ApoKalypse 1 Report post Posted December 23, 2006 nape benda ni leh kuar time aku masuk windows ??? sebelum ni takde pon... benda ni jadi lepas aku uninstall XPspypro n aku scan guna kaspersky dia detect virus so aku neutralize lah natang tu... pastu lepas restart kuar error tu... help me plss ~ Quote Share this post Link to post Share on other sites
ApoNie 0 Report post Posted December 23, 2006 cuba ko masuk kat registry -> start>regedit> cari sysDll32.dll tu.. lepas jumpa dia punya key, delete key tu.. tapi sebelum tu cuba ko backup dulu rgistry ko..harap membantu Quote Share this post Link to post Share on other sites
ApoKalypse 1 Report post Posted December 23, 2006 (edited) jumpa dah..tp nak backup registry camno tu??? Edited December 23, 2006 by ApoKalypse Quote Share this post Link to post Share on other sites
ApoNie 0 Report post Posted December 23, 2006 pi kat file>export.. pahtu save ahh ngan nama apa ponn... Quote Share this post Link to post Share on other sites
ApoKalypse 1 Report post Posted December 23, 2006 ok thanks...nanti aku reply kalo menjadi k Quote Share this post Link to post Share on other sites
Impreza_2004 0 Report post Posted December 23, 2006 From Symantec:Type: SpywareName: XPCSpy ProVersion: 2.25Publisher: X Software IncRisk Impact: LowFile Names: XPCSpyPro.exe; AppSpy.dll; IESpy.dll; KeySpy.dll; SysDll32.dll; Rx.exe; Systemout.exe; AppMon.dll; IEMon.dll; systemin.sysSystems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows XPBehavior: Spyware.XpcSpy is a spyware program that is used to secretly monitor other users by logging keystrokes and screen shots.Symptoms: Your Symantec program detects Spyware.XpcSpy.Transmission: This program must be manually installed.Spyware.XpcSpy can do the following: Log keystrokes 1) List all running programs 2) Log instant messenger conversations 3) Take periodic screen shots 4) Send the log files by email or FTPWhen Spyware.XpcSpy is executed, it performs the following actions:1) May create one or more of the following files:%ProgramFiles%\XSoftware\XPCSpyPro\XPCSpyPro.exe %ProgramFiles%\XSoftware\Working\XPCSpyPro.exe - This is the main spyware file. %ProgramFiles%\XSoftware\XPCSpyPro\AppSpy.dll %ProgramFiles%\XSoftware\XPCSpyPro\IESpy.dll %ProgramFiles%\XSoftware\XPCSpyPro\KeySpy.dll %ProgramFiles%\XSoftware\Working\AppMon.dll %ProgramFiles%\XSoftware\Working\IEMon.dll %ProgramFiles%\XSoftware\Working\KeyMon.dll %ProgramFiles%\XSoftware\Working\StartPrograms\HomePage.lnk %ProgramFiles%\XSoftware\Working\StartPrograms\Readme.lnk %ProgramFiles%\XSoftware\Working\StartPrograms\Run Me.lnk %ProgramFiles%\XSoftware\Working\StartPrograms\Uninstall Me.lnk %ProgramFiles%\XSoftware\Working\StartPrograms\User Manual.lnk %ProgramFiles%\XSoftware\Working\StartPrograms %ProgramFiles%\XSoftware\Working\AppHot.sup %ProgramFiles%\XSoftware\Working\bk.bmp %ProgramFiles%\XSoftware\Working\file_id.diz %ProgramFiles%\XSoftware\Working\IeHot.sup %ProgramFiles%\XSoftware\Working\license.txt %ProgramFiles%\XSoftware\Working\Manual.chm %ProgramFiles%\XSoftware\Working\Readme.txt %ProgramFiles%\XSoftware\Working\record.tdb %ProgramFiles%\XSoftware\Working\UnistInfo.ini %ProgramFiles%\XSoftware\Working\Web.url %ProgramFiles%\XSoftware\unins000.dat %ProgramFiles%\XSoftware\unins000.exe %System%\systemout.exe %System%\SysDll32.dll %System%\rx.exe %System%\wintft.dll %System%\drivers\systemin.sysNotes: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files. %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).2) May create one or more of the following folders:%ProgramFiles%\XSoftware %ProgramFiles%\XSoftware\Report %ProgramFiles%\XSoftware\Screenshots %ProgramFiles%\XSoftware\Working %ProgramFiles%\XSoftware\Working\tmp3) Adds one or more of the following registry keys:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA41EE62-B36A-4344-850C-9221073CF6B9}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppMon.TShellExecuteHookHKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEMon.IESpyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}4) Adds the following value:"System Check" = "Rundll32.exe SysDll32.dll,SystemCheck"to the following registry key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runso that the spyware runs when you start Windows.5) Add the following value:"ImagePath" = "%System%\systemout.exe"to the following registry key:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SystemOutServiceso that the spyware runs as a service when you start Windows.6) Logs all keystrokes, instant messenger conversations, and running programs; and takes periodic screen shots. The default log file path is %ProgramFiles%\XSoftware\Report.7) Sends out the log files and screen shots through email or FTP. The following is a general removal procedure. This spyware may include an uninstallation tool named Unins000.exe, along with Unins000.dat, both of which are located in the installation folder. The default installation folder is %Program Files%\XSoftware. Before you try to remove this spyware using the following instructions, we recommend that you try to uninstall it by using the provided uninstaller. To do this, browse to the %Program Files%\XSoftware folder, and if Unins000.exe is there, double-click Unins000.exe.The following instructions pertain to all Symantec antivirus products that support Security Risk detection:1) Update the definitions. 2) Restart the computer in Safe mode 3) Run a full system scan. 4) Delete the value that was added to the registry.For specific details on each of these steps, read the following instructions:1. To update the definitionsTo obtain the most recent definitions, start your Symantec program and run LiveUpdate.2. To restart the computer in Safe modeShut down the computer, and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document "How to start the computer in Safe Mode." 3. To run the scan -Start your Symantec antivirus program, and then run a full system scan.-If any files are detected as Spyware.XpcSpy, and depending on which software version you are using, you may see one or more of the following options:Note: This applies only to versions of Norton AntiVirus that support Security Risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Security Risk detection, and Security Risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions about this situation, contact your network administrator.-Exclude (not recommended)If you click this button, it will set the threat so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove it from your computer. -Ignore or SkipThis option tells the scanner to ignore the threat for this scan only. It will be detected again the next time that you run a scan.-CancelThis option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. The Cancel option tells the scanner to ignore the threat for this scan only, and thus the threat will be detected again the next time that you run a scan. To delete the security risk -Click its file name (under the Filename column). -In the Item Information box that appears, write down the full path and file name. -Use Windows Explorer to locate and delete the file. If Windows Explorer reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.-DeleteThis option attempts to delete the detected files. In some cases, the scanner will not be able to do this.To delete the security risk- If you see a message, "Delete Failed" (or similar message), manually delete the file. -Click the file name of the threat that is under the Filename column. -In the Item Information box that appears, write down the full path and file name. -Use Windows Explorer to locate and delete the file. If Windows Explorer reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.4. To delete the value from the registryImportant: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. For instructions, read the document "How to make a backup of the Windows registry."-Click Start > Run. -Type the following: regedit -Click OK. -Navigate to the following key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-In the right pane, delete the following value:"System Check" = "Rundll32.exe SysDll32.dll,SystemCheck"-Delete the following keys:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA41EE62-B36A-4344-850C-9221073CF6B9}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppMon.TShellExecuteHookHKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEMon.IESpyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA} Quote Share this post Link to post Share on other sites