
XXXtoolbar/ ISTbar (HELP!!)

Discussion in 'Virus & Other Malware Removal' started by Fac51, Sep 21, 2003.

Thread Status:
Not open for further replies.
  1. Fac51

    Fac51 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    8
    Just signed up to "techguy.org" this evening for the very 1st time, as it appears I've been yet another victim of a trojan-horse type parasite. I'm looking for help!

    I'm not a computer whizz by any means and so I'm in need of some real help from anyone out there with knowledge on the problems that started over the weekend.

    Yesterday (Sat 09/20/03), started noticing that I was getting numerous pornsites in my Earthlink 'favorites'. After trying to find out what was going on (and reassuring my wife I'm not a porn-junky), looks like I may have got the 'ISTbar' trojan horse/parasite (as 'Spyware Nuker' identified it on its report). I also have the 'xxxtoolbar' on my programs (when I go to settings and 'add or remove programs') and can't delete it.

    So, I downloaded 'Spyware Nuker' and got a report. I then spent about 2 hours deleting things from HKLM, HKCU ("Pugi", "Webdialer" etc) and thought that had done it. However, the 'xxxtoolbar' is still there and it won't go. Problems simply reappeared.

    I then downloaded 'CWS shredder' and 1st time I used it, it did find/kill 6 registry items...problem solved I thought? ....MAYBE NOT, as I discovered a short time afterwards the same things occurring yet again, with all the http's (porn ones mostly) back again.

    So, after reading up on the whole subject on Sunday via a non-infected PC, I downloaded 'Spybot Search and Destroy', which did find some things (it also removed Spyware Nuker from my PC!), but I STILL got same problems each time I connected to Earthlink.

    Then tried 'SpywareBlaster', which seemed to have a good review out there. Again, even after using that, I still get the same things ie, porn-sites on my Earthlink Favorites and a couple of short-cuts appearing on my desktop ie, "odd-teen" icon, which seemed to be the ISTbar spy file, and which I thought I'd managed to get rid of by manually deleting the files given by the 'Spyware Nuker' report on Saturday.

    As of Sunday evening, I still have "xxxtoolbar" on my programs and also a "$$del" MS-DOS Batch File has appeared on my Desktop as a short-cut.

    OK, hope you all got that. Sorry for rambling on, but thought it worth giving a history of events.

    Just used "Hijack This" and the following report has been given: -

    Logfile of HijackThis v1.97.2
    Scan saved at 9:28:09 PM, on 9/21/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\removed.exe
    C:\WINDOWS\System32\svc.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    O1 - Hosts: 66.250.171.136 auto.search.msn.com
    O1 - Hosts: 66.250.171.136 sitefinder.verisign.com
    O1 - Hosts: 66.250.171.136 sitefinder-idn.verisign.com
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
    O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: test.exe
    O4 - Global Startup: TFTP728
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Which ones should I get rid of?

    I hope someone can help me resolve the problem I'm having and educate me on this. Thanks in advance.

    PS - will be flying out of the country on Monday night (EST) and not back for a week. Will check this forum as soon as I return and maybe by then, someone has got some good advice on what I should be doing!
     
  2. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Hang in there, I should have an answer for you in about 20 minutes.
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    It looks like we may have a new one here. I've asked Tony Klein to look in regarding the

    O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
    O4 - Global Startup: test.exe

    items.

    The rest of the info I have ready to go.

    We may ask you to ZIP and email us either one or both of those before removal.
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Here are my suggestions, but hold off on any action until we hear from Tony on those other two.


    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mo...ton/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/

    O1 - Hosts: 66.250.171.136 auto.search.msn.com
    O1 - Hosts: 66.250.171.136 sitefinder.verisign.com
    O1 - Hosts: 66.250.171.136 sitefinder-idn.verisign.com

    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll


    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
    O4 - Global Startup: test.exe
    O4 - Global Startup: TFTP728


    IF you are running ME or XP Disable SYSTEM RESTORE : How to disable or enable System Restore in Windows ME

    How to disable or enable System Restore in Windows XP


    Next reboot into Safe Mode and remove the following files and folders that are bolded

    Search for and delete
    winmain.exe

    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\System32\svc.exe

    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

    Reboot into normal mode

    RE-ENABLE SYSTEM RESTORE and create a new restore point


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks

    EDIT:
    Made changes to Symantec's links
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392


    About the above items, these are the files themselves, and NOT just startup items!

    Hijack This will have trouble fixing them, and if it were successful, there would be no file left to submit...

    I would indeed like copies of both Test.exe and C:\windows\removed.exe

    You can send them to this e-mail address.
    I'd appreciate it! :)

    Afterwards, start your computer in Safe Mode, and delete both Test.exe and TFTP728 from that global Startup folder (probably C:\Documents and Settings\All Users\Start Menu\Programs\Startup )

    Svc.exe is a brand new version of the ClientMan parasite, redirecting to Madfinder.com. It installs that BrowserHelper.dll BHO.
     
  6. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Thanks Tony, as always, your knowledge and wisdom are much appreciated.!!! (y)

    FAC51, please ZIP a copy of each of those files and email them to the email addy Tony provided BEFORE doing any of the other clean up.

    Thanks
     
  7. Fac51

    Fac51 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    8
    NiteHawk and Tony,

    Thanks for coming back so quickly on this. Tony, I did e-mail you the Test.exe and C:\windows\removed.exe files as you requested.

    NiteHawk, the link for how to disable or enable System Restore in Windows XP (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/200111191) does not take me to anything. Is there another link you could post?

    I just did a HJT scan and deleted what you had listed, but the O4 - test.exe won't go.

    Have to catch a plane today so won't be able to do anything more on this for another week. Will be in touch as soon as I'm back and have done what you've asked. In the meantime, I've just had "yellow porn pages" and "goodthngxx" pop up as short-cuts on my desktop this morning!!!
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hiya! :)

    Here's how to disable System Restore:

    1. Close all open programs.
    2. Right-click My Computer on the Windows desktop, and then click Properties.
    3. Click the Performance tab.
    4. Click File System.
    5. Click the Troubleshooting tab.
    6. Check Disable System Restore, click OK, and then click Close.
    7. Click Yes to restart. This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.

    After rebooting, you'll want to re-enable System Restore, and create a new Restore Point right away.

    BTW, haven't received those files yet. :( Did you zip them before sending them?
    Might be a good idea.
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Oh man, I goofed up:

    Got your message, but MailWasher deleted it.... my bad...

    Would you mind terribly sending those files again, please?
     
  10. Fac51

    Fac51 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    8
    Tony,

    I got to the office and just logged on to see if there were any more posts on my thread.

    Alas, I won't be able to e-mail the files as I won't be at home for another week. Will do so upon my return to NYC.

    In the meantime, thanks to you and Nitehawk for your help so far. It's greatly appreciated.
     
  11. Fac51

    Fac51 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    8
    PS.....just before leaving home this morning, I did another Hijack This scan. Here is the report: -

    Logfile of HijackThis v1.97.2
    Scan saved at 7:09:56 AM, on 9/22/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\removed.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.exe
    C:\WINDOWS\System32\mshta.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/1/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/1/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/1/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/1/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/1/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/1/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
    O4 - Global Startup: test.exe
    O4 - Global Startup: TFTP728
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download

    You will see that....
    O4 - Global Startup: test.exe
    O4 - Global Startup: TFTP728
    Are still there!

    So, read your posts this morning and as I've mentioned previously, when I'm home next week I'll start doing the steps you've given me. So, expect a new post from me on October 01 about this guys!

    Thanks,
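
As an added example (not part of the thread and not HijackThis's own code), the following Python parses the `R`/`O` entry lines of two HijackThis logs and reports which entries survived between scans, which is how the persistent `test.exe`, `TFTP728` and `removed.exe` items stand out above. The sample logs are a constructed subset of lines from the 9/21 and 9/22 logs in this thread; the function names are assumptions made for the example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# An entry line is "<section code> - <detail>", e.g. "O4 - Global Startup: test.exe".
# Header and "Running processes" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([RO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Constructed samples: a subset of lines from the 9/21 and 9/22 logs in this thread.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.97.2
Running processes:
C:\windows\removed.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728
"""
SCAN_AFTER = r"""
Logfile of HijackThis v1.97.2
Running processes:
C:\windows\removed.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728
"""

def parse_log(text):
    """Return the R*/O* entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def key_of(entry):
    """Identity of an entry across scans. For R entries the registry value
    (text before '=') is the identity, so a re-hijacked URL shows as 'changed'."""
    if entry.section.startswith("R"):
        return ("R", entry.detail.split(" =", 1)[0].strip())
    return (entry.section, entry.detail)

def compare(before, after):
    """Classify entries as persisted, changed, removed or added between scans."""
    b = {key_of(e): e for e in before}
    a = {key_of(e): e for e in after}
    result = {"persisted": [], "changed": [], "removed": [], "added": []}
    for k, e in b.items():
        if k not in a:
            result["removed"].append(e)
        elif a[k].detail == e.detail:
            result["persisted"].append(e)
        else:
            result["changed"].append((e, a[k]))
    result["added"] = [e for k, e in a.items() if k not in b]
    return result

def persistent_startup_files(result):
    """Startup-folder items that survived: these are files on disk, not registry values."""
    prefix = "Global Startup: "
    return [e.detail[len(prefix):] for e in result["persisted"]
            if e.section == "O4" and e.detail.startswith(prefix)]

if __name__ == "__main__":
    diff = compare(parse_log(SCAN_BEFORE), parse_log(SCAN_AFTER))
    for e in diff["persisted"]:
        print("STILL PRESENT:", e.section, "-", e.detail)
    for old, new in diff["changed"]:
        print("CHANGED:", old.detail, "->", new.detail.split("= ", 1)[-1])
    print("Startup-folder files to remove by hand:", persistent_startup_files(diff))
```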
     
  12. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You're welcome! :)

    About the files, no prob! There's no rush.

    TIA! :)
     
  13. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Fac51, I changed the links relating to System Restore for both ME and XP, thanks for pointing that out to me. It seems that lately I can't keep up with all of Symantec's changes :( It's getting to be, what was good three hours ago, is no longer.
     
  14. Fac51

    Fac51 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    8
    OK, I’m back now and so I’ve done a HijackThis log and got rid of as many as I could. This is the latest HijackThis log:-

    Logfile of HijackThis v1.97.2
    Scan saved at 7:41:39 PM, on 9/30/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\removed.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
    O4 - Global Startup: test.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I cannot delete O4 - Global Startup: test.exe. My PC came up with “Unable to delete file: O4 - Global Startup: test.exe. The file may in use. Use Task Manager to Shutdown the program and run HijackThis again to delete the files”. I tried many ways to delete it, but had no success.

    Back to your words of advice, I can disable SYSTEM RESTORE, but for some reason I can’t get my Windows XP Professional to do the ‘Safe Mode’. It will only allow me to either Turn-off/Standby/Restart.

    Can I disable system restore and then do what you propose without the ‘Safe Mode’ ???? Other than that, is there any other way I can get Safe Mode to work on my PC ????

    I also did a search for the files/folders mentioned by NiteHawk in his message. This is what I got from the search. Do I simply delete all of these then ????

    Search for “winmain.exe” gives:-
    Winmain C:\WINDOWS 4KB Application
    WINMAIN.EXE-0EF32BD2.pf C:\WINDOWS\Prefetch 4KB PF File

    Search for “clearsearch” gives a ClearSearch File Folder, which contains the following files (all created on 9/20/03 when my problems began!):-

    BI.DLL 62KB
    ClrSchIEPlugin/DLL 118 KB
    Control 1 KB
    IE_ClrSch.DLL 77KB
    Loader 76KB
    SS.DLL 63KB


    Search for “svc.exe” gives:-

    HELPSVC.EXE-2878DDA2.pf C:\WINDOWS\Prefetch 76KB PF File
    ISTSVC.EXE-0B9CA3A6.pf C:\WINDOWS\Prefetch 18KB PF File
    SVC.EXE-39E29058.pf C:\WINDOWS\Prefetch 7KB PF File
    cisvc C:\WINDOWS\system32 5KB PF Application
    mqsvc C:\WINDOWS\system32 5KB PF Application
    mgtgsvc C:\WINDOWS\system32 96KB PF Application
    smlogsvc C:\WINDOWS\system32 84KB PF Application
    svc C:\WINDOWS\system32 7KB PF Application
    vssvc C:\WINDOWS\system32 269KB Application
    HelpSvc C:\WINDOWS\PCHEALTH\HELP… 678 KB Application
     
  15. Fac51

    Fac51 Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    8
    Hoorah !!!

    After all that, it now seems that I've got rid of it/them !!!!.....thanks entirely to the advice of NiteHawk and Tony Klein.

    Cheers guys !(y) :cool:
     
Short URL to this thread: https://techguy.org/166492
