Full Version: sick, need penicillin
jwolins
New to Gladiator and still a little green with my machine, like I'm not sure if "Coupons and Offers" and "HelpExpress" should be removed via Add/Remove. I tried to remove "Coupons and Offers" there and got a message that the "system could not execute the main, file could not be found". So is it there or not? Also, I run V-Com's Fix-It and it finds many viruses like LOLOWEB and RULEDOR and STARTPAGE and MENDWAR and TROJ_BROK and PEPER and SANDBOX and NOSEARCH and ISTBAR. I also run Ad-Aware and it only finds auto.search.msn.com\213.159 which it rates as a medium risk and cannot remove. I cannot search from IE. When I open it I only get http://searchpage.cc/1525/ but it still lets me navigate through my favorites. If I go to "Tools", then "Internet Options" and try to reset my home page it refuses to apply the change. I think I've attached the Notepad file of my scan log but I'm not sure. Can someone help? Thanks......



Edit by CalamityJane: attachment removed, wrong one
jwolins
I thought I attached my log with my last (first) entry...here it is.

Edit by CalamityJane: Attachment removed, I copied and pasted it in here instead

Logfile of HijackThis v1.97.7
Scan saved at 1:07:21 AM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\john wolins\Application Data\crhl.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\john wolins\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.weather.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
O2 - BHO: (no name) - {E0D960D9-DF74-4D60-B077-76AFF09B52BA} - C:\WINDOWS\System32\kbdhlela3.dll (file missing)
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: SuperBar - {4D15DF94-6232-4113-B22E-7BCD6BDF4B12} - C:\Program Files\_SUPERBAR\_SUPERBAR.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rawchyd] rundll32 C:\WINDOWS\System32:rawchyd.dll,Init 1
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKCU\..\Run: [Reaw] C:\Documents and Settings\john wolins\Application Data\crhl.exe
O4 - HKLM\..\RunOnce: [*rawchyd] rundll32 C:\WINDOWS\System32:rawchyd.dll,Init 1
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O13 - DefaultPrefix: http://www.nkvd.us/1525/
O13 - WWW Prefix: http://www.nkvd.us/1525/
O13 - Home Prefix: http://www.nkvd.us/1525/
O13 - Mosaic Prefix: http://www.nkvd.us/1525/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88ABADE2-40C7-4803-9636-1D6511101911}: NameServer = 151.197.0.38 151.197.0.39
CalamityJane
Hi jwolins and welcome!

I downloaded your log from your reply and then copy/pasted it in - that is much easier to work with :)

First, you have a CoolWebSearch hijacker and that needs a special (free) tool to remove it called CWShredder.
Download it here:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Just download it, and click on it (You will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*

Reboot your PC and Scan again with HijackThis. Post a new log back here so we can see what is left to deal with :)
jwolins
Thanks Calamity, I think CWShredder removed the CoolWebSearch hijacker BUT: The link you posted was redirected by the hijacker and I had to navigate through Google to the Spyware site and find the .exe file to download but it seems to have worked. I also installed Windows SP1 and adjusted my ActiveX controls but the HijackThis scan still found a bunch of stuff! And I must apologize for my inability to copy and paste the log file. The file is easy enough to copy but IE does not allow me to paste it here...! Can't figure it out yet.

Edit by CalamityJane to add contents of HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 10:18:54 PM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\john wolins\Application Data\crhl.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\john wolins\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1525/www.weather.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.weather.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
O2 - BHO: (no name) - {E0D960D9-DF74-4D60-B077-76AFF09B52BA} - C:\WINDOWS\System32\kbdhlela3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: SuperBar - {4D15DF94-6232-4113-B22E-7BCD6BDF4B12} - C:\Program Files\_SUPERBAR\_SUPERBAR.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rawchyd] rundll32 C:\WINDOWS\System32:rawchyd.dll,Init 1
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Reaw] C:\Documents and Settings\john wolins\Application Data\crhl.exe
O4 - HKLM\..\RunOnce: [*rawchyd] rundll32 C:\WINDOWS\System32:rawchyd.dll,Init 1
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O13 - Home Prefix: http://www.nkvd.us/1525/
O13 - Mosaic Prefix: http://www.nkvd.us/1525/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
Because you were redirected clicking my link it is probable some malware has placed some bad entries in your hosts file that causes you to not be able to visit or see certain security sites.

Please do a search on your PC for a file named: hosts (you want the one with no extension)

It is located in the folder listed for your Operating System:

Windows NT4/2000/XP/2003 c:\winnt\system32\drivers\etc directory.

Please open it up - Windows will pop up a dialogue box. Put a dot in the choose program option down at the bottom, and you can select a program to open it with (use Open with Notepad or Wordpad), and look at the entries inside. If you did not place them there yourself, please delete them (just the bad entries - not the whole hosts file). Most *bad* entries begin with: O1 - Hosts: 127.0.0.* (where * can be any number) and then a name of a security site

The list will look something like this:

O1 - Hosts: 127.0.0.0 localhost --(leave this entry)

(Delete the rest that may look like the following)

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
(etc, many more sites listed.)

If you are not sure what to do, copy and paste your hosts file entries here, and we will advise you which entries are safe to delete

Or, alternatively, there is also a program available to reset your Hosts file to the default used by Windows. Please note that this next instruction will replace any entries in that file - so if you have added entries yourself to the Hosts file, you will need to add them back after resetting your Hosts file with this method.


Download the Host FileReader from here: http://members.shaw.ca/techcd/VB_Projects/

Install the program and run it.

Double click on the Hosts file name in the bottom window.

Press 'Reset Default' and press 'OK'

Press 'Save Changes'

Exit the program; you should be able to access the sites you need.
...................................................
How to copy and paste

How to copy & paste from your log.

Put the mouse at the beginning of what you want to copy and click the left mouse button, holding it down while you drag over the section.

Drag across or down. At the end of what you want copied, let go of the mouse button.

What you want to copy should be highlighted!

(If you goof, click the mouse button once to unhighlight, then start over.)
While it's highlighted, hold down the Ctrl key and hit the letter "c". This copies the highlighted part to an invisible clipboard.

Now go to where you want to paste it. Put the cursor on that spot by clicking the left mouse button once. Now hold down the Ctrl key and hit the letter "v" to paste what you copied.

If you want to move text from one place to another, highlight the text then hold down the Ctrl key and hit the letter "x". Click on the place you want to move it to, hold down the Ctrl key and hit the letter "v" to paste it in the new place.
(This cuts it from the original place, copies it to the invisible clipboard and then pastes it in the new place.)

Ctrl + c = copy
Ctrl + v = paste

I will be out of town most of today. If no one gets a chance to review your log, I will do that as soon as I return (may be later this evening or first thing tomorrow) :)
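The manual hosts-file review described in the post above, as an added Python example that is not part of the original thread. The sample file is constructed from the redirect in the first HijackThis log plus the kind of blocking entries the post lists; the function name and the reason labels are assumptions of this example.

```python
import ipaddress

# Constructed sample hosts file: the redirect from the HijackThis log earlier
# in this thread plus the kind of blocking entries described in the post above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
213.159.117.235 auto.search.msn.com
127.0.0.1 www.symantec.com   # inline comment
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 mcafee.com www.mcafee.com
not-an-ip broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # names expected on loopback


def audit_hosts(text):
    """Return (line_no, address, name, reason) for each entry to review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed address"))
            continue
        # Loopback (127.x.x.x, ::1) or 0.0.0.0 makes the name unreachable.
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                if not sinkhole:
                    findings.append((line_no, address, name, "localhost remapped"))
                continue
            reason = "blocked" if sinkhole else "redirected"
            findings.append((line_no, address, name, reason))
    return findings


if __name__ == "__main__":
    for line_no, address, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name or '(none)'} -> {address} [{reason}]")
```

Every entry other than localhost is listed for review, because an entry the user added deliberately cannot be told apart from one written by malware.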
CalamityJane
Next, you need to download and clean with this free program as I'm sure it will find more junk on your PC.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)

Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

After downloading and installing, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Then scan once more with HijackThis and post a new log please so we can determine what may be left to be fixed. :)
jwolins
Hi Calamity, (may I call you Calamity...?)
Real Life had a hold on me for a while (I teach climbing.....) so I've just now updated and ran Adaware and I must say that it seems like it worked quite well, and quite easily too. Thanks again and now I'll try to cut and paste my log.
John
CalamityJane
Hi John,

Ok - we'll be here. Teaching climbing sounds like an exciting job :thumb:

You can call me whatever you like. Many people just call me CJ for short

Edit: Oops - here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:13:42 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.weather.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
O2 - BHO: (no name) - {E0D960D9-DF74-4D60-B077-76AFF09B52BA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: (no name) - {4D15DF94-6232-4113-B22E-7BCD6BDF4B12} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [rwncd] C:\WINDOWS\rwncd.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O13 - Mosaic Prefix: http://www.nkvd.us/1525/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
Ready? Let's roll!

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll

O2 - BHO: (no name) - {E0D960D9-DF74-4D60-B077-76AFF09B52BA} - (no file)

O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)

O3 - Toolbar: (no name) - {4D15DF94-6232-4113-B22E-7BCD6BDF4B12} - (no file)

O4 - HKLM\..\Run: [rwncd] C:\WINDOWS\rwncd.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O13 - Mosaic Prefix: http://www.nkvd.us/1525/
..................................
Reboot your pc

Then, I need to know more about a couple of files that were on your PC. Could you please find and attach your last Adaware log. It will most likely be located here:

C:\Program Files\Lavasoft\Ad-aware 6\Logs

Go to *My Computer* and navigate to the folders listed in the path above to get to the Logs folder for Adaware and find the log with the latest date :)
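A first-pass triage of HijackThis log lines, as an added Python example that is not part of the original thread and is not HijackThis's own logic. The sample lines are copied from the first log in this thread; the function name and the heuristics (orphaned BHO/toolbar registrations, a rundll32 autostart whose path contains an NTFS alternate data stream, an autostart from Application Data, one host written into several browser settings) are assumptions chosen to match what this thread's logs show.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines copied from the first HijackThis log in this thread (a subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.weather.com/
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SuperBar - {4D15DF94-6232-4113-B22E-7BCD6BDF4B12} - C:\Program Files\_SUPERBAR\_SUPERBAR.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rawchyd] rundll32 C:\WINDOWS\System32:rawchyd.dll,Init 1
O4 - HKCU\..\Run: [Reaw] C:\Documents and Settings\john wolins\Application Data\crhl.exe
O13 - DefaultPrefix: http://www.nkvd.us/1525/
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
URL = re.compile(r"https?://\S+")
# A drive path containing a second colon, e.g. C:\WINDOWS\System32:rawchyd.dll
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:"]*:[^\\\s,]+')


def triage(log_text, min_settings=3):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings, url_hosts = [], defaultdict(int)
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header, process list or blank line
        code, body = match.groups()
        lowered = body.lower()
        if code in ("R0", "R1", "O13"):
            url = URL.search(body)
            host = (urlsplit(url.group()).hostname or "") if url else ""
            if host:
                url_hosts[re.sub(r"^www\.", "", host)] += 1
        elif code == "O1":
            parts = body.split()  # "Hosts:", address, name
            if len(parts) >= 3:
                findings.append((code, "hosts file entry", " ".join(parts[1:3])))
        elif code in ("O2", "O3"):
            if "(no file)" in lowered or "(file missing)" in lowered:
                findings.append((code, "registration without a file on disk", body))
        elif code == "O4":
            if "rundll32" in lowered and ADS_PATH.search(body):
                findings.append((code, "rundll32 target in an alternate data stream", body))
            elif "\\application data\\" in lowered:
                findings.append((code, "autostart from Application Data", body))
    # One host written into many separate browser settings suggests a hijack.
    for host, count in url_hosts.items():
        if count >= min_settings:
            findings.append(("R/O13", f"{count} browser settings point at one host", host))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:6} {reason}: {detail}")
```

The output is a review list for a human helper, not a removal list: an orphaned registration can be a leftover of legitimate software.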
jwolins
Calamity:
Thanks for being so prompt. Those seven items seem to be gone now. Can I remove "Coupons and Offers" from add/remove programs since those other files are now gone??
Attached is latest Adaware log.
CalamityJane
Hi John,

Yes, you can remove it if it will let you. I think the program that was there is gone so it may not remove itself from the add/remove programs list. Let me know what happens when you try it.

Your adaware log looks good :thumb:

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
http://v4.windowsupdate.microsoft.com/en/default.asp