147ak477

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

the other 2 items inside
"force active desktop on"  have  0X0000001 (1)
"no driver typpe autorun" have  0x000091 (145)

does that have probelm?

gergermen

O4 - HKLM\..\Run: [TFNF5] TFNF5. exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar. exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK. exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY. EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy. exe /Type 01
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
——i scanned, and cliked those item and click fix checked, it said i will permanantly remove those item..so i clicked no....,指上面呢幾個？呢幾個係咩SOFTWARE，你知唔知。
導出（EXPORT）/導入（IMPORT），喺註冊表編輯器嘅“REGISTRY（註冊表）”嗰度。


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"force active desktop on"  have  0X0000001 (1)
—— 改為0，睇下得唔得

PS：desktop background cannot be changed，具體係點？喺DESKTOP，RIGHT CLICK MOUSE，SELECT“PROPERTISE”，有冇“BACKGROUND”呢項？

147ak477

for the desktop problem
i can open the propoerties, but it doesen't me to select other background from the list
i can click change colour but even i click apply , don't have effect
but change screensavers etc is ok

when i just got infected. the desktop change to blue with a large textbox saying  SPYWARE INFECTION. and cannot change background

after i used some other software , microsoft anti-spyware , norton etc to scan and remove the infected files , the desktop become white in background but still cannot change

[ Last edited by 147ak477 on 2006-1-15 at 11:59 AM ]

147ak477

for the filter-031, those files doesn't seem familiar to me
i open registry and can see the functions to import and export

does that mean i should export one set of thoses filter-031 files to one location as backup?
then delete the orignal ones ?

also if change registy do i need to restart to take effect?

gergermen

WHAT ABOUT THIS
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurentVersion\\Policies\\Explores
“No Save Setting”若1 ，改為0

pop-up，maybe this one
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"

#12嗰幾個software，知唔知係咩嚟。

[ Last edited by gergermen on 2006-1-15 at 12:13 PM ]

147ak477

do not have “No Save Setting” in that folder ...


the names in #12 doesn't look familiar to me

[ Last edited by 147ak477 on 2006-1-15 at 12:16 PM ]

gergermen

REG:system.ini: Shell=explorer. exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001. exe"
——喺註冊表同呢個文件del曬佢。如果唔知，用HIJACKTHIS修復

HKLM\..\Run: [drsmartloadb] c:\\drsmartloadbfilter-031 —— 有冇掃過毒，呢個亦有可能，入註冊表，DEL咗呢項。

Winlogon Notify: Installer - C:\WINDOWS\system32\irl6l53s1.dll —— 呢個不少少懷疑？但唔肯定

147ak477

Originally posted by gergermen at 2006-1-15 12:31 PM:
REG:system.ini: Shell=explorer. exe...

deleted all of them lu
see if it works

147ak477

still have popo-ups

gergermen

Originally posted by 147ak477 at 2006-1-15 15:26:
still have popo-ups

唔係啩~~~

CAP張圖睇下（下面幾張）

彈出嚟嘅係咩內容/ TASK MANAGER /  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\启动

OR
用HIJACKTHIS再掃一次

[ Last edited by gergermen on 2006-1-15 at 03:58 PM ]