XP

when i reboot ,, it first show toshiba , then window XP ( loading screen). then log in screen
when shall i press F5
Author: 147ak477    Time: 2006-1-17 11:59 PM

entered safe mode
disable System Restore
set show hidden files

hijackthis remove O 17 and O4

scan norton ( nothing  wrong detected! , even the file last time)

search but cannot find all the files:
C:\windows\system32\SSock32.dll
C:\WINDOWS\msm. exe
Regsock32. exe & ssocks5.dll

also all the things in the registry inside the quote cannot be found
Author: 147ak477    Time: 2006-1-18 12:07 AM

still have pop up
after i connect to internet
microsoft anti-spyware detected the contextplus.com wants to modify the windows host file and i click block it


an ad pop up in IE, but cannot load

then my toolbar style suddenly changed , from blue XP style to classic grey style and warning window ( cannot find power(sth else in the name) .dll ) and rebooted!
Author: gergermen    Time: 2006-1-18 12:25 AM

sorry~~~~is press F8
As your computer restarts but before Windows launches, press F8
first show toshiba ,press F8
select safe mode with network,but you no need to use network
Author: ckyckk    Time: 2006-1-18 12:45 AM

Originally posted by gergermen at 2006-1-18 12:25 AM:
sorry~~~~is press F8
As your computer restarts but before Windows launches, press F8
first show toshiba ,press F8
select safe mode with network,but you no need to use network
You're rarely up this late
Author: 147ak477    Time: 2006-1-24 09:13 PM

seems to fix , using another method from another forum
but thanks anyway
especially gergermen!!!
Author: gergermen    Time: 2006-1-25 12:06 AM

what method~~~~

can you tell me?
Author: lywv5    Time: 2006-1-25 10:45 PM

download a program called l2mfix, and clean up using the programme
(but i do not know what it does, i just enter the command to make it fix :-))




Welcome to 娛樂滿紛 26FUN (http://www.26fun.com/bbs/) Powered by Discuz! 7.0.0