Resolved HJT Threads (resolved spyware and popup issues)

#1
Registered User
Join Date: May 2005
Posts: 10
OS: XP

Hey, I need a little help please.
I uploaded the HijackThis log (newest version).
There are 2 registry entries I can't delete (they reappear) in the log file, and another one, tcactive in Local Machine\..\Run, that also reappears. All the rest of the entries I think that I know.

Logfile of HijackThis v1.99.1
Scan saved at 03:01:06, on 26/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\IaM\LOCALS~1\Temp\_tc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.netvision.net.il:8080
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP001.TMP\"
O8 - Extra context menu item: Download &All using Mass Downloader - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using &Mass Downloader - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Explore with &Instant Source - C:\Program Files\Instant Source\context.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU-new/launcher.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVB-new/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B0313D2-1223-4351-9CC5-FA8EF33D6F31}: NameServer = 212.143.212.143 194.90.1.5
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Big thanks in advance.

#2
Registered User
Join Date: May 2005
Posts: 10
OS: XP

O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP001.TMP\"

Those are the bad entries I can't delete manually or using HijackThis :/

#3
Analyst, Security Team

Welcome to TSF.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP001.TMP\"

Restart and run a new HijackThis scan. Save the log file and post it here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |

#5
Registered User
Join Date: May 2005
Posts: 10
OS: XP

New log:

Logfile of HijackThis v1.99.0
Scan saved at 03:32:26, on 27/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
c:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.netvision.net.il:8080
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP001.TMP\"
O8 - Extra context menu item: Download &All using Mass Downloader - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using &Mass Downloader - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Explore with &Instant Source - C:\Program Files\Instant Source\context.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU-new/launcher.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVB-new/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B0313D2-1223-4351-9CC5-FA8EF33D6F31}: NameServer = 212.143.212.143 194.90.1.5
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#6
Analyst, Security Team

I'm not 100% sure what that is for. Did you install any big programs lately? I did some searches and was wondering if it could be part of some installation file.

Do you want to keep GhostSurf? If not, uninstall it from the Add/Remove panel.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\

Restart and see if it comes back.

#7
Registered User
Join Date: May 2005
Posts: 10
OS: XP

Hello again.
Hey, well, I downloaded the program but there is a little problem.
GhostSurf was already uninstalled a week ago and it is still there:
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
Those files don't exist, so I can't choose them in KillBox, but they just reappear:
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP001.TMP\"
Also in HKLM\..\Run I have tcactive without any file path to run, and it also reappears if I delete it.

PS. Another problem I encountered yesterday: I tried to back up a file that I programmed in Hotmail and it told me it is a virus :/ It is in no way a virus (at least the part I wrote). Hotmail checks with Trend Micro, and I use Trend Micro, which doesn't alarm me about the file. What do you suggest, please? Thanks in advance for your help.

#8
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27

Can we have the following two logs please:

A new HJT log.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool. Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (use Link 3).
1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker, so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane, left click and highlight all the information in the lower pane. Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything, but to ID the bad files.
Once you copy that to a Notepad file, highlight the text and copy it here.

#11
Analyst, Security Team

You have to stop downloading those cracks. It's not doing your machine any good.

OK, I only edited some of these since you had too many there, but you should see what files I want you to delete. Delete these:

C:\WINDOWS\System32\admdll.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\WINDOWS\System32\raddrv.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\WINDOWS\System32\r_server.exe tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.21. No Action Taken.
File C:\Documents and Settings\IaM\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-6234a237-739aefb6.zip infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\IaM\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv684.jar-6c93babb-630a3831.zip infected by "Trojan-Downloader.Java.OpenStream.c" Virus! Action Taken: No Action Taken.
File C:\downloads\appz\new appz\BulletProof.FTP.Server.v2.30.15.WinAll.Cracked.rar tagged as not-a-virus:Tool.Win32.ServiceRunner.d. No Action Taken.
File C:\downloads\appz\new appz\PC-cillin 2004 Crack Activator.zip tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
File C:\downloads\appz\new appz\susetup.exe tagged as not-a-virus:Server-FTP.Win32.Serv-U.5201. No Action Taken.
File C:\downloads\appz\new appz1\radmin22.zip tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.22. No Action Taken.
File C:\downloads\appz\new appz1\setup_ares.exe tagged as "not-a-virus:AdWare.NavExcel.d". Action Taken: No Action Taken.
File C:\downloads\appz\new appz1\winamp504.rar tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
File C:\downloads\appz\new appz3\crack Babylon_Pro_5.0.0_r78_.zip tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
File C:\downloads\appz\new appz3\CRACK-WinZip_v9.0_6028_.zip tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
File C:\downloads\appz\new appz3\mirc614.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.14. No Action Taken.
File C:\downloads\appz\new appz3\radmin21.zip tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\downloads\appz\new appz3\scrcam.exe
C:\downloads\ebooks\(ebook - html-txt) - complete_set_of_hacking_tools+manuals.zip
C:\downloads\new appz\check if burn already\curl-7.13.2.zip
C:\downloads\new appz\NewsBin_Pro_v4[1].3_build_4892.zip
C:\downloads\new appz\NewsBin_Pro_v4[1].3_build_4892_Crack_by_Morglum.zip
C:\Program Files\Babylon\crack.exe
C:\Program Files\Trend Micro\Internet Security\PC-cillin 2004 Crack Activator.exe
C:\WINDOWS\Downloaded Program Files\launcher.ocx
C:\WINDOWS\LastGood\Downloaded Program Files\CONFLICT.1\
C:\WINDOWS\system32\admdll.dll

Any ideas what these are for?
C:\Program Files\bf\AddOns\G6Service.exe
C:\Program Files\bf\eatbfs23.rar

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in it, .bak files, .chk files, .tmp files and index.dat files. Most of you should be OK with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's OK, then download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Run CleanUp! and click on the CleanUp! button. Once it's done, you may click the Close button. When asked if you want to log off, choose No.

Restart and do this: right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

#12
Registered User
Join Date: May 2005
Posts: 10
OS: XP

Hey, thanks for the reply.
The file you requested is here. I didn't run CleanUp again; I ran it already once and it killed some things I needed, but I am fine again. Just those strange entries, and I hope I don't have keyloggers or some other s@$%. Thanks again.

#13
Analyst, Security Team

What did CleanUp delete that you wanted to keep? Go into the options and look through the tabs (especially the last one). Edit out what you don't want CleanUp to delete before you run it again.

OK, for the other problem, these two:
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP001.TMP\"
I think they may be related to TrendMicro.

For the GhostSurf one, do you still see it listed in the Add/Remove panel? Or see if the folder exists -> C:\Program Files\GhostSurf 2005\

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
and delete GhostSurfDelSatellite

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Your log is clean. Turn off System Restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
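The checks the analysts in this thread apply by hand to the O4 autorun lines (is the launched file under a Temp folder, does the target still exist on disk, is a RunOnce value an advpack DelNodeRunDLL32 cleanup stub, does the value launch anything at all), written out as a small Python triage script. This is an added example and not code from the original thread or from HijackThis. The sample log lines and the KNOWN_FILES set are constructed from entries quoted above rather than read from the poster's machine; the `[tcactive]` line in the sample is an assumption about the shape of the value-with-no-path the poster describes, since it never appears in a posted log. The flags are review prompts, not malware verdicts; the script generalises beyond the thread by accepting any Run* key under any hive.

```python
"""Triage of HijackThis O4 (autorun) entries.

Added example for this thread, not code from the original page. It parses
O4 lines in the format HijackThis v1.99 prints and applies the checks the
analysts above did by hand. All sample data below is constructed.
"""
import os
import re
from dataclasses import dataclass, field

# O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$'
)
QUOTED_RE = re.compile(r'"([^"]*)"')
# An unquoted drive-letter path, which HijackThis prints with embedded spaces
# (C:\Program Files\...), taken non-greedily up to the first executable extension.
UNQUOTED_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|com|bat|cmd|scr|pif|vbs)\b', re.I)


@dataclass
class Autorun:
    hive: str
    key: str        # Run, RunOnce, RunServices, ...
    name: str       # registry value name shown in [brackets]
    cmd: str        # command line as HijackThis printed it
    paths: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def find_paths(cmd):
    """Every file or folder path referenced by the command, quoted ones first."""
    paths = QUOTED_RE.findall(cmd)
    paths += UNQUOTED_RE.findall(QUOTED_RE.sub(' ', cmd))
    return paths


def parse_o4(line):
    m = O4_RE.match(line.strip())
    if not m:
        return None      # not a registry autorun line (O8, O16, 'O4 - Startup:' ...)
    cmd = m.group('cmd').strip()
    return Autorun(m.group('hive'), m.group('key'), m.group('name'), cmd, find_paths(cmd))


def is_temp_path(path):
    low = path.lower().replace('/', '\\')
    return '\\temp\\' in low or '\\tmp\\' in low


def assess(entry, exists):
    """Attach heuristic flags; these are review prompts, not malware verdicts."""
    flags = set()
    if not entry.cmd:
        flags.add('no_target')          # value launches nothing at all
    if entry.key.lower() == 'runonce' and 'delnoderundll32' in entry.cmd.lower():
        # advpack.dll,DelNodeRunDLL32 deletes a folder tree at next logon; this is
        # the cleanup stub a self-extracting (IExpress/wextract) package registers.
        flags.add('iexpress_cleanup')
    for p in entry.paths:
        if is_temp_path(p):
            flags.add('temp_path')      # something under Temp is started or deleted at logon
        if not p.endswith('\\') and not exists(p):
            flags.add('missing_file')   # target gone: typical of an uninstall leftover
    entry.flags = sorted(flags)
    return entry


def triage(log_text, exists=os.path.exists):
    """Parse every O4 line in a HijackThis log and flag it."""
    return [assess(e, exists) for e in map(parse_o4, log_text.splitlines()) if e]


# Constructed sample, modelled on entries quoted in this thread. The [tcactive]
# line is an assumption about the shape of the entry the poster describes.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKLM\..\Run: [tcactive]
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\IaM\LOCALS~1\Temp\IXP000.TMP\"
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
"""

# Files we pretend exist on the box (constructed; stands in for os.path.exists offline).
KNOWN_FILES = {p.lower() for p in (
    r"C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe",
    r"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r"C:\WINDOWS\System32\advpack.dll",
)}


def known_file(path):
    return path.lower() in KNOWN_FILES


def demo():
    """Name -> flags for the constructed sample."""
    return {e.name: e.flags for e in triage(SAMPLE_LOG, exists=known_file)}


if __name__ == '__main__':
    for name, flags in demo().items():
        print(f"{name:24} {', '.join(flags) or 'ok'}")
```

On the machine that produced the log, call `triage(open('hijackthis.log').read())` with the default `os.path.exists` instead of the constructed `known_file`; Windows resolves 8.3 short names such as `C:\DOCUME~1` itself, so the RunOnce argument paths check correctly there, whereas a hand-built lowercase set like KNOWN_FILES would not match them. A `missing_file` flag on a Run value is the pattern behind the GhostSurf leftover above; `iexpress_cleanup` plus `temp_path` is the pattern of the two wextract_cleanup values, which is why the analyst's later call that they are probably an installer's own housekeeping is consistent with what the log shows.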

#15
Analyst, Security Team

The Temp ones might be OK since you have TrendMicro - I think Trend created those.
For the registry edit, try disabling Ad-Watch and then try deleting it again. Fix it in HijackThis if it's still showing up.