XXXtoolbar/ ISTbar (HELP!!)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Fac51

Thread Starter
Joined
Sep 21, 2003
Messages
8
Just signed up to "techguy.org" this evening for the very 1st time, as it appear's I've been yet another victim of a trojan-horse type parasite. I'm looking for help !.

I'm not a computer whizz by any means and so I'm in need of some real help from anyone out there with knowledge on the problems that started over the weekend.

Yesterday (Sat 09/20/03), started noticing that I was getting numerous pornsites in my Earthlink 'favorites'. After trying to find out what was going on (and reassuring my wife I'm not a porn-junky), looks like I may have got the 'ISTbar' trojan horse/parasite (as 'Spyware Nuker' identified it on it's report). I also have the 'xxxtoolbar' on my programs (when I go to settings and 'add or remove programs' and can't delete it.

So, I downloaded 'Spyware Nuker' and got a report. I then spent about 2 hours deleting things from HKLM, HKCU ("Pugi", "Webdialer" etc) and thought that had done it. However, the 'xxxtoolbar' is still there and it won't go. Problems simply reappeared.

I then downloaded 'CWS shredder' and 1st time I used it, it did find/kill 6 registery items...problem solved I thougt? ....MAYBE NOT, as I discovered a short time afterwards the same things occuring yet again, with and all the http's (porn ones mostly) back again.

So, after reading up on the whole subject on Sunday via a non-infected PC, I downloaded 'Spybot Search and Destroy', which did fing somethings (it also removed Spyware Nuker from my PC!), but I STILL got same problems each time I connected to Earthlink.

Then tried 'SpywareBlaster', which seemed to have a good review out there. Again, even after using that, I still get the same things ie, porn-sites on my Earhtlink Favorites and a couple of short-cut's appearing on my desktop ie, "odd-teen" icon, which seemed to be the ISTbar spy file, and which I thought I'd managed to get rid of by manually deleting the files given by the 'Spyware Nuker' report on Saturday.

As of Sunday evening, I stilll have "xxxtoolbar" on my programs and also a "$$del" MS-DOS Batch File has appeared on my Desktop as a short-cut.

OK, hope you all got that. Sorry for rambling on, but thought it worth giving a history of events.

Just used "Hijack This" and the following report has been given: -

Logfile of HijackThis v1.97.2
Scan saved at 9:28:09 PM, on 9/21/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\WINDOWS\System32\svc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O1 - Hosts: 66.250.171.136 sitefinder.verisign.com
O1 - Hosts: 66.250.171.136 sitefinder-idn.verisign.com
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Which one's should I get rid of ?

I hope someone can help me resolve the problem I'm having and educate me on this. Thanks in advance.

PS - will be flying out of the country on Monday night (EST) and not back for a week. Will check this forum as soon as I return and maybe by then, someone has got some good advice on what I should doing!
 
Joined
Mar 9, 2003
Messages
4,699
It looks like we may have a new one here. I've asked Tony Klein to look in regarding the

O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - Global Startup: test.exe

items.

The rest of the info I have ready to go.

We may ask you to ZIP and email us either one or both of those before removal.
 
Joined
Mar 9, 2003
Messages
4,699
Here are my suggestions, but hold off on any action untill we hear from Tony on those other two.


In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/

O1 - Hosts: 66.250.171.136 auto.search.msn.com
O1 - Hosts: 66.250.171.136 sitefinder.verisign.com
O1 - Hosts: 66.250.171.136 sitefinder-idn.verisign.com

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll


O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728


IF you are running ME or XP Disable SYSTEM RESTORE : How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP


Next reboot into Safe Mode and remove the following files and folders that are bolded

Search for and delete
winmain.exe

C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\svc.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode

RE-ENABLE SYSTEM RESTORE and create a new restore point


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks

EDIT:
Made changes to Symantec's links
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Originally posted by NiteHawk:
In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.


O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728




About the above items, these are the files themselves, and NOT just startup items!

Hijack This will have trouble fixing them, and if it were successful, there would be no file left to submit...

I would indeed like copies of both Test.exe and C:\windows\removed.exe

You can send them to this e-mail address.
I'd appreciate it! :)

Afterwards, start your computer in Safe Mode, and delete both Test.exe and TFTP728 from that global Startup folder (probably C:\Documents and Settings\All Users\Start Menu\Programs\Startup )

Svc.exe is a brand new version of the ClientMan parasite, redirecting to Madfinder.com. It installs that BrowserHelper.dll BHO.
 
Joined
Mar 9, 2003
Messages
4,699
Thanks Tony, as always, your knowledge and wisdom are much appreciated.!!! (y)

FAC51, please ZIP a copy of each of those files and email them to the email addy Tony provided BEFORE doing any of the other clean up.

Thanks
 

Fac51

Thread Starter
Joined
Sep 21, 2003
Messages
8
NiteHawk and Tony,

Thanks form coming back so quickly on this. Tony, I did e-mail you the Test.exe and C:\windows\removed.exe files as you requested.

NiteHawk, the link for how to disable or enable System Restore in Windows XP (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/200111191) does not take me to anything. Is there another link you could post?

I just did a HJT scan and deleted what you had listed, but the 04- test.exe won't go.

Have to catch a plane today so won't be able to anything more on this for another week. Will be in touch as soon as I'm back and have done what you've asked. In the meantime, I've just had "yellow porn pages" and "goodthngxx" pop up as short-cut's on my desktop this morning !!!
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Hiya! :)

Here's how to disable System Restore:

1. Close all open programs.
2. Right-click My Computer on the Windows desktop, and then click Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore, click OK, and then click Close.
7. Click Yes to restart. This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.

After rebooting, you'll want to re-enable System Restore, and create a new Restore Point right away.

BTW, haven't received those files yet. :( Did you zip them before sending them?
Might be a good idea.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Oh man, I goofed up:

Got your message, but MailWasher deleted it.... my bad...

Would you mind terribly sending those files again, please?
 

Fac51

Thread Starter
Joined
Sep 21, 2003
Messages
8
Tony,

I got to the office and just logged on to see if there were any more posts on my thread.

Alas, I won't be able to e-mail the files as I won't be a home for another week. Will do so, upon my return to NYC.

In the meantime, that to you and Nitehawk for your help so far. It's greatly appreciated.
 

Fac51

Thread Starter
Joined
Sep 21, 2003
Messages
8
PS.....just before leaving home this morning, I did another Hijack This scan. Here is the report: -

Logfile of HijackThis v1.97.2
Scan saved at 7:09:56 AM, on 9/22/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.exe
C:\WINDOWS\System32\mshta.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/1/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/1/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/1/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/1/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download

You will seem that....
O4 - Global Startup: test.exe
O4 - Global Startup: TFTP728
Are still there!

So, read your post's this morning and as I've mentioned previously, when I home next week I'll start doing the steps you've given me. So, expect a new post from me on October 01 about this guys!

Thanks,
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
You're welcome! :)

About the files, no prob! There's no rush.

TIA! :)
 
Joined
Mar 9, 2003
Messages
4,699
Fac51, I changed the links relating to System Restore vor both ME and XP, thanks for pointing that out to me. It seems that lately I can't keep up with all of Symantec's changes :( It's getting to be, what was good three hours ago, is no longer.
 

Fac51

Thread Starter
Joined
Sep 21, 2003
Messages
8
OK, I’m back now and so I’ve done a HijackThis log and got rid of as many as I could. This is the latest HijackThis log:-

Logfile of HijackThis v1.97.2
Scan saved at 7:41:39 PM, on 9/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\test.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - Global Startup: test.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I cannot delete O4 - Global Startup: test.exe. My PC came up with “Unable to delete file: O4 - Global Startup: test.exe. The file may in use. Use Task Manager to Shutdown the program and run HijackThis again to delete the files”. I tried many ways to delete it, but had no success.

Back to your words of advice, I can disable SYSTEM RESTORE, but for some reason I can’t get my Windows XP Professional to do the ‘Safe Mode’. It will only allow me to either Turn-off/Standby/Restart.

Can I disable system restore and then do what you propose without the ‘Safe Mode’ ???? Other than that, is there any other way I can get Safe Mode to work on my PC ????

I also did a search for the files/folders mentioned by NiteHawk in his message. This is what I got from the search. Do I simply delete all of these then ????

Search for “winmain.exe” gives:-
Winmain C:\WINDOWS 4KB Application
WINMAIN.EXE-0EF32BD2.pf C:\WINDOWS\Prefetch 4KB PF File

Search for “clearsearch” gives a ClearSearch File Folder, which contains the following files (all created on 9/20/03 when my problems began!):-

BI.DLL 62KB
ClrSchIEPlugin/DLL 118 KB
Control 1 KB
IE_ClrSch.DLL 77KB
Loader 76KB
SS.DLL 63KB


Search for “svc.exe” gives:-

HELPSVC.EXE-2878DDA2.pf C:\WINDOWS\Prefetch 76KB PF File
ISTSVC.EXE-0B9CA3A6.pf C:\WINDOWS\Prefetch 18KB PF File
SVC.EXE-39E29058.pf C:\WINDOWS\Prefetch 7KB PF File
cisvc C:\WINDOWS\system32 5KB PF Application
mqsvc C:\WINDOWS\system32 5KB PF Application
mgtgsvc C:\WINDOWS\system32 96KB PF Application
smlogsvc C:\WINDOWS\system32 84KB PF Application
svc C:\WINDOWS\system32 7KB PF Application
vssvc C:\WINDOWS\system32 269KB Application
HelpSvc C:\WINDOWS\PCHEALTH\HELP… 678 KB Application
 

Fac51

Thread Starter
Joined
Sep 21, 2003
Messages
8
Hoorah !!!

After all that, it now seems that I've got rid of it/them !!!!.....thanks entirely to the advice of NiteHawk and Tony Klein.

Cheers guys !(y) :cool:
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top