attacked by "Warning: spyware"

Status
Not open for further replies.

Kobe

My desktop has been changed into a message "Warning: Spyware", and I can't fix it. Below you find my HijackThis logfile. Can someone tell me what I should do?

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 15:56:40, on 26/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack this\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PSDrvCheck] "c:\program files\liquid.silver\program\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Echo Fire Server] "C:\Program Files\Synthetic Aperture\Echo Fire\Support\Echo Fire Server.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Kdu] C:\WINDOWS\Upt.exe
O4 - HKLM\..\Run: [Spr] C:\WINDOWS\System32\Spa.exe
O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\Auj.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{52DEABA4-071D-4AF9-A6C5-8FA9AA24FBB8}\SVCHOST.EXE
O4 - HKLM\..\Run: [Jla] C:\WINDOWS\System32\Cjv.exe
O4 - HKLM\..\Run: [Abe] C:\WINDOWS\System32\Cvq.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\System32\Jgm.exe
O4 - HKLM\..\Run: [Jek] C:\WINDOWS\Gcg.exe
O4 - HKLM\..\Run: [Tlm] C:\WINDOWS\System32\Gnr.exe
O4 - HKLM\..\Run: [Mav] C:\WINDOWS\Kth.exe
O4 - HKLM\..\Run: [Qoa] C:\WINDOWS\System32\Uld.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\Gng.exe
O4 - HKLM\..\Run: [Fcj] C:\WINDOWS\System32\Nee.exe
O4 - HKLM\..\Run: [Grg] C:\WINDOWS\Afg.exe
O4 - HKLM\..\Run: [Kmd] C:\WINDOWS\Vcr.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Nvf.exe
O4 - HKLM\..\Run: [Tem] C:\WINDOWS\Ken.exe
O4 - HKLM\..\Run: [Feq] C:\WINDOWS\System32\Amg.exe
O4 - HKLM\..\Run: [Ncf] C:\WINDOWS\Vlf.exe
O4 - HKLM\..\Run: [Rmp] C:\WINDOWS\Psq.exe
O4 - HKLM\..\Run: [Lce] C:\WINDOWS\Lno.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: IBM Internet Explorer Helper console - {6B07CF02-CF48-438E-BA4C-9F657A85B58B} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: IBM Internet Explorer Helper console - {6B07CF02-CF48-438E-BA4C-9F657A85B58B} - C:\WINDOWS\System32\iegfxfrw.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
I see you have norton ghost running.

Have you by chance a drive image to fall back on? If so, don't do it yet, but it will be one safety net for you.

This infection is currently one of the hard ones to remove.

The HJT log was taken a few days ago now; with reboots the file names would have probably changed.

When you post back, please do NOT turn your computer off or reboot; each time you do so gives the malware more chances to mutate.

Before you start get this killbox program.

Download Pocket Killbox and unzip it; save it to your Desktop.

A tutorial is provided here at this link on using killbox - read it first as it will help you understand what it will do.
http://forum.malwareremoval.com/viewtopic.php?t=320

=====================
Disable spysubtract before doing this fix.


  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake.

    Also any NEW O4 lines with file names of three characters - they will all be bad. They will need to be added to both the HJT fix and the file deletions:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [Kdu] C:\WINDOWS\Upt.exe
    O4 - HKLM\..\Run: [Spr] C:\WINDOWS\System32\Spa.exe
    O4 - HKLM\..\Run: [Aqp] C:\WINDOWS\Auj.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{52DEABA4-071D-4AF9-A6C5-8FA9AA24FBB8}\SVCHOST.EXE
    O4 - HKLM\..\Run: [Jla] C:\WINDOWS\System32\Cjv.exe
    O4 - HKLM\..\Run: [Abe] C:\WINDOWS\System32\Cvq.exe
    O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\System32\Jgm.exe
    O4 - HKLM\..\Run: [Jek] C:\WINDOWS\Gcg.exe
    O4 - HKLM\..\Run: [Tlm] C:\WINDOWS\System32\Gnr.exe
    O4 - HKLM\..\Run: [Mav] C:\WINDOWS\Kth.exe
    O4 - HKLM\..\Run: [Qoa] C:\WINDOWS\System32\Uld.exe
    O4 - HKLM\..\Run: [Ois] C:\WINDOWS\Gng.exe
    O4 - HKLM\..\Run: [Fcj] C:\WINDOWS\System32\Nee.exe
    O4 - HKLM\..\Run: [Grg] C:\WINDOWS\Afg.exe
    O4 - HKLM\..\Run: [Kmd] C:\WINDOWS\Vcr.exe
    O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Nvf.exe
    O4 - HKLM\..\Run: [Tem] C:\WINDOWS\Ken.exe
    O4 - HKLM\..\Run: [Feq] C:\WINDOWS\System32\Amg.exe
    O4 - HKLM\..\Run: [Ncf] C:\WINDOWS\Vlf.exe
    O4 - HKLM\..\Run: [Rmp] C:\WINDOWS\Psq.exe
    O4 - HKLM\..\Run: [Lce] C:\WINDOWS\Lno.exe
    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll


    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Killbox we are going to delete all those files, remember to add any new ones you fixed with HJT.

    Run it, and click the radio button that says Delete a file on reboot. For each of the files, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
    The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
    Let the system reboot.

    C:\WINDOWS\Upt.exe
    C:\WINDOWS\System32\Spa.exe
    C:\WINDOWS\Auj.exe
    C:\WINDOWS\System32\Services\{52DEABA4-071D-4AF9-A6C5-8FA9AA24FBB8}\SVCHOST.EXE
    C:\WINDOWS\System32\Cjv.exe
    C:\WINDOWS\System32\Cvq.exe
    C:\WINDOWS\System32\Jgm.exe
    C:\WINDOWS\Gcg.exe
    C:\WINDOWS\System32\Gnr.exe
    C:\WINDOWS\Kth.exe
    C:\WINDOWS\System32\Uld.exe
    C:\WINDOWS\Gng.exe
    C:\WINDOWS\System32\Nee.exe
    C:\WINDOWS\Afg.exe
    C:\WINDOWS\Vcr.exe
    C:\WINDOWS\System32\Nvf.exe
    C:\WINDOWS\Ken.exe
    C:\WINDOWS\System32\Amg.exe
    C:\WINDOWS\Vlf.exe
    C:\WINDOWS\Psq.exe
    C:\WINDOWS\Lno.exe
    C:\WINDOWS\SYSTEM32\drct16.dll


    Reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
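
The rule of thumb in the reply above (any new O4 line whose file name is three characters long belongs to this infection) can be checked mechanically by comparing a fresh HijackThis log with the earlier one. This is an added example, not part of the original thread; the function names are hypothetical, `EARLIER` is excerpted from the log above, and the `[Zzq]` entry in `FRESH` is constructed for illustration.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any OS

# Matches e.g.  O4 - HKLM\..\Run: [Kdu] C:\WINDOWS\Upt.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def executable_of(cmd):
    """Return the program path from a Run value, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_o4(log_text):
    """Map lower-cased executable path -> (Run value name, original path)."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe = executable_of(m.group("cmd"))
            entries[exe.lower()] = (m.group("name"), exe)
    return entries

def suspicious_o4(fresh_log, earlier_log=""):
    """List O4 Run entries with a three-letter file name; mark the new ones."""
    known = parse_o4(earlier_log)
    hits = []
    for key, (name, exe) in parse_o4(fresh_log).items():
        stem = splitext(basename(exe))[0]
        if len(stem) == 3 and stem.isalpha():
            hits.append({"name": name, "path": exe, "new": key not in known})
    return hits

# Excerpt of the log posted in this thread.
EARLIER = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Kdu] C:\WINDOWS\Upt.exe
O4 - HKLM\..\Run: [Spr] C:\WINDOWS\System32\Spa.exe
"""

# Constructed follow-up log: [Zzq] is an invented entry standing in for a
# file that appeared after a reboot.
FRESH = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Kdu] C:\WINDOWS\Upt.exe
O4 - HKLM\..\Run: [Zzq] C:\WINDOWS\System32\Qxv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
"""

if __name__ == "__main__":
    for hit in suspicious_o4(FRESH, EARLIER):
        print("NEW " if hit["new"] else "seen", hit["name"], hit["path"])
```

Hits are candidates for the HJT fix and the Killbox deletion list, not a verdict; a legitimate program with a three-letter file name would match too.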
 
Dear Chris,

Thanks a lot for your help. I must say I have been playing do-it-yourself surgeon already before I received your reply, based on some collected answers about similar problems to other people on the web - though never exactly the same. I was able to at least freeze the whole problem. Everything is gone and it doesn't seem to come back, except for one item: WINDOWS/system32/drct16.dll (see the attached HJT logfile under O20). The strange thing is that only HJT sees it; neither Explorer nor Killbox shows the file. Any idea?

Secondly, apart from the fact that nothing seems to happen anymore (no new files in O4, no desktop advertisement, no undemanded URL visits anymore as far as I see...) there is still one setup in my computer that it disturbed and that I wasn't able to fix yet:
Many other people who had this invader were capable of deleting the desktop advertisement by right mouse click at the very border of the screen to be able to go to the monitor window and change there the settings. It seems that on my computer some things got changed so that I am unable to do so. I could finally delete this advertisement from my desktop by deleting the files in WINDOWS, but still some of these changes in my settings remained:
- At first the right mouse click option doesn't work anymore on my desktop (only on the toolbar below I get a popup window)
- if I go to START > Control Panel > Display > Desktop, I cannot do any changes to choose the background, nor am I able to scroll over the items. The screen on the monitor icon above in the window previews a white desktop - probably it is referring to the html file called 'desktop' that came with the virus and that I deleted. That html file name is still shown as one of the possible backgrounds, though it is deleted. I cannot select any other background; the scroller is frozen. Nevertheless, my desktop shows the original color (green) I had before, as an alternative to the missing 'desktop' html file I suppose.
- Some other strange quality of my desktop: all my former shortcuts are gone on the desktop. That is because the desktop doesn't refer anymore to C:\documents & settings\"me"\desktop but to C:\desktop. When I install new shortcut icons, they appear double and I can only place two (doubled) icons. As soon as I add a third one, it replaces one of the others, as if the desktop has a limit of two (doubled) icons.
So there must be some strange settings from the virus still around. Any idea?

(I have Norton Ghost running now, but I didn't have a ghost backup before)

Thanks a lot
 

Attachment: hijackthis2.txt
also try this first:-

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix' into a folder.

Disconnect from the net and close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

Run CWShredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.
 
Thanks for your help. Still the problems didn't get fixed. Below you find both log files. SPSeHjFix didn't find any problem and so it didn't reboot. Also CWShredder couldn't find anything. I did an extra check with Hitman Pro. No result. Norton didn't find anything wrong either. Still HJT sees a drct16.dll file at the start up. I don't know if you recognize even more bad files in the log. The desktop problem I couldn't fix.


SPSeHjFix.log

(3/29/05 6:23:43) SPSeHjFix started v1.1.1
(3/29/05 6:23:43) OS: WinXP Service Pack 1 (5.1.2600)
(3/29/05 6:23:43) Language: nederlands
(3/29/05 6:24:04) Disinfection started
(3/29/05 6:24:04) Bad-Dll(IEP): (not found)
(3/29/05 6:24:04) Bad-Dll(IEP) in BHO: (not found)
(3/29/05 6:24:04) UBF: 5
(3/29/05 6:24:04) UBB: 0
(3/29/05 6:24:04) UBR: 13
(3/29/05 6:24:04) Bad IE-pages: (none)
(3/29/05 6:24:04) Stealth-String not found
(3/29/05 6:24:04) Not infected->END


Logfile of HijackThis v1.99.1
Scan saved at 7:19:19, on 29/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synthetic Aperture\Echo Fire\Support\Echo Fire Server.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PSDrvCheck] "c:\program files\liquid.silver\program\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Echo Fire Server] "C:\Program Files\Synthetic Aperture\Echo Fire\Support\Echo Fire Server.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Well, everything looks good except that O20 line.

Run HJT in safe mode.

Unload SpySubtract as it will try to stop this change.

Fix that O20 line in HJT.

Reboot and post back with a new HJT log.
 
Remove entries at your own risk


O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll Unknown

O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe" Unknown application.
 