Locksky and adware that I can't resolve

[lc7collie]

The computer was infect by coolwebsearch and spy axe and locksky. Looking over your forums and using the tools you suggested I have been able to get the system almost clean. I am running windows XP. Before listing this post I have looked over the 5 steps you suggest before posting, so I hope I'm ready for your help.

I will include my HJT and Panda's log.
Logfile of HijackThis v1.99.1
Scan saved at 10:07:37 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\alt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.taboo.com/
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = taboo.local
O17 - HKLM\Software\..\Telephony: DomainName = taboo.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E958F73E-FFBC-4BE5-80D0-8672C41C2AEA}: NameServer = 192.168.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = taboo.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = taboo.local
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

This is panda's log.
Incident Status Location

Adware:Adware/WinHound Not disinfected C:\boot.inx
Virus:Trj/Mitglieder.GB Not disinfected Personal Folders\Deleted Items\Samuell\Ellyn.zip[1.exe]
Virus:Trj/Brospy.K Not disinfected C:\WINDOWS\1993.exe
Adware:Adware/Miamore Not disinfected C:\WINDOWS\system32\browsela.dll
Virus:Bck/Galapoper.IE Not disinfected C:\WINDOWS\system32\paradise.raw.exe
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\per.exe
Virus:W32/Locksky.AB.worm Not disinfected C:\WINDOWS\system32\sachostc.exe
Virus:W32/Locksky.AB.worm Not disinfected C:\WINDOWS\system32\sachostp.exe
Virus:W32/Locksky.Z.worm Not disinfected C:\WINDOWS\system32\sachosts.exe
Virus:W32/Locksky.X.worm Not disinfected C:\WINDOWS\system32\sachostw.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\tttttt.exe
Adware:adware/adsmart Not disinfected C:\WINDOWS\system32\vx.tll
I am thanking you in advance because I have seen what a complete job you guys do.

Thanks
Linda

[greyknight17]

Welcome to TSF.

Go into your email program (Outlook or Outlook Express) and in your deleted items folder (or maybe trash bin) make sure you empty it out.

Download win32delfkil.exe http://users.telenet.be/marcvn/tools/win32delfkil.exe and save it on your desktop. Double click on win32delfkil.exe to install it. This creates a new folder on your desktop called win32delfkil. Close all windows. Open the win32delfkil folder and double click on fix.bat. The computer should reboot automatically (if you, restart it yourself). Post the contents of c\windelf.txt in the forum.

Check and fix these in HijackThis if found:

O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\boot.inx
C:\WINDOWS\1993.exe
C:\WINDOWS\system32\browsela.dll
C:\WINDOWS\system32\paradise.raw.exe
C:\WINDOWS\system32\per.exe
C:\WINDOWS\system32\sachostc.exe
C:\WINDOWS\system32\sachostp.exe
C:\WINDOWS\system32\sachosts.exe
C:\WINDOWS\system32\sachostw.exe
C:\WINDOWS\system32\tttttt.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\adsldpbf.dll
C:\WINDOWS\alt.exe

If you get a PendingOperations message, just close it and restart your computer manually.

Restart...Run a new Panda scan and post that log here along with a new HijackThis log.

[lc7collie]

I have followed your instructions and now Panda says I'm clean. I have no report to post from Panda - because its clean.

This is my new HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:40:18 AM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.taboo.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = taboo.local
O17 - HKLM\Software\..\Telephony: DomainName = taboo.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E958F73E-FFBC-4BE5-80D0-8672C41C2AEA}: NameServer = 192.168.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = taboo.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = taboo.local
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

You also asked for the contents of c\windelf.txt
* WIN32DELFKIL.EXE *
********************

win32delfkil.exe removes Trojan-Downloader.Win32.Delf.pa, also known as Trojan.Stwoyle, from the computer.

Use this tool on your own risk.

Unzip the files to your desktop. A new folder will be created: win32delfkil.
Close all open windows and save all your documents.
Open the win32delfkil folder and double click on fix.bat.
If the computer does not reboot automatically when the batfile is finished, you'll need to reboot your computer manually, by turning the power off and then back on.

At this moment the random filenames q*.dll and g*dll in the windowsdirectory are NOT deleted.(* = random numbers)
After rebooting, you can delete these files by using windows explorer and looking for the files. Rightclick on the files and choose "delete".

A Logfile is saved in c:\windelf.txt

If the tool doesn't work, there will be probably a new clsid under Sharedtaskscheduler and / or a new notify key.


BHO's which are being deleted:
----------------------------
{B212D577-05B7-4963-911E-4A8588160DFA}
{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
{0976BE78-EA53-4DD6-91E6-E6175940032B}
{405132A4-5DD1-4BA8-A181-95C8D435093A}
{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
{7A7E6D97-B492-4884-9ABB-C31281DCC4F2}
{16875E09-927B-4494-82BD-158A1CD46BA0}
{C7CF1142-0785-4B12-A280-B64681E4D45E}
{8D82BB89-B58C-4F21-9C5D-377F65947806}
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
{826B2228-BC09-49F2-B5F8-42CE26B1B711}
{826B2228-BC09-49F2-B5F8-42CE26B1B712}
{C0E5FF11-4AE0-4699-A6A7-2FB7118F2081}
{FCADDC14-BD46-408A-9842-111111111111}
{E412F14A-E998-4543-9E7A-1031A3189A87}
{D8569837-3CD6-4AD7-9A77-65975B581925}
{08DF42F3-792D-4944-941B-512582B87219}
{11111111-2222-408A-9842-CDBE1C6D37EB}
{DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}
{7507739F-BC2E-4DC3-B233-816783C25DC9}
{EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6}

Notify keys which are being deleted:
------------------------------------
style2
Style32
st3
st3i
gg
gggg
ggggg
gs
st3d
browsela

Sharedtaskscheduler keys which are being deleted:
-------------------------------------------------
{B212D577-05B7-4963-911E-4A8588160DFA}
{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
{7A7E6D97-B492-4884-9ABB-C31281DCC4F2}
{16875E09-927B-4494-82BD-158A1CD46BA0}
{C7CF1142-0785-4B12-A280-B64681E4D45E}
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
{DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}
{86AA461F-2A5B-4889-B543-E1BBA6746D61}
{31EE3286-D785-4E3F-95FC-51D00FDABC01}

Run keys which are being deleted:
---------------------------------
ClearCookies

Files which are being deleted:
------------------------------
windows\q*_disk.dll (or WINNT\q*_disk.dll)
windows\adsldpbc.dll (or WINNT\adsldpbc.dll)
windows\adsldpbd.dll (or WINNT\adsldpbd.dll)
windows\adsldpbe.dll (or WINNT\adsldpbe.dll)
windows\adsldpbf.dll (or WINNT\adsldpbf.dll)
windows\slassac.dll (or WINNT\slassac.dll)
windows\cc.exe (or winnt\cc.exe)
windows\mpatrol.dll (or WINNT\mpatrol.dll)
windows\netdde.dll (or WINNT\netdde.dll)
windows\prflbmsgp32.dll (or WINNT\prflbmsgp32.dll)
system32\winstyle2.dll
system32\winstyle3.dll
system32\winstyle32.dll
system32\prflbmsgp32.dll
system32\st3.dll
system32\browsela.dll


---------------
Version History
---------------
Version: 1.0

Version: 1.1
Fix for windows 2000 if shutdown.exe is not present.

Version: 1.2
new bho and Sharedtaskscheduler key added: clsid {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

Version 1.3
new bho and Sharedtaskscheduler key added: clsid {7A7E6D97-B492-4884-9ABB-C31281DCC4F2}

version 1.4
new bho and Sharedtaskscheduler key added: clsid {16875E09-927B-4494-82BD-158A1CD46BA0}

Version: 2.0
Logfile added: After running the tool you can find logfile in c:\windelf.txt)
Fixed the automatically reboot for windows 2000.

Version: 2.1
new bho and Sharedtaskscheduler key added: clsid {C7CF1142-0785-4B12-A280-B64681E4D45E}

Version: 2.11
new bho added: clsid {8D82BB89-B58C-4F21-9C5D-377F65947806}

Version: 2.2
new bho and Sharedtaskscheduler key added: clsid {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
new key under notify: st3

Version: 2.21
new key under notify: st3i

Version: 2.30
new keys under notify: gg and gggg
new bho's: {826B2228-BC09-49F2-B5F8-42CE26B1B717} and {826B2228-BC09-49F2-B5F8-42CE26B1B712}
If the notifykey gg is present you need to reboot manually, by turning the power off and then back on.

Version: 2.31
new key under notify: ggggg
new bho: clsid {C0E5FF11-4AE0-4699-A6A7-2FB7118F2081}

Version: 2.32
new key under notify: gs

version: 2.33
run key added: ClearCookies
new file: C:\WINDOWS\cc.exe
added a few older CLSID's (thanks to Ton)

version: 2.34
new files: adsldpbe.dll
new bho: {7507739F-BC2E-4DC3-B233-816783C25DC9}

version: 2.35
new random files in windows directory: g*.dll

version: 2.36
run key added: AlexaToolbar
new file: c:\windows\alt.exe

version: 2.37
new file added: st3d.dll
new notify key: st3d
new sharedtaskkey: {86AA461F-2A5B-4889-B543-E1BBA6746D61}

version: 2.38
new notify key: browsela
new sharedtaskkey: {31EE3286-D785-4E3F-95FC-51D00FDABC01}
new file added: c:\windows\system32\browsela.dll
If the notifykey browsela is present you need to reboot manually, by turning the power off and then back on.

version: 2.39
new file: C:\WINDOWS\adsldpbf.dll
new bho added: {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6}



-------------------------
Contact: marcvn@gmail.com
-------------------------

Thank you for your help
Linda

[sUBs]

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
    
    
    
11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[lc7collie]

When I try to run control sysdm.cpl,,4 I get the following error message.

An exception occured whiel trying to run "Shell32.dll, control_runDLL sysdm.cpl,,4

Thanks for your help.
Linda-

[sUBs]

Please try this...

Start > Run - type sysdm.cpl

• Select the System Restore tab
• Tick on the checkbox - Turn off System Restore on all drives
• Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

[lc7collie]

When I try to run sysdm.cpl

I get the following error message.
An exception occured while trying to run "Shell32.dll,Control_RunDLL"

Is it possible that I corrupted the Shell32.dll before I asked for help and if so is there any way to correct this?

I have also tried downloading AVG Antivirus and it installed OK but I keep getting a error on updating. Could this be related?

Thanks
Linda

[sUBs]

Linda,

Go to Start >Run - type Inf <Press Enter>

In the ensuing Window, locate this file - sr.inf

Right click on it & select Install

# # If the Files Needed dialog box appears, click Browse and point to the C:\Windows\ServicePackFiles\i386 folder.

You may need to reboot before it takes effect.

Let me know how that went

[lc7collie]

That worked. However, when the files needed box came up, I don't have a C:\Windows\ServicePackFiles\i386folder, but I put the XP disk in and was able to work that way. System Restore seems to work ok now. I have tried downloading AVG and got an error message
Error: Action fialed for registry key HKLM\SOFTWARE\Classes\AVG.Kernel: creating registry key Acces is denied (5)

So I logged in as Administrator and downloaded it and itstalled ok. However now I'm in a circle it tells me that the update needs to restart. So I restart, then try to update then it tells me update unsucessful. Then it will tell me it needs to restart for the update to take affect. Now I'm in a circle. Can you help with this or should I contact Grisoft.

Thanks again for all your help.
Linda

[sUBs]

Best that you contact Grisoft. I have no experience with AVG.

[lc7collie]

Thank you so much for your help.

Linda