dlh6213 27 Posting Maven Team Colleague

What is where now? In reglite or the system32 folder?

dlh6213 27 Posting Maven Team Colleague

Well, it is OEM. What difference does it make if it's OEM or a boxed CD version?

Microsoft rules (as I understand them). You can find out about Windows XP product activation by reading this document and its related links:

http://support.microsoft.com/default.aspx?kbid=326851

Here's a quote from that website: "These OEM licenses are single-use licenses that cannot be transferred to another PC. Windows XP can also only be installed on a single computer. Installation and subsequent activation on a different computer requires a new license."

If you have any questions after reading the information at this website, you should contact Microsoft.

dlh6213 27 Posting Maven Team Colleague

-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\ctlek.dll <- delete this line , (the name may have changed since you played with it)
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Check in the system32 folder if the culprit dll is visible.

If it is, delete it.

I'm afraid I'm a bit confused. I ran reglite and renamed the folder, but after that it became unclear so I changed the name back until I get some clarification.

Where do I click on "AppInit_DLLs"? In the right hand pane? If so, nothing happens, so there's nothing to delete.

After that part is cleared up, my next question will be, if the dll's name changes, how will I know which one to delete?
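The check those steps perform by hand, as an added example that is not part of the original posts: it reads the `AppInit_DLLs` value, splits it into the DLLs it names (every one of them is loaded into each process that loads user32.dll), and compares them with a directory listing, since the thread reports a DLL that the registry names but that cannot be found in System32. The function names and the constructed non-Windows listing are assumptions made for the illustration.

```python
import ntpath
import re

KEY_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_NAME = "AppInit_DLLs"

MISSING = "named in AppInit_DLLs but not in the directory listing"
VISIBLE = "listed on disk; confirm what installed it"
UNCHECKED = "outside the listed directory; check its own folder"


def split_appinit(value):
    """The value is a space- or comma-separated list of DLL names or paths."""
    parts = re.split(r"[ ,]+", value.strip())
    return [p.strip('"') for p in parts if p.strip('"')]


def audit(value, listing, listed_dir=r"C:\WINDOWS\System32"):
    """Compare every DLL named in the value with a listing of listed_dir.

    listing is the list of file names a normal directory listing returned.
    Returns (entry, finding) tuples in the order the value names them.
    """
    visible = {name.lower() for name in listing}
    findings = []
    for entry in split_appinit(value):
        folder, name = ntpath.split(entry)
        if folder.lower() != listed_dir.lower():
            findings.append((entry, UNCHECKED))
        elif name.lower() in visible:
            findings.append((entry, VISIBLE))
        else:
            # Registry says it loads, the listing does not show it:
            # the file is hidden or already gone.
            findings.append((entry, MISSING))
    return findings


def read_appinit():
    """Read the live value from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
    return value


if __name__ == "__main__":
    import os
    import sys

    if sys.platform == "win32":
        sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
        value, listing = read_appinit(), os.listdir(sysdir)
    else:
        # Off Windows: the value posted in the thread and a constructed listing.
        sysdir = r"C:\WINDOWS\System32"
        value, listing = r"C:\WINDOWS\System32\ctlek.dll", ["kernel32.dll", "user32.dll"]
    for entry, finding in audit(value, listing, sysdir):
        print(f"{entry}: {finding}")
```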

dlh6213 27 Posting Maven Team Colleague

I have a computer (no OS yet) that will not boot from the floppy drive. I checked all the connections and everything seems fine. I checked the BIOS and made sure it was set to boot from the floppy. What I noticed, however, during startup, the floppy is shown as a "B" drive instead of the normal "A" drive. The ribbon cable for the floppy has only one connector, so it can't be connected wrong. Any idea how to fix this so the computer will see it as the "A" drive?

dlh6213 27 Posting Maven Team Colleague

Did you get your RAM problem fixed?

dlh6213 27 Posting Maven Team Colleague

For the gateway router, I have only dialup; is it feasible to have a router with that?

You may want to ask this question in its own thread, under the operating system you're using.

Most likely, if you're using a Windows OS, you will want to use ICS (Internet Connection Sharing). How to set this up, and which computer to use as the main connection point, will depend on the OS of each computer.

Keep in mind, too, that if you are both using the internet at the same time, your speed will be even slower than it is now.

dlh6213 27 Posting Maven Team Colleague

If you have McAfee or Norton, then do a virus scan; if not, you might want to get a virus protection program. Then scan using Ad-Aware and Spybot S&D to scan for spyware and delete those files. Now you should also clear your internet temp files and set the browser cache to a lower level by opening Internet Explorer, going to Tools > Internet Options > Delete Files, then Delete Cookies, then click Settings, go to the amount of disk space used and lower it down to anywhere from 80-200.
Now if you are not familiar with P2P programs, then look in Program Files for names like BitTorrent, Kazaa, eMule, eDonkey, Gnutella, LimeWire, K-Lite, BearShare. I would uninstall these programs because your son might be downloading illegal material. Now just look through your son's folders for anything like movies (.avi, .mpg, .wmv, .vob files),
music (.mp3, .wav, .asf, .mp4) and others that you think shouldn't be there.
Now that you have done all that, you might want to set an admin password so you can select what your son is able to do on the computer. Then when it comes out, update to Windows XP SP2, which has better security options that are easy to use.

hope this helps and if you need help setting the admin password you have to ask some one else.

One more program to look for is imesh.

dlh6213 27 Posting Maven Team Colleague

I'm pretty much just going to reiterate what has already been mentioned here, but first I'd like to ask if this system has always run slow or if it just started running slow recently?

My XP system originally had 128MB and it ran very slow; Microsoft says this is the minimum, but 256MB is the actual minimum for it to run well. I have 384MB now and I frequently feel like I still need more. If you can get 512MB in your system, your wife and son should be happy... unless there's another problem.

dlh6213 27 Posting Maven Team Colleague

At work we just did an upgrade on machines and OSes (approx. 300).

They are all using Windows XP Pro and each and every one has a unique key. (All activated already.)

Now if I want to take one of those boxes and reformat it, can I use the key that was activated on it and re-use it on another machine? If not, how the hell do I deactivate it? I am so tired right now; google.com has temporarily failed me.

I just want to take an activated WinXP Pro box, reformat it and put that key on another machine. I know this has to be possible, but how?

Please help me this is important to me. Thanks a lot guys I owe you big time.

With XP Pro, you can do it one time (remove from one computer and install in another), as long as it's not an OEM version (OEM can only be used on the original computer).

When you go to activate it, you will get a message -- including the phone number -- to call Microsoft and tell them that you removed it from the original computer. As long as this is the first time it has been moved, there should be no problem.

dlh6213 27 Posting Maven Team Colleague

Hi; I'm not qualified to instruct you regarding your log, so I'm not going to even try, but the first thing a "real tech" is going to suggest is for you to

"update hijackthis to version 1.98.1 -- Run your current version of hijackthis & go to *Config\Misc Tools\Check for update on-line. Then remove 1.97 from the folder it is in & replace it with 1.98.1."

So you may as well do that now then post a new log.

Good luck!

dlh6213 27 Posting Maven Team Colleague

Hi; I'm not qualified to instruct you regarding your log, so I'm not going to even try, but the first thing a "real tech" is going to suggest is for you to "update hijackthis to version 1.98.1 -- Run your current version of hijackthis & go to *Config\Misc Tools\Check for update on-line. Then remove 1.97 from the folder it is in & replace it with 1.98.1." So you may as well do that and post a new log.

Also, it appears to me that you are infected with the about:blank hijacker; while you're waiting for a tech to review your log, you may want to review some other threads regarding this topic.

Good luck!

dlh6213 27 Posting Maven Team Colleague

What do you need to work with? All you need to know really is that any spurious entries in any of the hijack this logs mentioned in ANY threads related to this problem are deleted accordingly, however they come back. The registry setting that needs to be deleted is also non-existent on my machine.

If you've done any research on the "about:blank" problem, then you should know that recent versions have become very sophisticated and difficult to remove.

You need to start somewhere, so start with the tools you've already found in other posts, then post an hjt log here so the techs have someplace to start.

dlh6213 27 Posting Maven Team Colleague

Well, I tried to reinstall Windows but it won't let me since it has the HDD password. When it turns on, that's the first thing it asks for. That's not the password that you put in Windows as different users or administrator. That's the Hard Disk Drive, if that's what HDD means.

Also, it is a Gateway Solo.

Contact Gateway and see if they can give you a password.

dlh6213 27 Posting Maven Team Colleague

Here are the results you asked for:
C:\WINDOWS\System32\ctlek.dll

By the way, I updated and ran Norton AV this morning in Safe Mode; it found one item: c:\windows\system32\notepad.exe.bak and called it Adware.Mainsearch. It was able to delete it and I haven't had the problem since, but I've gone through stretches before without getting it and it eventually comes back. Don't know if this fixed it for good or not. Also, I'd like to mention that I ran NAV in Safe Mode last week and it didn't find this item, so either the file is new or the updates added it.

Norton didn't fix the problem, it's back again. :(

dlh6213 27 Posting Maven Team Colleague

Does anyone here know of a reasonably priced, reliable data recovery service? I have a drive that won't boot anymore, I put it in an external USB drive bay and was able to recover only a few files. It has approximately 5GB of data on it, stuff I'd like to have, but not important enough to spend hundreds of dollars on it.

dlh6213 27 Posting Maven Team Colleague

If HDD Password = a 3rd party password software:
http://www.soft32.com/download_25507.html

If this is the case then you may need to fdisk and format the hard drive to solve the problem, methinks :)

With an HDD password, you can't use fdisk either; if you can't get the password, you have an expensive paperweight.

I went to the link you posted and all I saw were programs to use a password, not remove one. If there is a program out there to remove this type of password, I'd sure like to have it!

BTW, a HDD is excellent protection for a laptop in case it gets stolen, but as shown here, you can't forget it! The HDD can be replaced and the computer will still be useable, but no one can get to your data.

dlh6213 27 Posting Maven Team Colleague

True as this is, Dell's not going to be able to get past an Administrator password. It's key to know exactly what password we're talking about here.

He said it was a HDD password, not an Administrator password; I've dealt with this before and the only way is to contact the vendor that I could find. Someone else suggested putting it in another computer, which he can try, but it didn't work for me.

dlh6213 27 Posting Maven Team Colleague

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Here are the results you asked for:
C:\WINDOWS\System32\ctlek.dll

By the way, I updated and ran Norton AV this morning in Safe Mode; it found one item: c:\windows\system32\notepad.exe.bak and called it Adware.Mainsearch. It was able to delete it and I haven't had the problem since, but I've gone through stretches before without getting it and it eventually comes back. Don't know if this fixed it for good or not. Also, I'd like to mention that I ran NAV in Safe Mode last week and it didn't find this item, so either the file is new or the updates added it.

dlh6213 27 Posting Maven Team Colleague

Hi everybody!

I have a laptop and it has a HDD password, but I forgot the password. I was wondering what I can do to take the password off or to format it. :sad:

Is this a Dell laptop? If so, you can contact them and they'll give you a password to unlock it if you can offer them sufficient proof that you are, in fact, the owner of this laptop. This may be true with other makes as well, but Dell is the only one I know for sure.

dlh6213 27 Posting Maven Team Colleague

Could you possibly go into more detail on the problem you are having? There is nothing else (that I can see) in your log.

Well, I first started out having a browser hijacking problem, about:blank. I don't have that problem anymore, though I'm afraid it will return if I don't get this resolved.

After reopening my browser (IE6) several times, I get a message from Norton (see attachment) saying "High Risk," and gives the virus name "Trojan.bookmarker.gen."

I've gone through all Norton's suggested steps to remove it but it keeps coming back. Putting the cursor over the Object Name gives the location as being in the C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files, then the file name. I go to that folder and clear everything, then click OK on the Norton warning; the same message comes up again, but with a different file name so I click OK again (since I've already cleared that folder), and then I get a final message that says there is also a .dll file in the System32 folder. The .dll always has a different name (examples are in a prior post), but I can never find it in the System32 folder (I've also tried using the Search function for it and PV's runme.bat, but nothing finds the .dll that Norton says is there), so I click OK again and everything is fine till after the browser is reopened a few more times then it comes back.

I haven't tried it, but I'm …

dlh6213 27 Posting Maven Team Colleague

I am interested in changing to Windows XP from my current version of Windows 2000. Will all of the drivers that I am currently using under 2000 be compatible with XP?

This link to Microsoft's HCL (Hardware Compatibility List) may help you:

http://support.microsoft.com/default.aspx?scid=kb;en-us;314062

dlh6213 27 Posting Maven Team Colleague

I got XP Pro from someone else who got rid of it and wanted to know if there was any big difference, or any difference at all, from Windows XP Home.

Here's a link to a comparison of the two products from Microsoft:

http://www.microsoft.com/windowsxp/home/howtobuy/choosing2.mspx

In general, for the casual/home user, the Home Edition should be adequate, for a network, business, or advanced user, the Pro would be a better choice.

dlh6213 27 Posting Maven Team Colleague

That is incorrect information, RyanBoggs001.

I would strongly suspect that following the advice of those friends would get you into trouble sooner or later ;)

You will find out the correct information about Windows XP product activation by reading this document and its related links.

Thanks Catweazle for the link; I searched and searched and couldn't find this information. Here's a quote from MS verifying that what you and Bentkey said are, in fact, correct (in case anyone else is wondering):

"Product Activation works by validating that the software's product key, required as part of product installation, has not been used on more PCs than is allowed by the software's end user license agreement (EULA). In general, Windows XP can be installed on one PC and Office 2003 or Office XP can be installed on one PC and the laptop computer used by the user of the one PC. (For specifics, please see the EULA accompanying your product.)"

dlh6213 27 Posting Maven Team Colleague

First log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing

***********************

Second log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
*******************************************

Is Comcast your service provider? That is what comes up when I check the IP next to the proxy in your log.

Well, I fixed the items you suggested, but my problem remains. I won't bother posting another hjt log since it hasn't changed other than those few items. Any other ideas?

dlh6213 27 Posting Maven Team Colleague

It's OK, thanks, I think I've fixed it. The problem with this is that there is a lot of advice and fixes and they are pretty much all incorrect. You should follow the registry fixes etc. but there is still one final step:

Users will need to search for the latest dll in windows/system32 (i.e. list by date), rename it. Reboot into safe mode and delete it.

Hey all you senior techies out there, is this a good fix?

dlh6213 27 Posting Maven Team Colleague

First log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing

***********************

Second log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
*******************************************

Is Comcast your service provider? That is what comes up when I check the IP next to the proxy in your log.

Yes Comcast is my service provider, would that mean I'm "behind a proxy?"

I fixed the other items you suggested, and I also changed some of my security settings (activex & java). I'll run it for awhile and see if my problem is gone or not. I'll let you know either way. Thanks again!

dlh6213 27 Posting Maven Team Colleague

hi Can anyone help me with problems regarding the dreaded about:blank homepage. There are various posts on this site concerning this nasty little problem. I've followed them all however the problem still reappears no matter what I try. Please can someone help?

Do I need to post my hijackthis log here or something? I've not used this site before. Thanks.

This needs to be put in the Security section and you can also post your hjt log there. I would move it for you, but I don't know how yet.

dlh6213 27 Posting Maven Team Colleague

I noticed there are a few differences between the hjt logs from my user account and another user account, so I'm going to post both logs (using v1.98 now):

Logfile of HijackThis v1.98.0
Scan saved at 12:51:43 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Utilities\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: …

dlh6213 27 Posting Maven Team Colleague

I've heard that XP Pro can be installed on more than one computer and I was wondering if it's true and, if so, how many? I've tried searching the MS website but can't find an answer to this. Thanks.

dlh6213 27 Posting Maven Team Colleague

With the proxy, to better explain it, I have a program called *proxomitron* on my computer. I use it to filter out anything on a website that I do not want loaded. It works through port 8080 on my computer, not the regular port. Another is a remote proxy where things are filtered out before getting to you, can be adult oriented material etc. This works through whichever port the remote site proxy requests. One I used a while ago operated through port 3195.
The two R1 lines in your log indicate that you are using a proxy of some kind.

There is nothing bad in your log.

AdbeRdr60_enu_full.exe is adobe reader, so do not be concerned.

Are you still having problems?

For some reason, this reply was hidden until I just clicked on "First unread."

As explained here, I don't believe I'm using a proxy -- not that I'm aware of anyway. Can anything bad happen if I delete them?

Yes, I'm still having the same problem, although it seems less frequently.

dlh6213 27 Posting Maven Team Colleague

Does anyone have anymore suggestions?

dlh6213 27 Posting Maven Team Colleague

Okay, I spent most of the day scanning in Safe Mode, here are the results:

AdAware -- I changed the tweak to 'Automatically try to unregister objects prior to deletion,' everything else was already set as you requested. It didn't find anything.

Trojan Hunter -- Didn't show anything, I'm not that familiar with the program (eval ver), could it have fixed anything without notifying me?

Trojan Remover -- Nothing

CWShredder -- Nothing

Pest Patrol -- Found 6 items on my E drive, all related to GameSpy. I used Add/Remove Programs to remove GameSpy.

Spybot -- Fixed 2 problems (it says nothing done, but I did the fix after copying the files):
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-329068152-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3


Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-329068152-682003330-500\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=


AboutBuster -- I don't think it found anything either, but again I'm not familiar with this program; here are the results:
-- Scan 1 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!


-- Scan 2 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!


Latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 7:56:07 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe …

dlh6213 27 Posting Maven Team Colleague

A proxy is where you use something like a 3rd party to access the web, similar to a web filter.
You have the about:blank hijacker which deposits a hidden dll that reinstalls itself if not removed completely. I will leave instructions at the end of my post for you to do.
First though, you will need to run hijackthis & remove an O2 entry from the log & also any randomly named files from the O4 section of the log. You should be able to pick them. Do not remove the R0 & R1 entries though.

****************************

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & install Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan …

dlh6213 27 Posting Maven Team Colleague

No, don't start a new thread.

Download and run this fully working 30 day trial version of Trojan Hunter.
http://www.misec.net/trojanhunter/?aff=12129
.................................................


Yes, you can edit the registry and delete all the IncrediMail stuff.
Don't forget to back up your registry first! :)

Also, HijackThis should be in a folder and not just on the C drive like this:
C:\HijackThis.exe
Create a new folder, call it HJK or something like that, and move it there so it looks like this:
C:\HJK\HijackThis.exe

Tonight when I have more time I will start from your first post and read this thread over again and see if I can see what I'm missing.

Thanks a lot; I appreciate the help. I would also like to mention that when Norton finds this trojan, it says there is a .dll file in the system32 folder. The name is always different (adm.dll & lcji.dll are a couple of examples), but when I try to find these files (while Norton is still showing it), they aren't there. I'd still like to know what "behind a proxy means."

dlh6213 27 Posting Maven Team Colleague

Okay, I understand (now) that XoftSpy uses deceptive practices in selling its software. Now that I have already purchased it, does it in fact do what it claims; is it safe to keep running on my computer or should I remove it?

dlh6213 27 Posting Maven Team Colleague

Thanks! I'll check them out ASAP!

dlh6213 27 Posting Maven Team Colleague

That's because the program installed the things it said it found, when you installed the program, to dupe you into buying it!

There is a list of bogus spyware removal tools for sale on the net and yours makes the list. Check it here for the description of the one you bought:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Sorry to hear you were duped into buying something that can be had for free and are better, like Spybot, Ad-Aware, SpywareBlaster, SpywareGuard, IE-SpyAd, to name a few.

Well, looks as if I've been taken. But I found XoftSpy via a link from this site so that gave me the little extra nudge of encouragement I needed to break down and make the purchase. That really irritates me that "companies" can lie like that to sell something. Not to mention that the problem has returned. So how do I go about removing XoftSpy and get rid of the trojan.bookmarker.gen? This thread is getting kind of long now, should I start a new one?

dlh6213 27 Posting Maven Team Colleague

1. Quit any web browser program if open and then have HJT fix all of the entries ending in: (no file).

2. You can also kill this one:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

3. Are you behind a proxy? If not, fix these as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>

4. For every user account in C:\Documents and Settings, delete the contents of the following folders:

- Cookies
- Local Settings\Temp
- Local Settings\History
- Local Settings\Temporary Internet Files

5. Empty your Recycle Bin

6. Reboot

Hi, thanks a lot for your help.

Below is my latest hjt log. Before I got this reply, I purchased and ran XoftSpy. It found many things no other programs had, it even found several instances of BonziBuddy that I thought I had cleared out ages ago. It also found a CoolWebSearch item. The program doesn't let you save the scan (not that I could figure out anyway), but I used the print screen function and saved it into a Word doc if anyone is interested in seeing what I had. I haven't had any trouble (yet) since I ran it. The program cost me $40 which I was real hesitant to spend, but I was desperate. Hopefully the problems are gone for good!

You asked if I was behind a proxy but I'm afraid I'm not sure what that means. Would you mind explaining it? …

dlh6213 27 Posting Maven Team Colleague

In your helping yourself section, there is a link called "Deciphering the log file." When I click on it I get the message "This page cannot be displayed." I get this message often when trying to go to Spywareinfo.com; is there a problem with my browser or is that site having problems? Is there anywhere else to get information on log deciphering?

dlh6213 27 Posting Maven Team Colleague

Here is a copy of my first hjt log:

Logfile of HijackThis v1.97.7
Scan saved at 4:02:05 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aadministrator\Desktop\Computer Care Kit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6FC31A35-725D-4CA9-81D0-E4697F335906} - C:\WINDOWS\System32\bbeg.dll (file missing)
O2 - BHO: (no name) - {9ABD2CE8-B2D5-45B9-96D8-AA957810A3F6} - (no …

dlh6213 27 Posting Maven Team Colleague

First off, I'd like to mention that I'm new to this so I'm not sure if I'm posting correctly. Please advise me if not.

The OS is WinXP Home, SP1
The make and model is Dell, Dimension 4400, P4-1.6G, 384mb RAM
Browser is IE, v6

Started having problems after installing Incredimail, may or may not be related. Incredimail removed using Add/Remove Programs, but still remains in Registry Editor.

Had (have?) CWS and Trojan.bookmarker.gen infections, used CWshredder and Norton instructions to get rid of most problems.

I'd like to post my first hijackthis log as well as the current one to make sure I didn't delete something I shouldn't have and to find out what else I need to fix.

Current problem is the .gen keeps coming back. Norton finds it but can't fix it. I go to the temp folder where it says the files are and delete them, but it also says there's a .dll in the System 32 folder but I can't find it; I've even tried the PV runme.bat.

Is it okay to post both logs here? Thanks for your help!

dlh6213 27 Posting Maven Team Colleague

First off, I'd like to mention that I'm new to this so I'm not sure if I'm posting correctly. Please advise me if not.

The OS is WinXP Home, SP1
The make and model is Dell, Dimension 4400, P4-1.6G, 384mb RAM

Started having problems after installing Incredimail, may or may not be related.

Had (have?) CWS and Trojan.bookmarker.gen infections, used CWshredder and Norton instructions to get rid of most problems.

I'd like to post my first hijackthis log as well as the current one to make sure I didn't delete something I shouldn't have and to find out what else I need to fix.

Current problem is the .gen keeps coming back. Norton finds it but can't fix it. I go to the temp folder where it says the files are and delete them, but it also says there's a .dll in the System 32 folder but I can't find it; I've even tried the PV runme.bat.

Thanks for any assistance you can offer!

dlh6213 27 Posting Maven Team Colleague

Since you were able to create this thread, your account has been activated. Your activation ID was built into the URL that you clicked on. Only if that link doesn't work do you need to fill in your activation code.

As far as having to login every time you visit any page, that's definitely not the way it is supposed to work. Are you using Internet Explorer? What version? It seems like a cookie problem to me. Do you have cookies enabled - that's probably the problem. When you login, do you check off the "remember me" checkbox?

I hope I'm replying right. I am using IEv6; cookies are enabled. After I log on, I clear the checkbox to remember me. Thanks for your first answer :).

dlh6213 27 Posting Maven Team Colleague

Hi, I'm new here and I was wondering how I know if my user name has been activated? I clicked on the link in the email sent to me, but there was no place to put the activation code. It says I've been activated, but when I try to post, it says I'm not. I am also wondering why I have to log in again every time I go to another page? Is it because I haven't been activated yet or is that the way it will always be? Thanks for any help.

Well, I finally got something to post so I suppose I'm activated. How did this happen without my putting in the activation code anywhere? I'd still like to know about the logging in every time I go to a different page, it's still happening.