Jump to content


Photo

Killed all but cashsearch


  • Please log in to reply
13 replies to this topic

#1 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 06:32 PM

Hi, and TIA. Really, TIA

I'm infected. I've run adaware 6.0, spybot SD, CWShredder, McAfee scan 4.x,
trojanhunter, and evidence eliminator to make sure everything really gets erased. I managed to get rid of the casino Palripoffo pop -up, and killed keylogger pro. I uninstalled Java VM, and even put on Opera 7.5 as my browser. Opera works well, but I still can't get it to open yahoo mail or a few other things. Opera doesn't get hijacked, but IEx still gets redirected, and I'd like it not to. I read the instructions and killed everything I dared w/ HJT. Please advise, before :techsupport: . I was getting an error fixing w/ HJT (as follows), but that doesn't happen now (included FYI)

An unexpected error has occured at procedure: modBackup_Makeup(sltem=016-DPF:
{11111111-1111-1111-111111111157}-ms-its:mhtml:file//c:nosuch.mht!http//cashsearch.biz/legal/x.chm::/load.exe)
Error#75-Path/File access error

Please email me at merijn@spywareinfo.com

when I tried to fix the file listed this error came up. It happened several times.
after a few more tries at fixing things this seems to have stopped though.
:wtf:

Here is the latest HJT log:


Logfile of HijackThis v1.97.7
Scan saved at 4:09:32 PM, on 5/31/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.exe
C:\WINNT\loadqm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\wininet32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Administrator\My Documents\downedexe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir1.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir1.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir1.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir1.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37545.823587963
O16 - DPF: {C3CCBC0D-D331-11D2-B2EA-004033A01719} (QKTransfer.QuicTransfer) - http://www.quicknowl.../QKTransfer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Can I disable wkcalrem, realsched, and loadqm from here also?
Is runwin32.exe malware?
wininet was not on the task manager processes before.

Thank you for any wisdom you can impart.
Don

#2 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 09:46 PM

I forgot...
I keep getting adaware telling me DSO Exploit returns after I try to remove it. And...I get something called hosts that appears in WINNT, and reappears as soon as I kill it...
Any help???
TIA
don

#3 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 01 June 2004 - 09:49 PM

:) Being your first post - I get the honour and privilege of welcoming you to our corner of the world where spyware has met it's match - Welcome.

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log

Please keep an eye on this message for a resolution shortly.

#4 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 01 June 2004 - 09:53 PM

Please copy the contents of the quote box to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Hit save as and give it the name clear.reg under the filename set file types to all files. Save it to the desktop. After you have completed that, double click the clear.reg file and when asked to merge say "Yes" and reboot.

Find this file system32.dll which is probably in either:
  • c:\windows\system32\system32.dll
  • c:\windows\system\system32.dll
... and delete it.

Then fix these with hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir1.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir1.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir1.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir1.php
O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe

The following are optional to delete as they are resource hogs:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Also - Your system is in a very serious need of updating ... Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative.

After you have done all updates, please post another HijackThis log for further analysis.

#5 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 02 June 2004 - 02:23 PM

I thank you for your kind welcome, and humbly await your sage advice.
d

#6 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 02 June 2004 - 03:01 PM

donm - The advice has already been posted just above your response
[URL=http://www.spywareinfoforum.com/index.php?act=ST&f=18&t=3911#[here[/url]. Please follow the steps to completeion.

#7 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 04 June 2004 - 10:27 AM

Ummm, yeah. Above. :huh: I promise, I do have most of my greay matter still intact. In fact, I is even a college grajeate. Cept'n they dinna learn me nuff computer stuff.

Sorry about that. I did most of what you suggested(except the Winupdate), and most of the malware seems dead. The problem now is my browsers don't work...
Neither IE5 nor Opera can connect. I can ping and get responses, so I know the computer is communicating w/ the DSL system. Opera mentions something about a proxy, and the properties in IE5 saythe path cannot be found, and mentions system32. I have eliminated system32.dll from the WINNT\system\ folder, as suggested, but I wonder if I somehow removed a vital part of the WIN2K pro internet systems? Thats why I couldn't complete the updates...no net access.
I have the HJT log and a copy of what IE5 tells me...at home :whistle: . Forgot to bring it to work w/ me. Can you offer any suggestions without it?? Again awaiting any help you can offer. I will post more info when I can. Thank you
d

#8 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 June 2004 - 11:53 AM

Removing system32.dll will not affect anything. The only thing I can think of - Can you check your network configuration i.e. from a command prompt type in "ipconfig /all" and let me know what the settings are - Copy it to notepad and savve it to a file. Are you running any kind of proxy software at home?

If you could include the HijackThis log as well, please do. Also - Be sure to power off your computer, power back on after a minute, as this will reset your network connection.

Edited by PGPhantom, 04 June 2004 - 11:53 AM.


#9 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 04 June 2004 - 06:07 PM

Hi, I'm not sure what proxy software I'd be running...how can I tell?
(and what is it-whats it do?)
In the HJT logs above there is mention of
R1 HKCU...proxyserver=127...
and
R1 HKCU...proxy override=local.
Is this correct?
I'll post more asap
thank you yet again,
d

#10 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 05 June 2004 - 12:23 AM

If it is a home computer, typically the only one connected via DSL or cable, you should not have a proxy set yp. Delete those proxy entries from HijackThis and let's see what happens.

#11 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 05 June 2004 - 02:36 PM

Here is some info, probably much more than needed, but better than not enough:

From IE 5.00

under properties tab

general

protocol: Unknown Protocol

Type: Not Available

Connection: Not Encrypted

Address: res://C:\WINNT\System32
(URL) \shdoclc.dll/dnserror.htm#http://yahoo.com/

Size: Not Available

Created: Not Available
Modified: Not Available



From Opera, I get this message when I try to connect:
box says:

Could not connect to proxy server. Access denied
http://www.yahoo.com

[OK]




I did a find file on the computer, searched for: proxy
and got this:

rpcomproxy dll c\programfiles\real\realplayer\rpplugins
jsproxy dl_ c\I386
ndproxy sy_ c\I386
rpcproxy dl_ c\I386
jsproxy dll c\winnt\system32
ksproxy AX "
ndproxy systemfile c:\winnt\system32\drivers
rpcproxy dll c:\temp\ext1656



As suggested, I did IPconfig and got:
command prompt:
ipconfig

Microsoft Windows 2000 [version 5.00.2195]
© Copyright 1985-2000 Ms Corp

C:\ipconfig
Ethernet adapter Local Area Connection
Connection-specific DNS Suffix . : comcast.net
IP Address . . . . . . . . . . . : 24.2.71.119
Subnet Mask . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . : 24.2.64.1

c:\>


Finally, the latest HJT log is:

Logfile of HijackThis v1.97.7
Scan saved at 8:04:36 PM, on 6/4/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\Explorer.exe
C:\WINNT\loadqm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\My Documents\downedexe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37545.823587963
O16 - DPF: {C3CCBC0D-D331-11D2-B2EA-004033A01719} (QKTransfer.QuicTransfer) - http://www.quicknowl.../QKTransfer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Again, Please help! I'm sure theres just some setting messed up (I hope) thats not allowing the browsers to hook up. Iknow the DSL is communicating w/ the computer, its just browser problems. But what?

I sincerely thank you for any help.
d

#12 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 05 June 2004 - 02:36 PM

Here is some info, probably much more than needed, but better than not enough:

From IE 5.00

under properties tab

general

protocol: Unknown Protocol

Type: Not Available

Connection: Not Encrypted

Address: res://C:\WINNT\System32
(URL) \shdoclc.dll/dnserror.htm#http://yahoo.com/

Size: Not Available

Created: Not Available
Modified: Not Available



From Opera, I get this message when I try to connect:
box says:

Could not connect to proxy server. Access denied
http://www.yahoo.com

[OK]




I did a find file on the computer, searched for: proxy
and got this:

rpcomproxy dll c\programfiles\real\realplayer\rpplugins
jsproxy dl_ c\I386
ndproxy sy_ c\I386
rpcproxy dl_ c\I386
jsproxy dll c\winnt\system32
ksproxy AX "
ndproxy systemfile c:\winnt\system32\drivers
rpcproxy dll c:\temp\ext1656



As suggested, I did IPconfig and got:
command prompt:
ipconfig

Microsoft Windows 2000 [version 5.00.2195]
© Copyright 1985-2000 Ms Corp

C:\ipconfig
Ethernet adapter Local Area Connection
Connection-specific DNS Suffix . : comcast.net
IP Address . . . . . . . . . . . : 24.2.71.119
Subnet Mask . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . : 24.2.64.1

c:\>


Finally, the latest HJT log is:

Logfile of HijackThis v1.97.7
Scan saved at 8:04:36 PM, on 6/4/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\Explorer.exe
C:\WINNT\loadqm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\My Documents\downedexe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37545.823587963
O16 - DPF: {C3CCBC0D-D331-11D2-B2EA-004033A01719} (QKTransfer.QuicTransfer) - http://www.quicknowl.../QKTransfer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Again, Please help! I'm sure theres just some setting messed up (I hope) thats not allowing the browsers to hook up. Iknow the DSL is communicating w/ the computer, its just browser problems. But what?

I sincerely thank you for any help.
d

#13 donm

donm

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 05 June 2004 - 02:39 PM

oops. sorry about the double. Man, I keep looking stupid on here :ugh:
but thanks
d

#14 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 06 June 2004 - 01:20 AM

Your log is pretty clean. In many cases I have seen the following entries cause a problem ...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

Delete them with HijackThis (If they end up being deleted, we can easily restore them from the backups).

Let me know if that resolves the issue...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button