DMR 152 Wombat At Large Team Colleague

Is there any more specific information available in the error message dialog box (under a "more info" button, perhaps)? If so, please post it in its entirety.

The info I'm looking for would be similar to the following format:

AppName: rundll32.exe AppVer: 5.1.2600.0 ModName: srrstr.dll
ModVer: 5.1.2600.1142 Offset: 00009765


In the mean time, you can try:

1. http://www.windowsbbs.com/showthread.php?t=35941

2:

  1. Click Start | Control Panel | Administrative Tools | Services.
  2. Right-click System Restore Service and click Properties.
  3. From the Startup Type drop-down, select Disabled.
  4. Click OK.
  5. Close the Services and Administrative Tools windows.
  6. Right-click My Computer, click Properties, and click the System Restore tab. The System Restore tab should now display properly; however, the System Restore service will be disabled.
  7. Enable System Restore and click Apply.

DMR 152 Wombat At Large Team Colleague

OK- keep us posted.
In terms of not being able to change the file association/extension, you do have to be logged in to an account with administrative rights to make such changes.

If the added entries you found in your hosts file referred to sites such as Panda's, Symantec/Norton, McAfee, etc., you should be able to reach those sites now that you've deleted their entries.


Just FYI:

The entries in the "hosts" file are mappings of host names/URLs to their respective IP addresses. This is essentially like having a small DNS server on your own computer, in that when you type a URL into your browser (or click on a link to a URL on a web page), Windows will look in the hosts file to see if the URL you typed/clicked has a matching IP address there. If so, Windows will direct your browser to that IP address; if not, Windows will then look to your DNS servers to match the URL with an actual IP address. (The use of hosts files was how hostname-to-IP address mapping/resolution was done before DNS was invented.)

The problem with this method is that:

A) By default, Windows will consult the local hosts file before consulting any DNS servers on your network or on the Internet.

B) There is no error checking at all concerning validity of the mappings in your hosts file. You (or someone else) can put any hostname-to-IP mapping entry you …

DMR 152 Wombat At Large Team Colleague

I think it is the power supply..

upcsue,

You said you might have access to a voltmeter. If so, it would be worth checking the DC feeds from your power supply to see if you at least have the proper voltages on each connector. Do the test with everything connected, just to make sure that you still get good voltage levels under full load.

DMR 152 Wombat At Large Team Colleague

The sound coming from the hard drive is prob. the read/write heads on the disk itself..... touching the DISKS...

Actually, that would be more of a grinding or whining/squealing noise.

A *tap* or *click* is usually more indicative of an engage/disengage problem with the head actuator mechanism rather than a problem of the heads themselves contacting platters.

DMR 152 Wombat At Large Team Colleague

OK- keep us posted...

DMR 152 Wombat At Large Team Colleague

could they have damaged my internet access prior to their removal?

Yes, in a couple of different ways.

If you can reach some/most sites, but cannot reach anti-virus, anti-spyware, or other such security-oriented sites:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Navigate to your C:\windows\system32\drivers\etc folder and find the file named "hosts".

- Open that file in Windows Notepad. Aside from the comment lines at the beginning of the file (the lines which begin with a " # "), it should contain only the following entry:

127.0.0.1 localhost

If you find other similar-looking entries below that, delete all of them and save the file.

Important: Notepad will want to add a .txt extension to the newly-saved filename, so after saving the file and closing Notepad you will need to rename the file back to simply "hosts" (that is, remove the .txt from the end of the filename).

If the connection problem occurs with all/any sites you try to reach, let us know that.
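Added example, not from the original thread: a small Python checker that applies the hosts-file explanation and the cleanup steps above to a constructed sample of a tampered hosts file. It flags every mapping other than the stock "127.0.0.1 localhost" line (with an extra reason when the hostname belongs to one of the security vendors named in the thread) and produces the cleaned content you would write back to C:\windows\system32\drivers\etc\hosts. The sample file and the vendor keyword list are assumptions for illustration.

```python
from typing import List, Tuple

# Constructed sample of a tampered hosts file (not taken from the thread).
# Lines 1-4 are the stock comment header, line 5 the only legitimate entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       update.symantec.com    # trailing comment does not hide it
0.0.0.0         www.mcafee.com
192.0.2.10      housecall.trendmicro.com
127.0.0.1       example.org
192.0.2.20      www.example.com
127.0.0.1       pandasoftware.com www.pandasoftware.com
"""

# Vendor name fragments the thread mentions as typical targets (assumed list).
VENDOR_KEYWORDS = ("symantec", "norton", "mcafee", "panda", "trendmicro",
                   "sophos", "housecall", "lavasoft", "windowsupdate")

Finding = Tuple[int, str, str, str]   # (line number, ip, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, hostnames) for every non-comment mapping line.

    Windows hosts syntax: one IP followed by one or more names; anything
    after '#' is a comment, and blank lines are ignored.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((no, parts[0], parts[1:]))
    return entries


def is_stock_localhost(ip: str, names: List[str]) -> bool:
    """True only for the single entry the thread says should remain."""
    return ip == "127.0.0.1" and [n.lower() for n in names] == ["localhost"]


def audit_hosts(text: str) -> List[Finding]:
    """Flag every mapping other than '127.0.0.1 localhost', with a reason."""
    findings: List[Finding] = []
    for no, ip, names in parse_hosts(text):
        if is_stock_localhost(ip, names):
            continue
        for name in names:
            if any(k in name.lower() for k in VENDOR_KEYWORDS):
                reason = "security vendor host redirected"
            elif ip in ("127.0.0.1", "0.0.0.0"):
                reason = "host blackholed to loopback/null address"
            else:
                reason = "unexpected static mapping (possible redirect)"
            findings.append((no, ip, name, reason))
    return findings


def clean_hosts(text: str) -> str:
    """Keep comment lines and the stock localhost entry; drop all other mappings.

    Mirrors the manual Notepad procedure above; write the result back as a
    file named exactly 'hosts' (no .txt extension) to apply it.
    """
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) >= 2 and is_stock_localhost(parts[0], parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for no, ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {ip:<12} {host:<28} {reason}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```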

DMR 152 Wombat At Large Team Colleague

Extracting a fresh copy of msvcrt.dll from your Windows install disk might do the trick. Which version of Windows are you running?

I have checked for spyware and viruses.

Which exact anti-virus/anti-spyware programs did you run, and did they find anything? If they did detect and fix problems, tell us the names of the "nasties" if you can remember any of them.

DMR 152 Wombat At Large Team Colleague

- Have you had any recent power outages, surges, etc. lately?

- Have you checked inside the computer? Are the fans running? Are all cards and cables firmly seated? Do you see (or smell) any signs of damaged/blown circuitry or other hardware? Do the drives sound like they at least try to spin up, or not?

- Does the computer emit any beeps when you try to start it up? If so, describe the pattern/sequence of the beeps.

- Remove any PCI cards (network card, modem, sound card, etc.) one by one. Will the computer boot when one of those cards is not installed in the system?

- If you have more than 1 RAM module installed, test the modules by installing each one individually and attempting to boot. If the computer fails to boot only when a certain RAM module is installed, replace that module.

- If you have (and know how to use) a voltmeter, check the internal power connection points to make sure the motherboard, drives, etc. are all getting good power.

DMR 152 Wombat At Large Team Colleague

is this due to overheating? but I never had this prob before the home page hijack

Coincidences do happen, so it's best not to rule out possibilities too early in the game. Some of what you've described could indicate overheating, especially since you said that leaving the machine off for a bit seems to stabilize things.

Some basic things to check in terms of thermal/hardware problems:


- Make sure there's no dust buildup on the circuit boards or in the fans and air vents. If there is, buy a can of compressed air and blow the dust out.

- Make sure that all of the computer's fans are running smoothly. Check fans on the CPU, in the power supply, and possibly on the video card. If a fan has failed entirely or doesn't seem to be rotating freely, it should be replaced ASAP.

- Check the heat-sink on the CPU and make sure it is seated properly and securely.

- Check that all circuit boards and cables are firmly seated into their connectors.


If it's a software problem, here are some things to try:

By hitting the F8 key as your system is booting (right at the point where Windows first starts to load) you can bring up the startup menu, which has a few boot options which can be helpful in diagnosing boot/shutdown problems. From the menu:

- Boot the computer into Safe Mode. Does it operate …

DMR 152 Wombat At Large Team Colleague

Well, gee.

For once, Google's no help. I tried searching, and this is the only thread that came up!!! :o

Alex, sometimes ya just gotta be more creative in your Googling... :p

The "Dreaded German Error Message" seems to indicate problems with one or more Windows files related to Rich Text editing/manipulation.

Here's the result of the whole Google search:

http://www.google.com/search?hl=en&q=richedit+spybot+error&btnG=Google+Search

And here are a few of the links which relate specifically to our problem:

http://forums.techguy.org/archive/index.php/t-187967.html
http://www.lavasoftsupport.com/index.php?showtopic=46113&st=0 <-- skip to the end of this thread; most of the middle is just whining
http://www.computing.net/windowsme/wwwboard/forum/40717.html

Hope this helps; let us know if it doesn't.

DMR 152 Wombat At Large Team Colleague

As was responded in that other thread, your suggestion of using FireFox is a good one to not have to deal with this stuff, but you still need to deal with the other browser's issue-- that it has been infected by something, and needs to be handled, for the sake of system security.

True- and unfortunately, Windows users will still need to have Internet Exploder available and functioning, if for nothing else but the simple fact that Windows Update will not work with any other browser. :(

DMR 152 Wombat At Large Team Colleague

um just a stupid little suggestions ... have you tried *flush dns* from cmd prompt ??

And the exact syntax for that command would be:

ipconfig /flushdns

DMR 152 Wombat At Large Team Colleague

Can you post a new log please?

Yes- your first log shows quite a few problems. This time, please make sure you have no instances of Internet Explorer running when you run HijackThis; your last log indicated that Internet Explorer was running at the time you ran HijackThis:

C:\Archivos de programa\Internet Explorer\iexplore.exe

DMR 152 Wombat At Large Team Colleague

Recently we've had a number of questions regarding Anti-Virus programs finding infected files in the C:\System Volume Information\_restore folder, but not being able to delete or fix those files.

One of our members (thanks dlh6213!) suggested that we post instructions for removing those files someplace permanent rather than having to retype or cut-n-paste the instructions into each individual thread on the matter, so here you have it:


The problem:

Windows XP and ME have a tool called System Restore, which works by making automatic scheduled backups ("restore points") of critical windows components, including the registry. That way, if your system becomes corrupted you can ideally "roll back" to a previous, working configuration. The backup files for these restore points are kept in the C:\System Volume Information\_restore folder, which is a hidden system folder.

Unfortunately, if your system is already infected at the time when Windows takes a given restore "snapshot", the infected files get backed up along with everything else. Obviously, this also means that the infections will be reinstalled with everything else if you choose to restore from that snapshot point.

Because the Restore folder is a protected system folder, most anti-virus and anti-spyware programs don't have permission to delete the infected files stored there. To erase the contents of the _restore folder, you need to turn off the System Restore function. When you turn off System Restore, Windows will automatically delete the contents of the _restore folder.

Note that because disabling …

DMR 152 Wombat At Large Team Colleague

Oh, great: you're upper-tier support for Dell, and "ipconfig /all" just came to your mind today....

Sheesh, no wonder I bought an IBM...

Tee :mrgreen: Hee :mrgreen: !

DMR 152 Wombat At Large Team Colleague

OK- see if any of the suggestions help, and keep us posted. :)

DMR 152 Wombat At Large Team Colleague

Hrm...

Additionally, you can open a command prompt in Windows and try ipconfig /all-- that should give detailed IP address, Gateway, and DNS information.

Oh, sure Alex- just give them the easy way out... :mrgreen:

DMR 152 Wombat At Large Team Colleague

it's just that I know nothing about computer...

Don't worry about that, you're not alone. If it wasn't for the people who make and distribute viruses, spyware, and the like, no one who just wants to use their computer for their daily tasks would have to know anything about this stuff.

I have to disable restore and then scan my computer again? This should work?

Yes.

I just did it but my AVG still saying everything is OK and virus free.

That's a good sign.

so should I wait to see if the note of Trojan horse appears again, or do something else?

If your AV program detects the trojan again you should let us know. The other things you should do right now are to make sure that you have the most current critical Windows updates/fixes/patches installed on your system by using the "Windows Update" feature, and to make sure that you keep your anti-virus software up to date by making sure to regularly download the most current virus definition updates for the program.

DMR 152 Wombat At Large Team Colleague

When I go to the "Support" separator of my connection Properties...

That description doesn't sound like you're looking at the standard Windows XP Local Area Connection properties in your Network Connection settings under the Start menu. Seems like you're looking at some vendor-provided connection utility instead.

I have to log off right now ("real life" work calls), but in the mean time can you look at (and post) the settings in the Win XP Local Area Connection properties please? I don't think the Gateway IP of 127.0.0.1 (the local loopback address) you gave is going to work in the Linux setup.

DMR 152 Wombat At Large Team Colleague

Oh, I see- it's an Internet Connection Sharing setup with the Linux/XP laptop getting its Internet access through the desktop machine, yes?

If so, you should check (on the laptop) the TCP/IP settings that you have in XP's Local Area Connection properties, as you'll need to replicate those in Linux's configuration. The first thing to look for in the XP TCP/IP setup is:
is it set to obtain an IP address and DNS server addresses automatically, or is the IP information entered manually under the "Use the following..." options?

Let us know which way XP is configured, and if it's set up manually, please give us the IP/Gateway/subnet mask/DNS info that's entered there.

DMR 152 Wombat At Large Team Colleague

I still have the problem with the "Error in unknown".... Oh and I am also getting another error message too sometimes. User32.dll error?

Please give us the full and exact text of the errors, including any numeric codes that might be in the error dialogs.

DMR 152 Wombat At Large Team Colleague

What else does the message say? If there's more to the message, give us all of it, exactly as it reads.

DMR 152 Wombat At Large Team Colleague

rundll.exe is a Windows system program which is responsible for loading/handling a number of Windows library files (.dlls). Given that, the error could actually be being caused by one of the dlls, but it's impossible to say which one.

- Had you installed/modified/upgraded/deleted any programs, device drivers or other software just prior to this happening?

- Does this happen when you're booted into Safe Mode?

- Do you notice any other strange behaviour or get any other errors? If so, knowing what they are could help us pinpoint the culprit.

- Exit/close all unnecessary programs (including those running in the tray on your taskbar) and see if the problem persists. If not, reactivate the programs one at a time to see if you can find the one that causes the error.

DMR 152 Wombat At Large Team Colleague

If it's a corruption of the operating system, you can try to facilitate a repair by booting into rescue mode from the Windows installation CD and seeing if you can do an automatic repair.

DMR 152 Wombat At Large Team Colleague

If it's been formatted it doesn't matter.

Right- and because it has no operating system on it now, it needs no entry in boot.ini.

DMR 152 Wombat At Large Team Colleague

I believe DMR suspected this; the virus has made its way into your System Restore folder.

Yup, that's the direction my brain was moving in. Thanks for grabbing the follow-up. :)

DMR 152 Wombat At Large Team Colleague

Glad to hear the "solution" was only temporary! :mrgreen:

Seriously though, here's a bit more of an explanation of what I said earlier:

The programs I mentioned fix damage done by malicious programs to your LSP stack:

LSP = Layered Service Provider. Very basically, this is a Microsoft networking software component which is an extension/addition to the core TCP/IP software (TCP/IP stack). The word "layered" refers to the fact that many different individual networking components can be layered/stacked/chained together such that they act as a single "pipeline" for network communication. Unfortunately, malicious programs can insert themselves into this chain to alter that communication; think of it as a parasitic biological organism grafting itself into the ladder structure of DNA.
When the offending program is removed, it leaves a broken link in the chain, which needs to be repaired.

The two programs I mentioned (links below) can do just that, but they should not be used unless you know what you're doing or have received instructions from an expert. Having the programs "fix" the wrong thing can break your networking software even further.

http://cexx.org/lspfix.htm
http://www.bu.edu/pcsc/internetaccess/winsock2fix.html


What you should do:

1. Run Ad Aware and SpyBot again, having them fix everything they find.

2. Download and run the HijackThis utility; among other things, it can detect the presence of a broken LSP stack. In our Security forum you will find many threads containing instruction on just how …

DMR 152 Wombat At Large Team Colleague

Cool- glad we could help you get it sorted! :)

DMR 152 Wombat At Large Team Colleague

when you say reboot, is that synonymous with restart?

Yes, that's exactly it.

In terms of the advice given by deonnanicole and dlh6213, follow all of that advice. You should definitely not install SP2 on an infected system; even Microsoft advises against that.

DMR 152 Wombat At Large Team Colleague

Hang in there- I remember running across this exact problem/message about 2 months ago, but I won't be able to dig back for the information until tomorrow.

I'll post here when I find it.

DMR 152 Wombat At Large Team Colleague

Can you please give us some information as to where (in what folders) AVG found the infected files and what it said it was able (or not) to do with them.

As much information as you can give us will help us get you sorted out most quickly.

DMR 152 Wombat At Large Team Colleague

Yes, the _restore folders under your C:\System Volume Information directory are indeed where the System Restore backups are stored, and they are protected system folders which even anti-virus programs don't have permission to modify.

One of our members had a similar situation only two days ago; read through that thread for more info and (hopefully) a solution:

http://www.daniweb.com/techtalkforums/thread13142-restore+system.html


Also keep in mind that any anti-virus program is only truly effective if you keep it updated with the most current virus definitions. Most AV programs have an option to install those updates automatically, but many will only give you a limited free subscription to those updates. If your subscription has expired, you do need to renew it (even though it will cost $$).

DMR 152 Wombat At Large Team Colleague

Yes....I did save Hijackthis program to a permanent file.

What the others meant is that your log shows that you are running HijackThis from within a Temp/Temporary folder ( C:\Documents and Settings\Stephanie Walker\Local Settings\Temp\HijackThis.exe in your case). I won't go into the details of why, but you should create a new and separate folder for HijackThis, and that folder should not live within/under any Temp folder.

I was referring to the log that I scanned with the Hijackthis program is what i saved to wordpad...not the program itself. Sorry for the confusion.

OK- confusion cleared on that one- thanks.


Your last log showed that you had many programs open when you did your hijackthis scan, including Internet Explorer. HJT cannot perform all of the fixes it needs to if Internet Explorer is running when you attempt the fixes; you need to make sure IE is not running when you do the following, and it's a good idea to close down any other open programs as well.

In terms of the log itself, I'll let crunchie field that for you since he's already picked up on this (and also because he's in a different time zone and probably doesn't have dinner cooking right now.) :mrgreen:

DMR 152 Wombat At Large Team Colleague

would you direct me to a section on the forum where I can ask about alternatives to microsoft, different browsers and internet servers?
joal

General opinion-type questions such as "what browser would you guys recommend using instead of Internet Explorer?" should really be posted in the Geeks Lounge, because the technical areas of the forum are more meant for getting help with specific technical problems. For browsers, if you've already installed a browser other than Internet Explorer and have questions or problems with it, the Windows Software forum is probably the most appropriate place to post.

In terms of non-Microsoft solutions for operating systems or networking/server software, you'll probably get more responses from members experienced in those areas if you post any questions you might have in the Linux/UNIX, Mac, and Networking forums (despite what I just said above regarding the Geeks Lounge).

DMR 152 Wombat At Large Team Colleague

so I restored the ad's that were quarantined on the day I had the problem... and all is back to normal

Um, let's ponder this for a moment: you "fixed" your connectivity problem by reinstalling the malicious or infected files??

Isn't that sort of like a doctor removing a diseased liver from a patient, but then putting it back because he discovered that the patient couldn't function without a liver? :eek: :p

Some malicious programs do integrate themselves into the chain of your networking software in such a way that removing them "breaks" the chain of network communication. The solution, however, is not to reinstall the offending programs, but to use one of the utilities such as LSPFix or WinsockXPfix to repair the damage.

By restoring the quarantined objects, you've almost certainly reintroduced malicious code into your system.

DMR 152 Wombat At Large Team Colleague

Just edit boot.ini to correct the entries.

You don't need an entry in boot.ini for the second drive unless it has an operating system installed on it, and you would like the choice of booting into that OS or the other.

Assuming that the only OS you have installed is Win 2000 on the first primary partition of the primary master drive (drive "0"), a stock boot.ini like this should work:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000" /fastdetect

DMR 152 Wombat At Large Team Colleague

As I couldn't copy/paste the result, I took a screenshot... As for DMR, I'm afraid I don't know what a NIC is

Sorry- NIC = Network Interface Card; the network card in your computer (eth0).

Your screenshot shows the network card to be up and running, with what appears to be a valid IP and subnet mask. That's a good first sign.

I'm using cable access; this computer connects to another one in my network; not sure: I know I get a different IP everytime I reset my modem :o

OK- how exactly are the computers networked? Describe in detail how everything is physically wired together; it makes a difference in terms of what network settings you'll need use on the Linux box.

DMR 152 Wombat At Large Team Colleague

You can find more hijackthis tutorials...

Here: ;)

http://hjt.wizardsofwebsites.com/
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
http://www.angeltowns.com/members/zupe/lsps.html
http://www.help2go.com/article153.html
http://www.fbeej.dk/NewHJTEntries.htm


In terms of viruses and the like, Norton, Sophos, Trend Micro, and other AV companies have areas on their support sites where you can find detailed info on thousands of known malicious programs.

One very helpful thing is to become quite familiar with what files and folders should exist on Windows systems; that will help you more quickly spot possible suspects when you're weeding out an infected computer.

DMR 152 Wombat At Large Team Colleague

There haven't been any further triggers of trojans recently.

This is a Good Thing. :)

However evertime I deny access to svchost I get a constant string of device install errors.

svchost.exe is a normal windows process which loads/handles other services, most of which are valid. You can read more about it here:
http://support.microsoft.com/?kbid=314056

Unfortunately, malicious programs can and do "attach" themselves to svchost in such a way that svchost will load them in the way that Windows loads valid services.

Given the above, if you try to restrict the actions of svchost in general you're bound to have problems such as you describe.

Strangely under one of the accounts there was no content.IE5 folder, the files were just in the temporary internet files folder for some reason.

If it was one of the built-in Windows accounts, that could be normal. Which account name was it?

Also under the main user account in the cookies folder I was unable to delete the index dat file because it was in use

Normal for the index.dat or desktop.ini files in the main folders under which I asked you to delete content. The subfolders also have their own versions of those files; it was those I was referring to.

Well here is the log.

Actually, your log looks clean.

DMR 152 Wombat At Large Team Colleague

Well, my McAfee application is 2004, but that may not mean that it's current enough to deal with whatever trojan strain is occupying my computer.

It isn't the version of your anti-virus program itself that's important- what's important is that you have downloaded the most current virus definition updates for that program; new definition updates for any of the major AV programs can be released as often as every other day. If you haven't kept current with those updates since installing the program itself, your AV program is pretty much useless at this point. Both McAfee and Norton offer free updates for a certain period of time (which varies by product) after installing the programs. Within that time period you can freely download all of the current product updates, but after the time expires you will have to pay a monthly or yearly fee in order to download the updates.

DMR 152 Wombat At Large Team Colleague

Ok I did that, but i'm still unable to go through my system restore files even though I disabled restore. My antivirus was still denied permission.

Yes, the AV program will still not have permission to modify the restore area, but disabling the restore function should have purged the files there. Are you saying that the AV program still finds virus-infected files there?

It's a little worrying that there are viruses in the restore points too!

What happens is this: system restore works by making scheduled backups of critical windows components, including the registry. That way, if your system becomes corrupted you can (ideally) "roll back" to a previous, working configuration. Unfortunately, if your system is already infected at the time when Windows takes a restore "snapshot", the infected files get backed up along with everything else. Thank Microsoft for not having the forethought to check the integrity of the files before backing them up, but that's another story....


As for your log:

1. Have HijackThis fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Omar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {98C4149B-4E13-41B1-8079-9E8965E3AD8A} - C:\WINDOWS\System32\jnp.dll (file missing)
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O18 - Filter: text/html - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll
O18 - Filter: text/plain …

DMR 152 Wombat At Large Team Colleague

Your version of HijackThis is out of date; you should download the newest version (1.98.2), run it, and post the new log.

Also, you said:

i have a problem.

Sooooo..... what is the exact problem? Give us as much info/background as you can.

DMR 152 Wombat At Large Team Colleague

You are running an older version of HijackThis; please download the latest version (1.98.2), run it, and post the log here.

I keep getting reports of the same virus in system volume information? I think this is where my restore points are stored.

That's correct. The Restore folder is a protected system folder, which is why your anti-virus program can't delete the infected files there. To erase the contents of the Restore folder you need to turn off the System Restore function:

1. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

2. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "Apply" button.

3. Click "Yes" in the resulting confirmation box and then click "OK" in the main Properties window.

DMR 152 Wombat At Large Team Colleague

More info on your network setup would help also:

- What make/model of NIC?

- Cable or DSL Internet access?

- Is there a router in the picture, or does the computer connect directly to your cable/dsl modem?

- Are you using DHCP or static IP assignment?

If you're using static IP addressing, check out some of the suggestions in this article:

http://www.stevewolfonline.com/Downloads/DMR/Doc/Linux/Network/NICConfig.txt

DMR 152 Wombat At Large Team Colleague

(will get back to you on the USB thing [need a convertor] )

OK- keep us posted.

DMR 152 Wombat At Large Team Colleague

Questions: I have and use spysweeper. It still indicates that Win32 Driver is present in my register keys. Is there a way to be totally rid of this strain? Also, will my McAfee step up to prevent these viruses from returning? Or is it time to scrap McAfee for Norton Antivirus?

The Win 32 Driver and smsc.exe entries indicate an infection by one of the variants of the AGOBOT/FORBOT worm; assuming that you're using current virus definition updates, any of the major AV packages (including McAfee's) should be able to deal with it.

In terms of your log- it now looks clean, except perhaps for the MaxSpeed entries:

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe

At least one anti-virus company (Sophos) links it to a trojan.

DMR 152 Wombat At Large Team Colleague

I suspect, (after reading many other posts) that the culprit is spyware.

Um, ah, yeah- you could say that... :mrgreen:

You have several infections, and HijackThis alone isn't going to fix them. Let's clean out some of nasties first, then you can post a fresh log and we'll see what's left:

1. Your log shows no anti-virus software running. You should install a good anti-virus/Internet security software package such as those offered by Norton Utilities/Symantec or McAfee. After installing one of these programs and downloading the latest virus definition updates for it, run a full system scan and have the program fix/remove what it finds.

If you don't have/can't buy one of the above programs, go to these two sites to get free online scans:

http://housecall.trendmicro.com/
http://www.pestscan.com/


2. Reboot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

(If you get any messages concerning the deletion of system files such …

DMR 152 Wombat At Large Team Colleague

Temporarily turn off your anti-virus program entirely. If doing that allows you to send photos, turn the AV program on again and try changing the program's settings/preferences to see if you can find a configuration which doesn't interfere with your image uploads/emailings.

Also check the various security settings in your Internet Options control panel; there may be something there which is restricting your ability to transfer certain filetypes.

DMR 152 Wombat At Large Team Colleague

Hotbar is spyware and has probably messed up your system.

Agreed. HotBar is definitely spyware/adware, and like many such programs it may not totally remove itself from your system if you try to uninstall it via the Add/Remove Programs control panel. You should scan your system with the (free) "spyware" utilities Ad Aware and SpyBot Search & Destroy. Download links for those programs are in my sig below, and you can find information on how to use them in many of the threads in our Security forum. As Mike suggested though: please start a new thread in the Security forum if you have more questions regarding HotBar or other spyware.