12-05-2005, 08:54 AM   #22
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,038
OS: WinXP and Vista


Alright then, we'll go into the registry.

Reboot into Safe Mode as User.

Please make sure System Restore is enabled by right-clicking on My Computer and going to Properties->System Restore. Look at the box for Turn OFF System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Click START... RUN... Type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE... EXPORT... and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C24F68F-330D-3834-5594-F52CB787AE93}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E519B7D-60F7-36E0-6009-671EAD1F7C44}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{849E652D-E279-49D1-44C6-6C7123362280}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipxk.exe"="C:\\WINDOWS\\SYSTEM32\\IPXK.EXE"
"B5.tmp"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"B7.tmp"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B7.tmp.exe"
"B5.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"B7.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B7.tmp.exe"
"netgf.exe"="C:\\WINDOWS\\NETGF.EXE"


If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Reboot back into Normal Mode.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

*Save it to your desktop.
*Double-click the new icon on your desktop (tmas-web-scan.exe)
*It will say "Loading TrendMicro definitions".
*Once the definitions are loaded, the program will appear to close then re-open.
*Click "Start Scan"
*After it's done scanning, click "Scan Results"
*Make sure all items found have a check next to them, then click "Clean Threats Now".

Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post along with a new HijackThis log.


Run another scan with HijackThis and post the log here
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline
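
An added example, not part of Ried's post: a small audit of the registry export saved in the step above, listing Run-key values that start from a Temp directory, carry a double extension, or are missing from a known-good baseline. The function names, the baseline set, and the `ctfmon.exe` and `NotAutorun` sample lines are constructed for illustration; the other sample values are copied from the post.

```python
import re

# Constructed sample in regedit export syntax (a real export file is usually UTF-16).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipxk.exe"="C:\\WINDOWS\\SYSTEM32\\IPXK.EXE"
"B5.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"netgf.exe"="C:\\WINDOWS\\NETGF.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\NotAutorun]
"x"="C:\\Temp\\ignored.exe"
'''

SECTION = re.compile(r'^\[(.+)\]$')
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_SUFFIX = r'\microsoft\windows\currentversion\run'

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_entries(text):
    """Return (value name, command path) pairs found under any ...\\Run key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if m and key and key.lower().endswith(RUN_SUFFIX):
            entries.append((unescape(m.group(1)), unescape(m.group(2))))
    return entries

def findings(path, baseline):
    parts = path.lower().split('\\')
    out = []
    if 'temp' in parts[:-1]:
        out.append('runs from a Temp directory')
    if re.search(r'\.[a-z0-9]{1,4}\.exe$', parts[-1]):
        out.append('double extension')
    if parts[-1] not in baseline:
        out.append('not in baseline')
    return out

def audit(text, baseline):
    """Map each flagged Run value name to the reasons it was flagged."""
    report = {n: findings(p, baseline) for n, p in parse_run_entries(text)}
    return {n: hits for n, hits in report.items() if hits}
```

The path heuristics alone do not flag `ipxk.exe` or `netgf.exe`; only the baseline comparison does, which is why the entries to delete were picked out by hand in the post.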