Irritated beyond comprehension!

Hi…new here, and I have a problem. It’s not with avast, just with whatever Virus crap is on my computer, and it is getting VERY irritating.

I am using avast 4.6

Current version of virus defintion = 0519-2 05/12/05

Here is what has been happening.

I start up avast, and it detects some kind of trojan/virus in my memory, and asks me what it wants me to do. I follow the recommendation and send it to chest.

Now, it wants me to reboot so it can scan before windows starts. So I do, my computer reboots, and it scans.

It finds all sorts of crap. Mostly things in the windows system folder, and mostly trojans.

I forget the exact names of all of them. I have done the boot scans multiple times,and tried delete. Didn’t work. Recently I just tried Move. When I went in to open my moved folder, the files were there, but they immediatly disappeared on me :open_mouth:

So now I ran avast again, it didn’t find anything in my memory, so I am performing a thorugh scan.

It just found something as I am typing this. I am going to try and list everything it finds, and I am going to follwed the Recommeded action. BTW I am using Windows XP Home Edition. Also, I know most of this crap comes from Internet Explorer, so I tried removing it and I installed FireFox, but I have no idea if Internet Explorer is really gone, or if that made a difference. OK here we go. Here is what it just found.

Malware Name: Win32:Adan-003 [Adw]
Malware type: Adware

I moved to chest

It appears it just found the same thing location is

C:\Documents and Settings\Dead Reckoning\Local Settings\Temp\trz7B.tmp

I try to move to chest and it gives me an error. Says

The volume for a file has been externally altered so that the opened file is no longer valid.

Then it says Cannot process “C:\Documents and Settings\Dead Reckoning\Local Settings\Temp\trz7B.tmp” file

I click ok…now I will try and delete it…and now it continues to scan.

I will keep you guys updated.

In the meantime. WHY in the hell is it detecting the same things over and over during boot scan, and I try and get rid of it. BUT IT WON’T removie it.

It’s getting on my nerves.

Any recommendation on how to completly clean my system and then further protect it?

After reading some topics, I went and downloaded Hijack This.

This is the logfile.

Logfile of HijackThis v1.99.1
Scan saved at 11:46:15 AM, on 5/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox 4\mim.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\wincv32.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Dead Reckoning\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxess.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {EE6513A2-ECF0-EC46-5C08-337375A1D7E6} - C:\WINDOWS\sysoz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM..\Run: [KAV50] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe” -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM..\Run: [wincv32.exe] C:\WINDOWS\wincv32.exe
O4 - HKLM..\RunOnce: [atlge.exe] C:\WINDOWS\system32\atlge.exe
O4 - HKLM..\RunOnce: [mfcax32.exe] C:\WINDOWS\system32\mfcax32.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111500282158
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcvf.exe" /s (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

I have no freaking clue as to what this means.lol

Any help?

Hi,
See if you have any of those:
Sahagent.log (in C:)
HKEY_LOCAL_MACHINES\Software\Vgroup (in the registry)
HKEY_LOCAL_MACHINES\Software\Vgroup\SAHAgent (in the registry)
Remove them if you do.

Also, try this:

  1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit

    Then click OK. (The Registry Editor opens.)

    1. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    2. In the right pane, delete the value:

      “SAHBundle”=“%Temp%\bundle.exe”

    3. Navigate to and delete the key:

      HKEY_LOCAL_MACHINE\Software\VGroup

    4. Exit the Registry Editor.

If none of the above work:

  1. Download Hijackthis and post a logfile in this thread.
  2. Download and run:
    Ad-Aware and/or Spybot and/or MS antispyware and/or ewido and/or a-squared and try to clean with them.
  3. If that fails too, run MWAV & CureIt!

(All of the above programs are free - you can find links at my website)

If all of the above fails … pray! :wink: ;D ::slight_smile:

Thanks.

I did post a log btw.

Although you probably didn’t see it as you were typing :wink:

Anyway, I will try what you said.

I had this

HKEY_LOCAL_MACHINES\Software\Vgroup (in the registry)

I deleted. I didn’t have any of the others.

And I have tried like hell with adaware. I removed them, but it seems they just keep coming back…

One of them is Coolwebsearch, and I heard it’s a bitch to get rid of.

I even downloaded CWS Shredder, but that didn’t seem to work. So I have no idea.

Maybe you can tell me something about the log I posted.

Take a look here
http://hijackthis.de/logfiles/4093ff0a893d6642dda7ff961f5b0d3b.html

Fix those, but not the ones at O23 that deal with avast.
Also, I suspect the logfile is incomplete.
Also, I see you run avast + KAV 5. Those two don’t get along well. Decide which one you keep.

Follow the rest of my previous post & then take some time and read through my website to learn how to protect your system better.

**PS: just saw your new post. Look at the log analysis, fix them & run the rest of the stuff I told you.

OK I downloaded ewido security suite that I got from your site. I am running it now, and has found some cookies…irritating as all hell.

Is there anyway to completly remove internet explorer from my computer, and everything that goes with it, and just use FireFox?

No, IE is an integral part of your OS, it is used to display many things in windows, like explorer, OE email, Help files, Help and Support, etc., etc. Not to mention windows update, you can’t access it with firefox.

I use firefox as my primary browser and Avant for sites that I can’t access with firefox (windows update, etc.), there are many other IE based browsers you can use and still avoid IE directly.

I don’t know much of your pc-problem (too difficult for me ;D ) but I know for shure that if you remove IE completely you will have various problems with other programs depending on it and also you will not be able to update windows anymore.
So, whatever you do, don’t remove internet explorer…

@DavidR : maybe a silly suggestion, but is’nt it so that in these cases, to fully get rid of malware, one should disable system-restore temporarily ? ( and reanable it after reboot once the system is cleaned ?)

I would say that it entirely relies on the location of the malware.

If for instance it is in the Internet or Temp files, then I don’t believe there is a requirement to disable system restore.

If however, it is in one of the windows system folders (a common target of some malware), then windows will try to protect it by moving a copy to the system volume information folder, these are the times when you should disable system restore, boot, deal with the problem, enable and boot again.

One of the major problems is browsing when you are logged on with administrator privileges, then the malware also has admin permissions. If only people would use MS DropMyRights which allows you to be logged on with admin privileges but restricted browsing privileges.

ok I ran ewido and this is the report.

[b]---------------------------------------------------------
ewido security suite - Scan report

  • Created on: 1:43:55 PM, 5/13/2005

  • Report-Checksum: 8945284

  • Date of database: 5/13/2005

  • Version of scan engine: v3.0

  • Duration: 61 min

  • Scanned Files: 56108

  • Speed: 15.31 Files/Second

  • Infected files: 23

  • Removed files: 23

  • Files put in quarantine: 23

  • Files that could not be opened: 0

  • Files that could not be cleaned: 0

  • Binder: Yes

  • Crypter: Yes

  • Archives: Yes

  • Scanned items:
    C:\

  • Scan result:
    C:\Documents and Settings\Dead Reckoning\Cookies\dead reckoning@a.websponsors[2].txt → Spyware.Tracking-Cookie → Cleaned with backup
    C:\Documents and Settings\Dead Reckoning\Cookies\dead reckoning@ads.addynamix[1].txt → Spyware.Tracking-Cookie → Cleaned with backup
    C:\Documents and Settings\Dead Reckoning\Cookies\dead reckoning@search.msn[2].txt → Spyware.Tracking-Cookie → Cleaned with backup
    C:\Documents and Settings\Dead Reckoning\Cookies\dead reckoning@z1.adserver[1].txt → Spyware.Tracking-Cookie → Cleaned with backup
    C:\Documents and Settings\Dead Reckoning\Local Settings\Temp\sahagent.exe → Spyware.Sahat.m → Cleaned with backup
    C:\Program Files\YourSiteBar\ysb.dll → Spyware.YourSiteBar.c → Cleaned with backup
    C:\WINDOWS\aslth.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\cehlu.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\hbulj.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\hqtpi.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\HQTPI.DLL.VIR → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\jjard.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\Nail.exe → Trojan.Nail → Cleaned with backup
    C:\WINDOWS\ohqfh.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\SYSTEM32\atcwv.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\SYSTEM32\dcwvy.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\SYSTEM32\kfnhy.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\SYSTEM32\oxess.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\SYSTEM32\rcxgc.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\tnfex.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\twhjb.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\wwlgu.dll → Spyware.SearchPage → Cleaned with backup
    C:\WINDOWS\zexmt.dll → Spyware.SearchPage → Cleaned with backup

::Report End[/b]

Should I do anything else?

Do I need to disable system restore, then run avast in boot mode, then reenable it?

David, what is MSDropMyRights, what does it do, will it help protect my computer, and where do I get it?

Thanks for all of your help guys.

I’d say, run Mwav tool too. It doesn’t remove anything, but if any malware is left it will tell you the exact location, so you can delete it manually.

I may suggest running the online spyware and virus scans in my signature.

Ok here we go. This is the report file for avast for the last 2 boot scan. Both done today.

[b]----------------------------------------
05/13/2005 10:40
Scan of all local drives
File C:\Program Files\SideFind\sidefind.dll is infected by Win32:Trojan-gen. {Other} - Repair: Error 42060, Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP68\A0006056.exe is infected by Win32:Trojano-1175 [Trj] - Repair: Error 42060, Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006525.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006526.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006527.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006531.dll is infected by Win32:Trojan-gen. {Other} - Moved
File C:\WINDOWS\ahadp.exe is infected by Win32:Trojan-gen. {Other} - Moved
File C:\WINDOWS\applk.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\WINDOWS\mfcjm.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\WINDOWS\ntov32.exe is infected by Win32:Trojano-1079 [Trj] - Moved
File C:\WINDOWS\SYSTEM32\apics.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\WINDOWS\SYSTEM32\iepw.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\WINDOWS\SYSTEM32\ipst32.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\WINDOWS\SYSTEM32\javexulm.vxd is infected by Win32:Trojan-gen. {VC} - Moved
File C:\WINDOWS\SYSTEM32\mqexdlm.srg is infected by Win32:Exdl [Adw] - Moved
File C:\WINDOWS\SYSTEM32\msoe32.exe is infected by Win32:Trojano-1079 [Trj] - Moved
File C:\WINDOWS\SYSTEM32\ntdh32.exe is infected by Win32:Trojano-1079 [Trj] - Moved
File C:\WINDOWS\SYSTEM32\Poller.exe is infected by Win32:Trojano-1267 [Trj] - Moved
File C:\WINDOWS\winbx32.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\WINDOWS\winin.exe is infected by Win32:Trojano-1175 [Trj] - Moved

Number of searched folders: 2540
Number of tested files: 46098
Number of infected files: 20


05/13/2005 14:01
Scan of all local drives
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006532.exe is infected by Win32:Trojan-gen. {Other} - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006533.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006534.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006535.exe is infected by Win32:Trojano-1079 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006536.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006537.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006538.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006539.vxd is infected by Win32:Trojan-gen. {VC} - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006540.srg is infected by Win32:Exdl [Adw] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006541.exe is infected by Win32:Trojano-1079 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006542.exe is infected by Win32:Trojano-1079 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006543.exe is infected by Win32:Trojano-1267 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006544.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006545.exe is infected by Win32:Trojano-1175 [Trj] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006905.dll is infected by Win32:Trojan-gen. {Other} - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006906.exe is infected by Win32:Trojan-gen. {Other} - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006907.vxd is infected by Win32:Trojan-gen. {VC} - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006908.srg is infected by Win32:Exdl [Adw] - Moved
File C:\System Volume Information_restore{7567B4DD-182B-478F-936D-490085F4AE51}\RP72\A0006909.dll is infected by Win32:Trojan-gen. {Other} - Moved

Number of searched folders: 2351
Number of tested files: 33671
Number of infected files: 19[/b]

I can also post the first 3 boot scans. But I think this is enough for you guys. What should I do?

Disable System Restore & reboot the PC. Do another scan, but you should be OK this time.

How do I do that exactly?

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm :wink:

Enable/Disable System restore on Windows ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887
Enable/Disable System restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Disable (and enable it after) System Restore
Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok