This seemed to get rid of it for now, although it has come back in the past... it might have been since I didn't double check the files were deleted:
Here is the URL if some of this comes out fucked up
http://forums.us.dell.com/supportfor...ssage.id=13809
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Please delete the old copy (including the zip copy) so it can't be used.
Reboot to safe mode (F8 on boot) and delete the following files/folders:-
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Folder > C:\Program Files\Common files\WinTools\
All contents (BUT not the folder itself) > C:\documents and settings\claudette allen\local settings\temp\ -- all contents--
Reboot
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {C4B42104-8016-4F96-A1BD-2AF627BE9410} - C:\WINDOWS\System32\kfiif.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
The following have randomly named file names, and as such are normally malware, UNLESS you know what they are, and they are from a safe source, please check for removal.
O4 - HKLM\..\Run: [OP61nF] C:\documents and settings\claudette allen\local settings\temp\OP61nF.exe
Then Reboot to safe mode (F8 on boot) and delete the following files/folders:- (Check to make sure they have gone)
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Folder > C:\Program Files\Common files\WinTools\
All contents (BUT not the folder itself) > C:\documents and settings\claudette allen\local settings\temp\ -- all contents--
Then Reboot and post a fresh log for me to check.
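
An added example, not part of the original post or of HijackThis itself: a small triage script for the fresh log, which links each res:// search-page hijack to the BHO that loads the same DLL and flags autostart entries that run from a Temp folder. The three heuristics and the function name `triage` are assumptions made for illustration; the sample lines are copied from the log above.

```python
import re

# Log lines copied from the post above; the format is "<section> - <detail>".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kfiif.dll/sp.html (obfuscated)
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {C4B42104-8016-4F96-A1BD-2AF627BE9410} - C:\WINDOWS\System32\kfiif.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [OP61nF] C:\documents and settings\claudette allen\local settings\temp\OP61nF.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                 # section code, rest of line
RES_RE = re.compile(r"= res://(.+?\.dll)/", re.IGNORECASE)       # DLL behind a res:// value
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.*?)\] (.+)$")       # O4: [value name] command


def triage(log_text):
    """Return {detail: [reasons]} for entries matching the illustrative heuristics."""
    lines = map(str.strip, log_text.splitlines())
    entries = [m.groups() for m in map(LINE_RE.match, lines) if m]
    # Pass 1: DLLs that IE settings were redirected to through res:// URLs.
    hijack_dlls = {m.group(1).lower() for _, d in entries if (m := RES_RE.search(d))}
    findings = {}
    for section, detail in entries:
        reasons = []
        if section in ("R0", "R1") and RES_RE.search(detail):
            reasons.append("IE setting points at a res:// page inside a local DLL")
        # Pass 2: a BHO or search hook that loads one of those same DLLs.
        module = detail.rsplit(" - ", 1)[-1].lower()
        if section in ("O2", "R3") and module in hijack_dlls:
            reasons.append("loads the DLL that serves the hijacked page")
        run = RUN_RE.match(detail) if section == "O4" else None
        if run and "\\temp\\" in run.group(2).lower():
            reasons.append("autostart entry runs from a Temp folder")
        if reasons:
            findings[detail] = reasons
    return findings


if __name__ == "__main__":
    for detail, reasons in triage(SAMPLE_LOG).items():
        print(detail, "->", "; ".join(reasons))
```

The WinTools entries are not caught by these heuristics; in the instructions above they were picked out by name, so an empty result from a script like this does not mean the log is clean.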