Full Version: HELP: hjt log here; hijack to msn.com +other probs
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
apicomm
A sneaky pest here. I read the FAQ and followed these steps:
Ran SpyBot S&D and AdAware (with updated definitions): SpyBot removed DyFuCa, ISTbar, WhenU.ClockSync, VX2/f.
Ran CWShredder, which removed CWS.Yexe.
Ran Norton Anti-Virus (with updated definitions); added IE-SpyAd web pages to my restricted zone; installed Hijack This and Browser Hijack Blaster

The immediate symptoms were as follows: Pop-ups; my home page changed; a Lycos side-bar installed. CWShredder seemed to remove the problem, but a day later, I am back in trouble as homepage gets back to MSN. I also had problems syncing my clock application and my system clock reset to 2036. I got rid of the Lycos sidebar and manually fixed my system clock.

Today, I still have the following problems:
1- My homepage is still being hijacked to MSN (I use MYIE2 or IE6 as browsers, and both have the problem). Hijack Blaster catches this (it happens even when browser is not running) but cannot prevent it. Running CWBlaster had seemed to prevent the problem (I was able to set a home page) but today it is back and I cannot control my home page.
2- I get an error message upon reboot regarding c:/.../services/wmplayer.exe being missing but being in the registry (apparently I accidentally deleted this as it was marked malware, but no problems caused by this are apparent yet, other than the message)
3- Syncing my system clock with an internet server takes a very long time. Also, the alarm clock application on my system (which I have been using w/o problems for a year) can no longer sync with the internet. Computer stalls.

Any help would be greatly appreciated. Please please please!

My Hijack This log follows:

Logfile of HijackThis v1.97.7
Scan saved at 11:21:27 PM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\EXSHOW95.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Alarm Clock Deluxe\AlarmClockDeluxe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\TpChrSrv.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Ali Alpay\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O1 - Hosts: 130.91.162.210 post post.wharton.upenn.edu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Alarm Clock Deluxe] C:\Program Files\Alarm Clock Deluxe\AlarmClockDeluxe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ilqhutqd] C:\WINDOWS\ilqhutqd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Browser Hijack Blaster (no splash).lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.3088425926
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} - http://webcafe.wharton.upenn.edu/eRoomSetup/client.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D03F864-3616-406A-93CC-7C711816FEA1}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D03F864-3616-406A-93CC-7C711816FEA1}: NameServer = 151.197.0.38 151.197.0.39
CalamityJane
Hi apicomm

Am working my way up the list and have just now gotten to yours.

Give me a few minutes to analyze this and I'll be back with a response for you.

(Good job on the pre-cleaning BTW :thumb: - makes our job a lot easier)

BRB

Janie
CalamityJane
You had a Gaobot worm also.

Follow these instructions on this page (including making sure you have the Windows Critical Security Updates to prevent reinfection from the exploit this worm uses). You should actually check to make sure you have ALL the recommended Windows Updates here:

http://v4.windowsupdate.microsoft.com/en/default.asp

W32.HLLW.Gaobot.EF
http://securityresponse.symantec.com/avcen....gaobot.ef.html

That worm was the one trying to start up, NOT the valid Windows Media Player.

Using HijackThis, scan and place an x next to these items and press *fix checked*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe

O4 - HKLM\..\Run: [ilqhutqd] C:\WINDOWS\ilqhutqd.exe

O1 - Hosts: 130.91.162.210 post post.wharton.upenn.edu <---Did you add this entry to your hosts file? If not, let HJT *fix* it, otherwise you can leave it alone

...........................................................
Reboot your PC and delete this file named in bold (if found). Don't mistake it for the valid wmplayer.exe which is located in the Program Files folder. The *bad* one is located in the Services folder here:

C:\WINDOWS\System32\services\wmplayer.exe <--delete file (if found).

It is possible the file has already been deleted by a prior cleaning step and that entry in HJT was simply a leftover in the registry.

We need more information on this file as it looks very suspicious. Can you rightclick (only, do not leftclick) on it and tell us the properties and version info listed?

C:\WINDOWS\ilqhutqd.exe

I am not at all sure about your Alarm clock program. Is it adware of some sort and maybe Spybot fixing the WhenU.clock sync disabled it? I'm thinking if it is something you need to reinstall perhaps.
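To show how the entries Janie singled out are read, here is an added Python triage script (my own example, not HijackThis's or the forum's code). It parses a HijackThis log into its R/F/N/O entries and flags the same kinds of items she asked to have fixed; the sample log is a constructed subset of the first log posted above, and the random-filename rule for executables sitting directly in C:\WINDOWS is an assumed heuristic, not something HijackThis does.

```python
import re
from dataclasses import dataclass

# Constructed sample: header lines, one process line, and a subset of the
# entries from the first log in this thread, plus a few known-good entries
# (SpyBot's SDHelper, Norton's vptray, the Agere modem helper) for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O1 - Hosts: 130.91.162.210 post post.wharton.upenn.edu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ilqhutqd] C:\WINDOWS\ilqhutqd.exe
"""


@dataclass
class Entry:
    section: str  # e.g. "R0", "F1", "O4"
    body: str     # everything after "R0 - "


# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O2x).
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


def parse_hjt(log: str) -> list[Entry]:
    """Return the R/F/N/O entries of a log; header and process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def looks_random_windows_root_exe(path: str) -> bool:
    """Assumed heuristic: a lowercase, letters-only name of 6+ characters sitting
    directly in C:\\WINDOWS (not System32), like ilqhutqd.exe in the log above."""
    return re.match(r"^(?i:c:\\windows)\\([a-z]{6,})\.exe$", path) is not None


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (reason, entry body) pairs for entries that warrant a closer look.
    The rules mirror the reasoning in the reply above; they are a starting
    point for a human reviewer, not a verdict."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1"):
            # "Start Page =" (empty) and "SearchAssistant = about:blank" are
            # classic hijacker residue in the IE Main/Search keys.
            _, sep, value = e.body.partition(" =")
            if sep and value.strip() in ("", "about:blank"):
                findings.append(("IE setting blanked or pointed at about:blank", e.body))
        elif e.section == "R3" and e.body.endswith("(no file)"):
            findings.append(("URLSearchHook with no backing file (orphaned hook)", e.body))
        elif e.section == "F1" and "run=" in e.body:
            # win.ini run= is a legacy autostart that current software does not use.
            findings.append(("legacy win.ini run= autostart", e.body))
        elif e.section == "O1":
            findings.append(("hosts file override; confirm the user added it", e.body))
        elif e.section == "O4":
            m = re.match(r"^.*\] (.*)$", e.body)  # text after "[name] " is the command
            if m and looks_random_windows_root_exe(m.group(1)):
                findings.append(("random-looking executable in the Windows root", e.body))
    return findings


if __name__ == "__main__":
    for reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}:\n    {body}")
```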
CalamityJane
Forgot something.....

See the notice here about Browser HijackBlaster
http://www.wilderssecurity.net/bhblaster.html

QUOTE
Browser Hijack Blaster

It is recommended that potential users of Browser Hijack Blaster look at SpywareGuard instead. SpywareGuard's Browser Hijack Protection is very similar to that of Browser Hijack Blaster, but is much more advanced and will provide more protection. (SpywareGuard is also freeware.)


Here is a link to the free SpywareGuard (and its partner, SpywareBlaster). Did you also get SpywareBlaster?

SpywareBlaster
http://www.wilderssecurity.net/spywareblaster.html

SpywareBlaster protects you against ActiveX-based spyware (which is very prevalent these days) and SpywareGuard protects you against most of the rest.

http://www.wilderssecurity.net/spywareguard.html
apicomm
Thank you so much for your help!

I followed your steps. I am afraid the problem is much more serious than I imagined. Let me describe and wait to hear from you!

First, I had a scary experience. I had all Windows Updates; checked yesterday; also have auto-update. Yet when I went to the site, it told me I did not have SP1 and older updates. I had to install 5 critical ones. How were they removed? Scary.

With that in place, I removed the items you asked me to. A new log (after reboot) is below. The mysterious ilqhutqd.exe was also removed.

The mail host in the log is my school's host that I use.

There were no copies of wmplayer in the services folder. There are copies in:
c:\windows\ServicePackFiles\i386
c:\windows\RegisteredPackages\{B3C...
I did not touch these.

I did a clean reboot and the wmplayer message had gone away.

BTW, this morning before your post, I added a script to simplify designating trusted sites (my webmail pages). I moved everything to restricted zone by default. I also uninstalled the alarm clock application. You will see these below.

My browser's home page is blank now (as I want it to be), but I am scared that something is lurking there. My system performance and reboot also seems to be slower, and with windows patches disappearing and everything, I am quite afraid!

Please please help. And thank you soooo much!!

My log follows

Logfile of HijackThis v1.97.7
Scan saved at 3:10:05 PM, on 4/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\EXSHOW95.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Documents and Settings\Ali Alpay\Desktop\hijack\HijackThis.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O1 - Hosts: 130.91.162.210 post post.wharton.upenn.edu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Alarm Clock Deluxe] C:\Program Files\Alarm Clock Deluxe\AlarmClockDeluxe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Browser Hijack Blaster (no splash).lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To &Restricted Sites - C:\WINDOWS\web\add-restricted.htm
O8 - Extra context menu item: Add To &Trusted Sites - C:\WINDOWS\web\add-trusted.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Add To Restricted Sites (HKLM)
O9 - Extra button: Add To Trusted Sites (HKLM)
O9 - Extra button: Research (HKLM)
O15 - Trusted Zone: *.bay10.hotmail.msn.com
O15 - Trusted Zone: *.f415.mail.yahoo.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.hotmail.msn.com
O15 - Trusted Zone: *.upenn.edu
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.3088425926
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} - http://webcafe.wharton.upenn.edu/eRoomSetup/client.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
CalamityJane
Good news!

I think what you saw were the 5 new critical updates for WinXP just issued today by Microsoft

Microsoft Windows Security Bulletin Summary for April, 2004
http://www.microsoft.com/technet/security/...n/winapr04.mspx

When I went to Windows Update it said *Critical Updates and Service Packs*, so I'll bet that's what made you think you were missing SP1, but in reality the update was for SP1.
apicomm
I just went back to my install history on Windows Update, and you are right. It was an update for the service pack + 4 new installs

Everything feels clean now, except for slower system performance. BUT for the last two days, this trojan has been coming back every 12-24 hrs or so. I have Norton and SpywareGuard running. I am waiting to see if it will reappear tonight.

At this point, I'll just cross my fingers and wait for you to "clear" my latest log, posted after I removed the items you indicated.

Is that looking good?

Thank you so so much
CalamityJane
Looks clean to me :thumb:

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :). I think you already have done this but I will list it anyway for the benefit of anyone else reading this topic

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
apicomm
Thank you!! I removed the restore files as instructed.

Here is another problem that I discovered.

After this incident, I made Opera 7.23 the default browser. I went to change the theme on my desktop today. Under left-click-desktop>>"Themes" tab>>pull-down menu, there is an option for "More themes online..." This took me to the Microsoft website as expected, but with MYIE2 browser.

Now I clearly had removed MYIE2 as default browser, but it was the link browser somehow. I uninstalled MYIE2. Now, when I go to "more themes online..." nothing happens. No error message, no "searching" for browser, nothing.

I can click hyperlinks from e-mails or documents, and Opera pops up as it should. Yet this "Display Properties" window cannot call it.

Have I wrecked some connection inadvertently when fixing spyware?
CalamityJane
Goooood morning apicomm

I'm not familiar with either Opera or MYIE2. My expertise is really spotting malware and removing it from systems. Your browser options may have been affected by the spyware/hijacks, or something went wrong in the settings when setting up those additional browsers; I'm not sure. I don't know how to tell you to check your settings in those other browsers, so perhaps ask your question in our Browser forum; those folks who are knowledgeable in that area may be able to help you sort the problem :)

See the Browser forum below and start a new topic with a little background on the problem and I think someone will be along shortly to help :)

http://forum.gladiator-antivirus.com/index.php?showforum=126
apicomm
I will post a new topic there; thank you for the advice.

It has been a day since my last post, and things are working fine, and it looks like my computer is clean now. Yay!

THANK YOU SO MUCH FOR YOUR HELP

You are a star! I really appreciated your help and your time on this.
CalamityJane
:hug: You're very welcome. We are glad we could help :victory:

Since your issues seem to have been resolved, I'll go ahead and close this thread. For anyone else experiencing similar issues, please post a new topic of your own. :thx: