# Solved: IE proxy settings keep changing



## Timadams (Mar 21, 2005)

Please can anyone offer advice?

My 13 yr old daughter runs a Dell laptop running Windows ME and IE v6.0.2800.1106IC.

Never can really be sure where a 13 year old ends up browsing but just lately the broadband connection has stopped allowing internet access. Her outlook email still continued to gain access and work OK - it is just the internet access on IE and for every web address it reports "page cannot be found".

I have compared her connection settings with mine and the problem seems to be that something is changing her proxy settings.

From the tools >> internet options >> connections >> broadband path, I notice that the problem develops when something has enabled the "Use proxy server for this connection" option which is checked and points to some proxy. The moment I unset this setting everything is fine again but every once in a while something has the rights to re-enable this proxy setting.

She has up to date Norton Anti virus and no viruses are being reported nor any Adware problems when I run Ad Aware SE.

Any ideas please? What might I do in the IE security settings to increase her protections and to deny whatever is doing this from gaining the power over the system to make IE changes?

She has no firewall.

Thanks for your help

Tim


----------



## Flrman1 (Jul 26, 2002)

* *Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double-click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Timadams (Mar 21, 2005)

Thanks Fireman

I had Hijack this from help you gave me in Jan 2005

Here is the log:
Logfile of HijackThis v1.99.0
Scan saved at 08:12:36, on 02/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADTRAY.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\INTEL\DSLSETUP\PRODSL.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BIN\BTSTART.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BTSTACKSERVER.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\INTEL\DSLSetup\ProDsl.exe /P
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [CPortPatch] C:\WINDOWS\Quick Install\CPPatch.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [BtStart] C:\Program Files\Belkin\Bluetooth Software\bin\btstart.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvcRes.dll
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell.com/countries/uk/enu/gen/default.htm (file missing) (HKCU)
O12 - Plugin for .ply: C:\PROGRA~1\INTERN~1\PLUGINS\npPetz.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.evertonfc.com
O15 - Trusted Zone: http://radio.disney.go.com
O15 - Trusted Zone: http://www.everythinggirl.com
O15 - Trusted Zone: http://myscene.everythinggirl.com
O15 - Trusted Zone: http://barbie.everythinggirl.com
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52C1623-3D3E-45EE-9581-B7D68EDB0728} (HiperLoader Control) - http://plugin.hipermedia.co.uk/hiper.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\SYSTEM\BTXPPANEL.DLL


----------



## Timadams (Mar 21, 2005)

Dear Fireman

I ran a full scan of Ad Aware this morning as well as the above and it has found the "Claria" threat on the system.

The proxy settings are going to http://66.230.143.156

It did not find this yesterday but I did upload new definitions this morning for Ad Aware SE

Thank you for all your help - you guys deserve every donation we give you.

Tim


----------



## Flrman1 (Jul 26, 2002)

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. 
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*
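A follow-up log is most useful when compared with the earlier one. The sketch below is an added example (not part of the original thread and not HijackThis's own code) that diffs two logs by running process and by section entry. The sample logs are shortened excerpts of the ones posted in this thread, and the `ProxyServer` line in the second is constructed for illustration.

```python
import re
from collections import defaultdict

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([A-Z])(\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return (processes, entries) for one HijackThis log.

    processes: set of upper-cased paths from the "Running processes:" block
    entries:   {(letter, number): set of entry bodies}, e.g. ("O", 16)
    """
    processes = set()
    entries = defaultdict(set)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            section = (match.group(1), int(match.group(2)))
            entries[section].add(match.group(3))
        elif in_processes:
            # Win9x paths are case-insensitive, so normalise before comparing.
            processes.add(line.upper())
    return processes, entries


def diff_logs(old_text, new_text):
    """Compare two logs and report what appeared or disappeared."""
    old_procs, old_entries = parse_hjt(old_text)
    new_procs, new_entries = parse_hjt(new_text)
    added, removed = [], []
    for section in sorted(set(old_entries) | set(new_entries)):
        label = "%s%d" % section
        old_set = old_entries.get(section, set())
        new_set = new_entries.get(section, set())
        added += ["%s - %s" % (label, e) for e in sorted(new_set - old_set)]
        removed += ["%s - %s" % (label, e) for e in sorted(old_set - new_set)]
    return {
        "processes_added": sorted(new_procs - old_procs),
        "processes_removed": sorted(old_procs - new_procs),
        "entries_added": added,
        "entries_removed": removed,
    }


# Shortened excerpt of the first log in this thread.
OLD_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 08:12:36, on 02/11/2005

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
"""

# Shortened excerpt of the second log; the R1 ProxyServer line is constructed
# to show how a re-enabled proxy would surface in the diff.
NEW_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 22:39:46, on 03/11/2005

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://66.230.143.156
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
"""

if __name__ == "__main__":
    for key, values in diff_logs(OLD_LOG, NEW_LOG).items():
        print(key)
        for value in values:
            print("   ", value)
```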


----------



## Timadams (Mar 21, 2005)

Dear Fireman

I ran Active Scan and it found loads of things; it did not disinfect any of them but at the end gave me no options to have them deleted. Here is the report from Active Scan - do I assume that all the problems are still resident on the laptop? Do I have to delete each one individually using "My Computer"?

Active scan report.......

Incident Status Location

Dialer:Dialer.Gen No disinfected C:\WINDOWS\SYSTEM\HotAction_gb-uninstall.exe
Dialer:Dialer.YC No disinfected C:\WINDOWS\INF\nsupd9x.inf
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.inf 
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF 
Dialer:Dialer.YC No disinfected C:\WINDOWS\Downloaded Program Files\NSupd9x.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll 
Adware:adware/quicksearch No disinfected C:\WINDOWS\Downloaded Program Files\install.inf 
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll 
Adware:adware/sahagent No disinfected C:\WINDOWS\Downloaded Program Files\sporder_.dll 
Dialer:Dialer.Gen No disinfected C:\_RESTORE\ARCHIVE\FS875.CAB[A0112144.CPY]
Dialer:Dialer.Gen No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113306.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113368.CPY] 
Dialer:Dialer.Gen No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113369.CPY]
Dialer:Dialer.Gen No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113370.CPY]
Dialer:Dialer.Gen No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113371.CPY]
Dialer:Dialer.BO No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113372.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113373.CPY] 
Dialer:Dialer.Gen No disinfected C:\_RESTORE\ARCHIVE\FS883.CAB[A0113374.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\ARCHIVE\FS1248.CAB[A0218424.CPY] 
Adware:Adware/Comet No disinfected C:\_RESTORE\ARCHIVE\FS1272.CAB[A0224188.CPY] 
Adware:Adware/Comet  No disinfected C:\_RESTORE\ARCHIVE\FS1223.CAB[A0210325.CPY] 
Adware:Adware/Comet No disinfected C:\_RESTORE\ARCHIVE\FS1241.CAB[A0217718.CPY] 
Adware:Adware/IPInsight No disinfected C:\_RESTORE\ARCHIVE\FS1244.CAB[A0218166.CPY] 
Dialer:Dialer.DK No disinfected C:\_RESTORE\ARCHIVE\FS1281.CAB[A0225484.CPY]
Adware:Adware/Twain-Tech No disinfected C:\_RESTORE\ARCHIVE\FS1281.CAB[A0225490.CPY] 
Adware:Adware/Comet No disinfected C:\_RESTORE\ARCHIVE\FS1284.CAB[A0225778.CPY] 
Adware:Adware/Comet No disinfected C:\_RESTORE\ARCHIVE\FS1284.CAB[A0225779.CPY] 
Adware:Adware/IPInsight No disinfected C:\_RESTORE\ARCHIVE\FS1284.CAB[A0225785.CPY] 
Adware:Adware/IPInsight No disinfected C:\_RESTORE\ARCHIVE\FS1284.CAB[A0225786.CPY] 
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1413.CAB[W0377979.CPY]
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261283.CPY]
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261284.CPY]
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261285.CPY]
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261286.CPY]
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261287.CPY] 
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261288.CPY] 
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261289.CPY]
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261292.CPY] 
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261294.CPY] 
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261295.CPY][exdl.exe] 
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261295.CPY][mqexdlm.srg] 
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261295.CPY][exul.exe] 
Adware:Adware/Exact.SearchBar No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261295.CPY][javexulm.vxd] 
Adware:Adware/Exact.BargainBuddy No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261295.CPY][msexreg.exe]
Hacktool:HackTool/SRunner.B No disinfected C:\_RESTORE\ARCHIVE\FS1415.CAB[A0261295.CPY][instsrv.exe] 
Adware:Adware/SAHAgent No disinfected C:\_RESTORE\ARCHIVE\FS6970.CAB[A0291351.CPY] 
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS8290.CAB[A0338042.CPY]


----------



## Timadams (Mar 21, 2005)

Fireman

I notice that quite a lot of the problem files are supposed to be located in folder: c:\_restore\archive but when I look for this subfolder it does not exist. I have my settings to show hidden folders and files. The only files in my folder c:\_restore are:

DISKCFG.DAT 1kb
SRDISKID.DAT 1kb
VxDMon.cfg 1Kb
VxDMon.dat 61kb

Nothing else is visible and there are NO sub folders


Can I turn off "system restore" option because I never use it and the c: drive spends its life constantly rattling and performing read/writes (the system runs very slowly - or is this due to the malicious spyware, etc)?

Thanks Tim


----------



## Knotbored (Jun 5, 2004)

Tim, turning the restore off/on is well hidden in WinME. I suggest you turn it off-restart computer-turn it back on-restart computer again (this clears out the trash.)

To accomplish this in WinME:
start/settings/control panel/system/performance/file system/troubleshooting/disable system restore check it
restart-then do the same thing and uncheck it.
I have found several trojans hide in the -restore folder and windows seems to use the restore function sometimes without alerting me, but I think it should remain on just in case I have some catastrophic ailment on the pc.


----------



## Flrman1 (Jul 26, 2002)

Turning off System restore to clear all restore points is the very last thing I advise doing after a machine is clean. I want to leave all restore points intact just in case something goes wrong during cleaning. You never know when it might be needed.


----------



## Flrman1 (Jul 26, 2002)

* Download Cleanup from *Here*

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Click the *Options...* button on the right. 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Cleanup! All Users 
Click *OK* 
 *DO NOT RUN IT YET*

* *Click Here* and download Killbox and save it to your desktop.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM\HotAction_gb-uninstall.exe

C:\WINDOWS\INF\nsupd9x.inf

C:\WINDOWS\INF\dm.inf

C:\WINDOWS\INF\ALCHEM.INF

C:\WINDOWS\Downloaded Program Files\NSupd9x.inf

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll

C:\WINDOWS\Downloaded Program Files\install.inf

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll

C:\WINDOWS\Downloaded Program Files\sporder_.dll

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## Timadams (Mar 21, 2005)

Thanks Firman

It may be 24 hours before I get back to you as I am away all day tomorrow

Will note your advice and get back to you


----------



## Flrman1 (Jul 26, 2002)

OK. Once that is done, I want to get rid of some of those apps you have loading at startup.


----------



## Timadams (Mar 21, 2005)

Dear Firman

Please can I ask one question before I work on your latest instructions.

There appears to be something not quite right with recycle bin. The recycle bin icon on the desktop claims that it is empty but when I try this method -

My Computer
C: drive <<right click>>
properties
disk clean up

The system reports that there is 6.3 Mb of data in the re-cycle bin
When I say "OK" and "It is OK to delete the files"

The system returns as completed but when I perform the same tasks as above again the system still reports that there is 6.3 Mb of data in the recycle bin.

Can I also let you know that when I run scan disk and Norton Systemworks Windoctor and diskdoctor - nothing seems to find any errors on the system configuration.

Do you think that your request to run Custom Cleanup might run into problems please?


----------



## Flrman1 (Jul 26, 2002)

Timadams said:


> Do you think that your request to run Custom Cleanup might run into problems please?


I doubt it. It's not going to hurt anything.


----------



## Timadams (Mar 21, 2005)

Dear Firman

I have finished the tasks you set me.

All went well without incident. Just one strange event,
Cleanup reported one error whilst running that stated:

"cannot delete ___________ : Cannot find the specified file. Make sure you specify the correct path & filename."

but otherwise it seemed to do things and clean up ok.

Here is the result of the House clean log. It found a virus and 3 spywares. I cleaned the virus and 2 of the spywares but one remains.

Also following is a re run of Hijack this.

Thanks.

First Trend Micro House call log........

Trend Micro Housecall

Virus Scan: 0 virus cleaned, 1 virus deleted

Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

| Detected File | Associated Virus Name | Action Taken |
| --- | --- | --- |
| C:\WINDOWS\Application Data\Microsoft\Internet Explorer\V0.15.dat | TROJ_DIALUI.B | Deletion successful |

Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

| Trojan/Worm Name | Trojan/Worm Type | Action Taken |
| --- | --- | --- |

Spyware Check: 1 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 3 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 1 spyware(s) passed, 0 spyware(s) no action available
- 1 spyware(s) removed, 1 spyware(s) unremovable

| Spyware Name | Spyware Type | Action Taken |
| --- | --- | --- |
| DIAL_EXEXNOT.A | Dialer | Unremovable |
| SPYW_COMSOFT.A | Spyware | Removal successful |
| COOKIE_3182 | Cookie | Pass |

Microsoft Vulnerability Check: No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.

| Risk Level | Issue | How to Fix |
| --- | --- | --- |

Now the hijack this log.....

Logfile of HijackThis v1.99.0
Scan saved at 22:39:46, on 03/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADTRAY.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\INTEL\DSLSETUP\PRODSL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BIN\BTSTART.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BTSTACKSERVER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\INTEL\DSLSetup\ProDsl.exe /P
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [CPortPatch] C:\WINDOWS\Quick Install\CPPatch.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [BtStart] C:\Program Files\Belkin\Bluetooth Software\bin\btstart.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvcRes.dll
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell.com/countries/uk/enu/gen/default.htm (file missing) (HKCU)
O12 - Plugin for .ply: C:\PROGRA~1\INTERN~1\PLUGINS\npPetz.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.evertonfc.com
O15 - Trusted Zone: http://radio.disney.go.com
O15 - Trusted Zone: http://www.everythinggirl.com
O15 - Trusted Zone: http://myscene.everythinggirl.com
O15 - Trusted Zone: http://barbie.everythinggirl.com
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52C1623-3D3E-45EE-9581-B7D68EDB0728} (HiperLoader Control) - http://plugin.hipermedia.co.uk/hiper.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\SYSTEM\BTXPPANEL.DLL


----------



## Flrman1 (Jul 26, 2002)

I missed something:

*O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe*

That is a dialer.

* Run Hijack This again and put a check by that one entry. Close *ALL* windows except HijackThis and click "Fix checked"

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines then click on the button that has the red circle with the X in the middle. It will ask for confirmation to delete the file. Click Yes.

*C:\WINDOWS\iccontrol.exe*

Exit Killbox.

* Restart back to Windows normally then come back here and post a new Hijack This log.


----------



## Flrman1 (Jul 26, 2002)

I just noticed that you are using an old version of Hijack This. Delete the old one and do this after you have done the above from my last post.

* *Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double-click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.


----------



## Timadams (Mar 21, 2005)

Hello Firman

I have done as you asked.

I ran a HJT log again and also decided to rerun a Housecall scan again.

Two spywares found.

Here is the Hijack This Log.......

Logfile of HijackThis v1.99.1
Scan saved at 20:34:59, on 04/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADTRAY.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\INTEL\DSLSETUP\PRODSL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BIN\BTSTART.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\BELKIN\BLUETOOTH SOFTWARE\BTSTACKSERVER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\INTEL\DSLSetup\ProDsl.exe /P
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [CPortPatch] C:\WINDOWS\Quick Install\CPPatch.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [BtStart] C:\Program Files\Belkin\Bluetooth Software\bin\btstart.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvcRes.dll
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell.com/countries/uk/enu/gen/default.htm (file missing) (HKCU)
O12 - Plugin for .ply: C:\PROGRA~1\INTERN~1\PLUGINS\npPetz.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.evertonfc.com
O15 - Trusted Zone: http://radio.disney.go.com
O15 - Trusted Zone: http://www.everythinggirl.com
O15 - Trusted Zone: http://myscene.everythinggirl.com
O15 - Trusted Zone: http://barbie.everythinggirl.com
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C52C1623-3D3E-45EE-9581-B7D68EDB0728} (HiperLoader Control) - http://plugin.hipermedia.co.uk/hiper.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\SYSTEM\BTXPPANEL.DLL

Here is the Housecall Log ...........

Trend Micro Housecall Virus Scan: No virus detected

Results:
We have detected 0 infected file(s) with 0 virus(es) on your 
computer. Only 0 out of 0 infected files are displayed. 
Detected File | Associated Virus Name

Trojan/Worm Check: No worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a 
Trojan seems like a harmless program, it contains malicious 
code and once installed can cause damage to your computer. 
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your 
computer. Only 0 out of 0 Trojan horse programs and worms are 
displayed.
Trojan/Worm Name | Trojan/Worm Type

Spyware Check: 2 spyware programs detected

What we checked:
Whether personal information was tracked and reported by 
spyware. Spyware is often installed secretly with legitimate 
programs downloaded from the Internet. 
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of 
0 spywares are displayed. 
Spyware Name | Spyware Type
COOKIE_1802 | Cookie
COOKIE_3182 | Cookie

Microsoft Vulnerability Check

What we checked:
Microsoft known security vulnerabilities. These are issues 
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 0 vulnerability/vulnerabilities on your 
computer. Only 0 out of 0 vulnerabilities are displayed. 
Risk Level | Issue | How to Fix

Thank you
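
Comparing the log posted before the fix with the one posted after it confirms that the `ICcontrol` autostart entry is gone and that nothing new has appeared in its place. The sketch below is an added example, not part of the original posts or of HijackThis; it assumes the O4 line layout seen in the logs in this thread, and the function names are hypothetical.

```python
import re
from typing import NamedTuple

# Excerpts (a few lines each) from the two HijackThis logs posted in this
# thread: BEFORE still lists ICcontrol, AFTER was posted once it had been fixed.
BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O15 - Trusted Zone: http://www.bbc.co.uk
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O15 - Trusted Zone: http://www.bbc.co.uk
"""


class Autorun(NamedTuple):
    location: str   # e.g. HKLM\..\Run or Startup
    name: str       # registry value name or shortcut file name
    command: str    # what gets launched


# "O4 - <detail>": a section code (R0, O4, O16, ...) followed by the detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Registry autostart: HKLM\..\Run: [ValueName] command line
O4_REGISTRY = re.compile(r"^(HK[^:\[]+): \[([^\]]*)\] (.+)$")
# Startup folder shortcut: Startup: Name.lnk = target
O4_FOLDER = re.compile(r"^((?:Global )?Startup): (.+?) = (.+)$")


def parse_entries(log):
    """Return (section, detail) pairs; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def autoruns(log):
    """Map a lower-cased (location, name) key to each O4 autostart entry."""
    found = {}
    for section, detail in parse_entries(log):
        if section != "O4":
            continue
        match = O4_REGISTRY.match(detail) or O4_FOLDER.match(detail)
        if match:
            entry = Autorun(*match.groups())
            found[(entry.location.lower(), entry.name.lower())] = entry
    return found


def diff_autoruns(before, after):
    """Return (removed, added, changed) autostart entries between two logs."""
    old, new = autoruns(before), autoruns(after)
    removed = [old[key] for key in old if key not in new]
    added = [new[key] for key in new if key not in old]
    # Same name but a different target deserves a second look; compare
    # case-insensitively because these logs mix upper- and lower-case paths.
    changed = [(old[key], new[key]) for key in old
               if key in new
               and old[key].command.lower() != new[key].command.lower()]
    return removed, added, changed


if __name__ == "__main__":
    removed, added, changed = diff_autoruns(BEFORE, AFTER)
    for entry in removed:
        print("removed:", entry.location, entry.name, entry.command)
    for entry in added:
        print("added:  ", entry.location, entry.name, entry.command)
    for old_entry, new_entry in changed:
        print("changed:", old_entry.name, old_entry.command, "->", new_entry.command)
```

An entry that shows up under "added" or "changed" after a cleanup is the one to look up before doing anything else.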


----------



## Timadams (Mar 21, 2005)

Ad-Aware SE has found the two spyware cookies and deleted them...


----------



## Flrman1 (Jul 26, 2002)

Now let's remove some of those startups:

This should be done through the System Configuration Utility. Go to Start > Run and type in *msconfig*.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by these:

*PCHealth
AtiPTA
WorksFUD
Microsoft Works Portfolio
Microsoft Works Update Detection
CreateCD50
AdaptecDirectCD
BtStart
SSDPSRV
ATIPOLL
Microsoft Office*

Click "Apply" then "OK"

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Also you have several others there that probably should be disabled. You need to check out the links provided below and get more info on any that are left and decide for yourself which others need to go. A couple you have there refer to different dialup internet providers. Disabling as many as you can will help the performance of this pc a lot. DO NOT disable any antivirus or firewall related entries.

Go here for info on msconfig:

http://www.pacs-portal.co.uk/startup_index.htm

You can look up the startups here to help determine what is needed and what is not:

http://computercops.biz/StartupList.html

here:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

And here:

http://www.windowsstartup.com/wso/browse.php?l=8&start=50&end=75


----------



## Timadams (Mar 21, 2005)

Dear Firman

Forgive me for asking but why do I need to remove startups?

Whilst MS Works etc is no longer on the system, we do use
MS Office; CreateCD50; BB (British Telecom Broadband etc).

Also, may I ask this question too.
Whilst I was waiting for your reply, I ran a full virus scan with our
resident Norton Anti Virus software.

It reported that an Adware threat Adware.GAIN exists in file:
C:\!killbox\HDPlugin1019.dill. I tried to have Norton Anti Virus delete the file but it said deletion attempt failed.

Tim


----------



## Flrman1 (Jul 26, 2002)

The C:\!Killbox folder is a folder where Killbox keeps backups of files it deletes. The file is harmless, but go ahead and delete it.

You need to remove those startups because they do not need to be running all the time for those programs to work. They are running all the time when they are not needed, slowing your system down. You can start them manually when you need to.


----------



## Timadams (Mar 21, 2005)

All done !

The system is still running but has failed to reboot properly on restart three times. Twice it reached the point where the blue desktop background was present, the start key in bottom left and clock in bottom right but NO desktop icons or task bar icons. Had to be switched off manually - would not shut down. Other time gave the DOS like screen with message "an error has occurred press ctrl-alt-del to restart" but again it had hung and I had to power down.

Strange though as it rebooted successfully to completion on two occasions (like now) and I changed nothing after the failed attempts.

Does not appear to be rebooting any quicker but seems stable once it is up.

May I delete the desktop icons for HJT, cleanup and killbox as I don't want my 13 year old clicking these to see what they do?

Tim


----------



## Flrman1 (Jul 26, 2002)

Yes you can delete those. 

I recommend you defrag the Hard drive and run chkdsk.


----------



## Timadams (Mar 21, 2005)

Will try that tomorrow (late here in UK now) and monitor over the weekend and report back to you.

Thank you so much for all your help.

Would appreciate the links to the helpful posting to assist me in setting sensible IE security settings to try to avoid this again without totally compromising a kid's wish to surf the web sites that use Active X games and the like.

Thanks again sir


----------



## Flrman1 (Jul 26, 2002)

You're Welcome! 

Now turn off System Restore:

Click Start, Settings, and then click Control Panel.
Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

Click the Performance tab, and then click File System.
Click the Troubleshooting tab, and then check Disable System Restore.
Click Apply then OK.
Click Yes, when you are prompted to restart Windows.

Now reenable System Restore by following these directions

To enable Windows Me System Restore:

Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System, and then click the Troubleshooting tab.
Uncheck Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


----------



## Timadams (Mar 21, 2005)

I have not cleared the _RESTORE yet. I thought that I would first run a thorough scandsk and defrag. However, I have hit a problem that has baffled me ever since the laptop was new. Scandsk can never seem to complete in one pass. It starts checking the allocation tables then moves on to checking folders and then (usually, but not always) something triggers it to start again right at the very beginning before it has completed. It is just as though something has re-set it, or a disk write from something else has intervened so it feels it needs to re-check everything it has done so far, again. As a result I have not yet been able to run scandsk to completion so I am very worried about performing a defrag without first thoroughly checking the disk.

In desperation, I booted in safe mode. Checked the task manager via 'ctrl-alt-del' and see that the only process running is EXPLORER. But even in safe mode, scandsk is suffering the same symptoms.

Any idea what I can do to work out why I can't get a full scandsk without interruption please?

Thanks


----------



## Flrman1 (Jul 26, 2002)

Let it run in safe mode overnight and it should complete even with all the restarts.


----------



## Timadams (Mar 21, 2005)

The scandsk produced no errors and defrag ran okay too. Thank you for your help Firman. How do I make a donation?


----------



## Flrman1 (Jul 26, 2002)

You're welcome! 

You can donate here: http://www.techguy.org/donate.html or at the link in my signature.


----------



## Timadams (Mar 21, 2005)

Can you also point me to the link that helps me set up sensible IE security settings that stop us getting into this mess so easily again please? I need a balance between no security and something that allows the kid to surf safely and run her internet games and so on.....

Tim


----------



## Timadams (Mar 21, 2005)

I made a donation using the link on your signature but I sure as heck cannot see how to make sure it goes to the Tech Support Guy site. I should have used the link you gave me which looks much easier. Sorry..


----------



## Flrman1 (Jul 26, 2002)

Don't worry. I can assure you that all the money goes to TSG! 

I posted this for you a few posts back, but maybe you missed it:

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

