Homepage has been hijacked & registry has been changed

Guest

My home page has been hijacked to www.aflashcounter.com. I've tried to
correct the problem with Norton AntiVirus, AdawareSE, Spybot, Aluria,
CWShredder, etc. but nothing seems to fix the problem. Every time I run a new
HijackThis log file the problem is back. My registry has been changed too. I
can see the name "aflashcounter" on some of the registry keys. What can I do
to get this off my PC?
 
Jan Il

Hi cacdrc :)

This may be a newer variant of about: blank. Methods that previously removed
the previous variant may not have any effect on it. Try the following and
follow the instructions carefully. This variant replicates itself, thus, you
must fully clean it from your system. This coolwebsearch infection uses a
hidden dll to reinfect, thus it replicates itself over and over if not
removed properly.

<<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>

CAUTION!!!!!
Before you try to remove spyware using any of the programs below, download a
copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP)
The process of removing certain malware may kill your internet
connection. If this should occur, this program, LSPFIX, will enable you to
regain your connection.

Also, get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

IMPORTANT!!
RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT

HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

About Buster
http://www.majorgeeks.com/download4289.html

and......

Like any disinfection procedure, it's a bit risky - it deletes an important
registry key and subsequently restores a revised version. If something goes
wrong, your PC may no longer work normally.

YOU USE THIS PROCEDURE AT YOUR OWN RISK!

Download Registrar Lite 2.0, install it and run it.
http://www.majorgeeks.com/download469.html
http://www.softpedia.com/public/cat/12/5/12-5-21.shtml

Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(note...should be all on one line)
and look at the AppInit_Dlls value.

Write down the name of the DLL file that's displayed!

(If you see several values separated by commas or spaces, which is unlikely,
use Windows Explorer to search for each one in the Windows\System32 or
Winnt\System32 directory. The one you can't find is the one to remember!)

Exit Registrar Lite.

Download and run this script. It will delete the CWS AppInit_Dlls value and
reboot Windows. After the reboot, the shield-DLL file is still on the hard
disk, but it's no longer a threat to your PC.
http://www.silentrunners.org/CWS Shield Dropper.vbs

Download Silent Runners here:
http://www.silentrunners.org/Silent Runners.vbs
Run it and look at the list of Browser Helper Objects. One of them will have
a strange name. Write down the file name (including the full path)!

(If you're not sure which BHO was installed by CWS, reboot into Safe Mode
and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
also available to identify and delete BHO pests.)

Download and run this script to delete the CWS shield-DLL and the BHO files.
No reboot will be required.
http://www.silentrunners.org/CWS File Cleaner.vbs

Reset your Internet Explorer home page. Your PC should now run normally.

If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Guest

I'll follow your steps when I get home tonight but I'm a little confused
about something. You said to run all programs offline in safe mode and show
hidden files. That I follow. Then you said to reboot & run them again. Do I
reboot in safe mode? Also, did you want me to download About Buster?
 
Jan Il

Hi cacdrc :)
> I'll follow your steps when I get home tonight but I'm a little confused
> about something. You said to run all programs offline in safe mode and show
> hidden files. That I follow. Then you said to reboot & run them again. Do I
> reboot in safe mode? Also, did you want me to download About Buster?

Yes to both questions.

Sometimes not all scumware are detected on a first run, thus, it is always
best to do at least 2 runs in Safe Mode. Also, running the programs in Safe
Mode assures that there's no interference from any other programs perhaps
running in the background, and you are not operating in Windows, thus it is
easier for the scumware to be detected, and less likely a chance for it to
hide in files that are "in use".

The About:Buster is a much more aggressive tool to go after and remove the
more stubborn variants. The second set of instructions I provided are for
the really nasty ones, that can continue to replicate repeatedly, and even
morph in some cases, if not properly removed.

If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Guest

I'll post back after I go through all the steps VERY SLOWLY :) Thanks so much
for your help!
 
Jan Il

Hi cacdrc :)
> I'll post back after I go through all the steps VERY SLOWLY :) Thanks so much
> for your help!

You're welcome! Take your time and go through the programs a couple of
times, to be sure nothing gets left, as sometimes it can take more than one
scan to get all the critters. I'll be keeping watch, so just come back here
when you're done, or if you need help.

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
 
Guest

I think I found the file but I want to be sure before I run the script to
delete it. This is what I see.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]

Is the file I want to delete "igfxsrvc.dll"?????
 
Jan Il

Hi cacdrc :)

> I think I found the file but I want to be sure before I run the script to
> delete it. This is what I see.
>
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
> INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]
>
> Is the file I want to delete "igfxsrvc.dll"?????

No, do not delete it, that is a legitimate file. It's part of your system's
Intel chipset drivers.

The best bet right now is to run the HiJackThis log and post it and let the
experts take a look at what you have on your system and advise you of what
you need to do to correct the problem. Let us know what you find out on
that.

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
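
Added example, not part of the thread and not one of the tools it names: a read-only PowerShell check of the three load points discussed above (the AppInit_DLLs value from the removal steps, the Winlogon\Notify entry questioned in this exchange, and Browser Helper Objects), listing for each DLL whether the file can be found, its company name and its signature status. It assumes Windows PowerShell 2.0 or later at an administrator prompt; the function names Resolve-DllPath and Get-DllFacts are made up for this example.

```powershell
# Added example: read-only triage of the DLL load points named in this thread.
# Nothing is modified or deleted. Run at an administrator PowerShell prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'

function Resolve-DllPath {
    param([string]$Name)
    # Entries may be quoted, use %SystemRoot%, or be bare file names.
    $p = [Environment]::ExpandEnvironmentVariables($Name.Trim().Trim('"'))
    # Bare names are looked up in System32, the folder the thread searches.
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $sys32 $p }
    return $p
}

function Get-DllFacts {
    param([string]$Source, [string]$Entry)
    $path  = Resolve-DllPath $Entry
    $facts = New-Object PSObject -Property @{
        Source = $Source; Entry = $Entry; Path = $path
        OnDisk = $false; Company = ''; Signature = ''
    }
    # -Force includes files carrying the hidden or system attribute.
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file) {
        $facts.OnDisk    = $true
        # CompanyName is self-declared version info; the signature is the stronger check.
        $facts.Company   = $file.VersionInfo.CompanyName
        $facts.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    return $facts
}

$results = @()

# 1. AppInit_DLLs: a single string whose entries are separated by spaces or commas.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($entry in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        $results += Get-DllFacts 'AppInit_DLLs' $entry
    }
}

# 2. Winlogon\Notify: each subkey names its DLL in a DLLName value.
#    The key is absent on Windows versions that no longer use it.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = $sub.GetValue('DLLName')
        if ($dll) { $results += Get-DllFacts "Notify\$($sub.PSChildName)" $dll }
    }
}

# 3. Browser Helper Objects: subkeys are CLSIDs; the DLL path is the default
#    value of that CLSID's InprocServer32 key.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName
        $srv   = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                     -ErrorAction SilentlyContinue
        if ($srv) {
            $dll = $srv.GetValue('')
            if ($dll) { $results += Get-DllFacts "BHO $clsid" $dll }
        }
    }
}

# Full listing, then only the rows that need a closer look before any deletion.
$results | Select-Object Source, Entry, OnDisk, Company, Signature, Path |
    Format-Table -AutoSize

$results | Where-Object { -not $_.OnDisk -or [string]$_.Signature -ne 'Valid' } |
    Select-Object Source, Entry, OnDisk, Signature |
    Format-Table -AutoSize
```

An AppInit_DLLs row with OnDisk = False corresponds to "the one you can't find" in the removal steps; a signature status other than Valid is a reason to look closer, not proof of infection.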
 
Jan Il

Hi cacdrc
> I think I found the file but I want to be sure before I run the script to
> delete it. This is what I see.
>
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
> INFECTION WARNING! "igfxcui\DLLName" = "igfxsrvc.dll" ["Intel Corporation"]
>
> Is the file I want to delete "igfxsrvc.dll"?????

Also, what program were you using to find this file? Was it one of the
scumware scan programs?

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Guest

I don't remember which program it was that found this file. I'm at work so I
don't have everything in front of me. But it was one of the ones you told me
to download & install.

I got a little confused by your instructions because I wasn't sure which
programs you wanted me to run in Safe Mode. So I downloaded all the programs
you had in your post and then I went to safe mode and ran all my anti-virus
programs, then the programs I had downloaded. The Registrar Lite program
didn't detect a value for the AppInit dll. When I double-clicked on it and
the box came up, the value field was blank. I ran the programs from Silent
Runner in the order you told me to anyway. I wasn't sure when to run About
Buster, so I ran it last. I think that's where I got the file (notepad) that
gave me the info I posted. I had a long list of processes running and it
indicated I had 2 infections on my PC. That was one of them. Don't remember
what the other one was but I think it was a legitimate record as well.

Whatever is on there is still attacking my home page, so I guess I haven't
resolved the problem yet. Don't know what else I can do. I do appreciate all
your help, though. :)

 
Jan Il

Hi cacdrc :)

Thank you for the additional information, it does help. You did right in
running all the programs and your AV in Safe Mode. That is the best method.

One more thing, did you create the HiJackThis log and post it in the AumHa
forum according to the instructions? I know that you can save it to the
folder on the desktop, then post it on the forum after you return to
normal mode. If you have, please let me know under what name it is and when
so that I can check on it, I'd like to see what the experts say about the
log and what they find. If you haven't done so yet, please do so from Safe
Mode, save the log, and then copy and post the log to the AumHa site I
provided as soon as possible. It may be the key to getting a hold of the
hijacker. Although the file you mentioned is a legitimate file, it
could have been altered, and we need to know by what if possible. It and a
few others may need to be cleaned or deleted and replaced to clean the
system. The experts at AumHa can tell you what is needed to be done.

Thank you for your help and patience. It is sometimes much harder to get
rid of the junk than it is to get it in the first place. You are doing a
great job on your end! :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

 
Guest

I saw where you wanted me to post the log file but I didn't know where. I
guess I overlooked that part when I was reading it. I'm not familiar with
AumHa. Is that a website? I saved the logfile so I can copy it wherever it
needs to go.

 
Jan Il

Hi cacdrc :)

Yes, it is a forum website, and like most forums, you will need to register.
You do not have to worry about your security, or being bombarded with spam,
so go ahead and register. Then on the main forum page, scroll down to the
section that says HiJackThis Logs. Click on that link and the section to
post your log will open. Click on the tab at the left-hand side of the page
above the list of topics that says new topic. Then fill in the information
about your problem and paste the log there. Be sure to let them know that
you have been here and were referred there to have your log read. Here is
the main page for you to register and find the HiJackThis section:
http://forum.aumha.org/

If you post back here and let me know when you have posted it, and under
what title and name, I will check on the process and help where I can. :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.



 
Guest

I registered at the website yesterday and as soon as I have time to visit
there I will post my log and ask for their help. I'm working late this week
so I haven't had time to do much else. I've been able to really clean up my
computer with your help and I really appreciate it!! I just hope I can find
whatever keeps attacking my IE settings. InterMute keeps sending me a message
that my settings have been changed but whenever I check them they're what
they're supposed to be. I have my home page locked now but I'm afraid if I
take the lock off I'll get that dang aflashcounter.com thing again!

 
Guest

A quick update ... I just found something I think might help others. The
trojan that directs your home page to www.aflashcounter.com is apparently
called Moo.B

http://mvps.org/winhelp2002/hosts.txt

I'm going to try adding this to my HOSTS file and see if it helps!

 
