# How to get to HKEY



## sunny99 (Jun 30, 2004)

I found a lot of spyware on my computer and saw that they were all located in an HKEY directory. I don't know anything about this, but I can't get to the files. How can I get to them? I have Windows XP. If I can't get to them, is there a way I can delete these programs from there? I already deleted them and uninstalled them, but they still show up. Thanks.


----------



## telecom69 (Oct 12, 2001)

Editing the registry is not to be taken lightly; can you post more about what these files are that you want to get rid of?


----------



## dai (Mar 7, 2003)

Run:
antivirus
Ad-aware
Spybot
CWShredder
HijackThis: save it to its own folder, then run it and post the log in the Security forum for one of the experts to advise on what to do with it.
Before manually editing the registry, use a registry cleaner; it is a lot safer.
You can download the programs here:
http://www.spywareinfo.com/downloads.php?cat=all


----------



## JohnWill (Oct 19, 2002)

HKEY is a registry section, not to be edited lightly. Are you sure you know what you're trying to do? Please be more specific as to where the programs "show up"; perhaps we can be of more help.


----------



## sunny99 (Jun 30, 2004)

The spyware that I found there was: DyFuCA, 180solutions, Blnet, Cydoor, Gater, GlobalNetcom, ISTBar, Minibug, XXXToolbar, and Lycos Sidesearch. I found them by using SpyHunter, but I don't have the full version, so it won't delete the programs for me.

The programs give me pop-ups and change the sites that Google gives me when I do a search. They slow down my internet and change error sites.


----------



## Pacalis (Sep 8, 2003)

Hello Sunny; if you want to, run the TWO online virus scans at the bottom of this post. Then run CWShredder on "Fix"; next, download, UPDATE and run both Ad-aware and Spybot. Ad-aware: remove everything it finds. Spybot: only the items in "RED". Then please run HijackThis, place it in its own folder, make no changes, and post it in the appropriate forum. All links needed are provided below.

OOPS! Sorry *Dai*, I missed your post.


----------



## JohnWill (Oct 19, 2002)

You're getting good advice here; leave REGEDIT in its barn and do this the less painful way.


----------



## billyboy444 (Jul 4, 2004)

To alter HKEY folders, click Start, click Run, type REGEDIT, then click OK and you're there. Not much sense in changing the Explorer start page and default page, though, as the Trojan has a backup file that changes them back when Explorer is opened.


----------



## JohnWill (Oct 19, 2002)

Advising a novice to start deleting keys with REGEDIT is bad advice; it's too easy to render your system inert that way.


----------



## billyboy444 (Jul 4, 2004)

Just updated AVG antivirus and Ad-aware, then ran both. Now my homepage is back to normal, no more CoolSearch or whatever, at least for the time being.


----------



## cybertech (Apr 16, 2002)

sunny99, Welcome to TSG!!

Make a folder on your hard drive, like My Documents\HJT.
Download HijackThis.
Unzip the file to the folder on your hard drive.

Double-click on HijackThis.exe, then click on the "Scan" button, then click on "Save Log".

Copy and paste it back here; make a new thread in the Security Forum, and someone will be happy to review it for you.

*Don't make any changes until instructed to do so.*


----------



## lysral (Jul 31, 2004)

Hey 

Now I have done all the things above. Here is my log file! What do I have to do next?

/Lars


----------



## cybertech (Apr 16, 2002)

I can't find anything that tells what this file is: C:\WINDOWS\System32\*PRISMSTA.EXE*

Can you navigate to the file, right-click, select Properties, then the Version tab, and report back on the Item name and Value fields?


----------



## cybertech (Apr 16, 2002)

Click on the link below to download CWshredder.
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Run the program and let it do its thing. Make sure to click on *"Fix"* and not scan only.

Reboot.

Download Spybot http://www.spybot.us/spybotsd13.exe

*Click on "Search For updates" when prompted.*

Scan, then click on "Fix problems".

*Reboot*

Download AdAware http://www.lavasoftusa.com/support/download/

*Before you scan with AdAware, check for updates of the reference file by clicking on "Check for updates now", connect. After the updates are installed click "Finish".*

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on "Check for updates now" and download the latest reference files.

Make sure the following settings are made and on (ON = GREEN):

From the main window: click Start, then "Activate in-depth scan (recommended)".

Click "Use custom scanning options", then click Customize and have these options selected: under Drives and Folders, put a check by "Scan within archives", and below that, under Memory and Registry, put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning Engine, select "Unload recognized processes during scanning". Under Cleaning Engine, select "Let Windows remove files in use at next reboot".

Click Proceed to save your settings.

Now, to scan, just click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose "Select all" from the drop-down menu, and click Next.)

Restart your computer.

Reboot and post another HJT log for review.


----------



## lysral (Jul 31, 2004)

Hi cybertech!

Thanks for your answer. I have just come home from work; the clock is 3 am here in Denmark. I'll follow your advice in the morning. Thanks!

Lars


----------



## lysral (Jul 31, 2004)

Hi!

Now I have done that, so here is my new log!

/Lars


----------



## lysral (Jul 31, 2004)

Hi

This time I'll attach the file as well.


----------



## lysral (Jul 31, 2004)

Hi again!

Here is the info on the file! I don't know what it is for!

/Lars


----------



## cybertech (Apr 16, 2002)

Here's the HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 13:54:18, on 02-08-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Generic\USB Card Reader Driver v1.9\Disk_Monitor.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Power Management\PwrGui.exe
C:\WINDOWS\System32\PRISMSTA.EXE
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programmer\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ICQ\ICQ.exe
C:\Documents and Settings\Lars Thulstrup\Dokumenter\DirectX9\HijackThis\HijackThis.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\acggcaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\acggcaa.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Documents and Settings\Lars Thulstrup\Dokumenter\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disk Monitor] C:\Programmer\Generic\USB Card Reader Driver v1.9\Disk_Monitor.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PowerManagement] C:\Programmer\Power Management\PwrGui.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programmer\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Programmer\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\googlenav.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmer\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmer\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab

Thanks for providing the info on PRISMSTA; it appears to be a legitimate company.


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\acggcaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\acggcaa.dll/sp.html (obfuscated)

*Close all applications and browser windows before you click "fix checked".*

Go to Internet Options, Programs.
Click the "Reset Web Settings" button to reset your home and search pages.


----------
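The two things the reviewer in this thread acted on are the two checks a practitioner runs first on a HijackThis log: R0/R1 entries whose search or start page has been pointed at a `res://` path inside a local DLL (the entries cybertech told the poster to fix), and O4 Run-key entries that name an executable without a path, such as `PRISMSTA.EXE START`, where the log alone does not say which file on disk actually runs (the question cybertech had to resolve by hand via the file's Properties). The script below is an added example, not HijackThis itself and not code from anyone in this thread. It works on a constructed excerpt of the log posted above (`SAMPLE_LOG`, a subset of the real entries plus the few process-list lines needed), marks the `res://` hijack for fixing, and resolves bare O4 names against the "Running processes" section so the reviewer sees the path the binary is currently running from; the severity labels "fix" and "review" are the example's own convention, not HijackThis output.

```python
"""Triage a HijackThis-style log for the hijack patterns discussed in this
thread.  Added example: not HijackThis itself, and not code from the thread."""
import re
from dataclasses import dataclass

# Constructed excerpt of the log posted above (not the complete log).  The
# process list is included so bare Run-key names can be resolved to a path.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PRISMSTA.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Lavasoft\Ad-aware 6\Ad-watch.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\acggcaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\acggcaa.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad-watch] "C:\Programmer\Lavasoft\Ad-aware 6\Ad-watch.exe"
"""

# R0/R1: Internet Explorer start/search page values.  O4: Run-key autostarts.
R_LINE = re.compile(r"^(R[01]) - (HK[CL][UM])\\(.+?),(\w+) = (.*)$")
O4_LINE = re.compile(r"^O4 - (HK[CL][UM])\\\.\.\\Run: \[(.+?)\] (.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "R1" or "O4"
    item: str      # registry location or Run-key name as HJT prints it
    value: str     # the value or command line found there
    severity: str  # "fix": known hijack pattern; "review": needs verification
    reason: str


def executable_of(command: str) -> str:
    """Return the executable part of a Run-key command line.

    A quoted path ends at the closing quote; otherwise the first
    whitespace-delimited token is the executable.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text: str) -> list[Finding]:
    """Parse an HJT log and return the entries a reviewer should act on."""
    processes: dict[str, str] = {}   # lower-case basename -> full path
    in_process_list = False
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_process_list = True
            continue
        if in_process_list:
            if not line:                      # blank line ends the section
                in_process_list = False
                continue
            processes.setdefault(line.rsplit("\\", 1)[-1].lower(), line)
            continue
        m = R_LINE.match(line)
        if m:
            section, hive, key, name, value = m.groups()
            # IE's own defaults are http:// URLs or about:blank.  A res://
            # pointer into a local DLL is the search/start-page hijack this
            # thread is dealing with, and HJT itself marks it "(obfuscated)".
            if value.lower().startswith("res://") or "(obfuscated)" in value:
                findings.append(Finding(section, f"{hive}\\{key},{name}", value, "fix",
                                        "IE search/start page redirected into a local DLL resource"))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = executable_of(command)
            if "\\" in exe:
                continue  # full path given: verify that file, not the entry
            # A bare name is resolved through the search path at logon, so the
            # log alone does not say which file runs.  Resolve it against the
            # process list, as was done by hand for PRISMSTA.EXE above.
            running = processes.get(exe.lower())
            reason = (f"bare executable name; currently running as {running}" if running
                      else "bare executable name; not in the process list, locate the file before deciding")
            findings.append(Finding("O4", f"{hive}\\..\\Run: [{name}]", command, "review", reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.item} -> {f.reason}")
```

On the excerpt above this reports the two `SearchAssistant` entries as "fix" and three O4 entries as "review": `PRISMSTA.EXE` and `SOUNDMAN.EXE` are resolved to the paths they are running from, while `nwiz.exe` is not in the process list and has to be located on disk first. The quoted `Ad-watch.exe` entry and the harmless `LinksFolderName` value are left alone, which is the point: the registry keys themselves are not the problem, only specific values in them, and a parser like this narrows the manual review to those instead of sending a novice into REGEDIT.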

