kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Wow man ur comp is a mess. Well let's get started then. First of all this isn't a complete log; there should be 023 entries at the end of the log and urs ends with 016. Please get the other part of the log. We can't get rid of anything till I have that other part, or it will just keep coming back. Thx.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Look at the Stickies and download HiJack This from those directions, run it, and copy and paste the log to here. Thx.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Your log looks clean and AVG cleaned everything it found. Could you be more specific and tell me exactly what the problem is in detail? Thx.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

It could be one of two things: one is that the malware on the comp isn't the best and is only able to connect thru her internet settings/type, or she might be the target of a hacker who just wants to annoy her. Regardless, let's see the HJT log.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

From what I have been researching, yes. In every example of this I could find, the user said that they had iTunes for NT, but then again starting the service worked in all the examples I could find, but not in yours. What I would do is uninstall it and see if that clears things up. If not, reinstall it and we'll go from there.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

The folder thing is this. C:\Documents and Settings\Family\Desktop\HiJackThis_v2.exe is where HJT is right now, which is on the desktop, right? But I want u to make a new folder by right clicking and then going to new>folder. Then click and drag HJT into that folder. Anyways I've been looking around for more info on this and most people's computers worked after starting up that service again. It looks like iTunes is what starts all of this though. There was only one other reason that I could find for the taskbar turning grey and that was a spike in svchost.exe CPU usage. Try the following: open Task Manager, click on the Processes tab and see how much CPU svchost.exe is using. If it is high try ending it and restarting it. If it isn't then try ending all iTunes processes and see if it will work.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First, before we do anything, please put HJT into its own folder. I looked over your log and I didn't see anything malicious. It seems that this is caused by some sort of conflict between iTunes and Windows NT. Try going to Control Panel>Administrative Tools>Services and making sure "Windows Audio" is running. And is it just the taskbar that turns grey or is it the entire desktop as well?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

The Indexy ones. lol. prolly he's referring to the index.dat. That's my best guess.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

And now onto the HJT log. I don't see anything malicious in this log, which is a little weird. A couple questions though. First, what is the D:\ drive? Is it a main drive for the company or a secondary drive on the computer? Also most of the stuff seems to be in the temp folders. There's a great program called CCleaner that will clean the temp very nicely.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Terasad please do not "piggyback" off other people's threads. Please start a new one. Thx

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Looks like you have got infected with a little thing called my websearchbar. Not that bad, but very annoying. Ok here's what to do.

First of all open Control Panel and go to add/remove programs.
Look for anything like My Way, My Websearch bar or something similar and remove it.

Now run HJT and put a checkmark next to the following items.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm801YYUS

There are also a few others that are not mywebsearch; check these as well.

O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\spamblockerutility\sbtv\sbtvhelper.dll
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.8.2.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.6.0\SbOEAddOn.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Now click fix checked.

Now, using My Computer, navigate to the following files/folders and delete them.
C:\Program Files\MyWebSearch\
c:\program files\spamblockerutility\
C:\PROGRA~1\BFGTOO~1\ (~1 could be anything, probably toolbar)
C:\Program Files\Optimum Online\
C:\Program Files\HbTools\
C:\Program Files\SpamBlockerUtility\

After you delete …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First thing he did.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

My friend has a microsoft windows wireless mouse and all of a sudden it just stopped working. I have checked his comp for viruses and other malware and it's clean. I only had view point. I'm wondering if there is any way any mouse-related files could have been corrupted or if there is anything that could have caused this to happen. Thanks for any help.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Hmm.. This might be bad. I remember a couple years ago when I had the same thing. I chose to reformat my hard drive, but let's see if we can keep you from having to do the same. Download this rootkit analyzer. Install it and run it. Put a checkmark in the box that says show hooked services only and then hit analyze. Click export at the bottom and then save the notepad file to My Documents. Post the contents of that text file. Sorry for the delay too, I was on a ski trip in Wisconsin and I didn't have access to a computer.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Unfortunately my keyboard is broke right now and I'm using an onscreen keyboard. When my keyboard is fixed I will type a better response. For now see if you're able to download avg-anti spyware. Your log is still clean. We'll have to check rootkits next.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Move HJT to a permanent folder. Right now it is running from your temp. Move it to somewhere like C:\HJT\ or something similar. Also rename it to something else like scanner or hello. Then run it again and post a new log.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Okay thanks for that screeny. It looks like the trojan is running from the temp only. Okay do the following.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First press alt+ctrl+del and end any norton processes. Then cancel the avg scan and delete the ones it's found so far. If you can get to Start>Run, then type in Msconfig and enter. A box will pop up. Go to the start up tab and uncheck all of the norton processes and avg processes. Now turn off your computer and turn it back on. That should get rid of the process lag. From there we should be able to get a better hold of things.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First of all Norton is the worst firewall protection available. Get mcafee or something better. Norton takes up more memory than any other thing and its protection is third rate. AVG is fine, let it run and then delete everything it finds. There is a norton removal tool that you can get by googling norton removal tool. That should help the process lag.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Run HJT and check the following.
O11 - Options group: [INTERNATIONAL] International*
click fix checked.

If you think there's still crap left over I suggest getting crap cleaner. Here's the instructions for it.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok. Not too bad.
First move HJT to a permanent folder such as C:\HJT\ or something similar. Now run HJT and place a checkmark next to the following.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O11 - Options group: [INTERNATIONAL] International*
Now close all other windows and click fix checked.

Now boot into safe mode by restarting your computer and tapping F8 during startup and delete the following using My Computer.
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\

Reboot back to normal mode.

And could you give me the details of the comp crash you mentioned in the last post?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Currently I am at my public library but when I get home I will tell you how to get rid of that annoying little trojan.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Cuts ya deep. Eh, crunchie

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Could you please post this not in code format so that it is easier to read and fix? After you do that I will take a look at it and we'll fix this trojan.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Your log looks clean. If you're not experiencing any problems then you can mark this thread as solved. There should be a link at the top of the page.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

No Problem, but we really didn't do anything. :)

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First of all move HJT to a permanent folder such as C:\HJT\ or something similar.
Okay a couple things are left on your computer.
First run HJT and place a checkmark next to the following.
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
O1 - Hosts: "http://www.w3.org/TR/html4/loose.dtd">
O1 - Hosts: <html>
O1 - Hosts: <head>
O1 - Hosts: <script LANGUAGE="JavaScript">
O1 - Hosts: <!--
O1 - Hosts: if (window != top)
O1 - Hosts: top.location.href = location.href;
O1 - Hosts: // -->
O1 - Hosts: </script>
O1 - Hosts: <title>Site Unavailable</title>
O1 - Hosts: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O1 - Hosts: <style type="text/css">
O1 - Hosts: body{text-align:center;}
O1 - Hosts: .geohead {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;width:750px;margin:10px 0 10px 0;height:35px;}
O1 - Hosts: .geohead #geologo {width:270px;display:block; float:left; }
O1 - Hosts: .geohead #rightside {width:480px;display:block; float:right;border-bottom:1px solid #999999; height:27px;}
O1 - Hosts: .geohead #rightside #welcome {width:50%;display:block; float:left; text-align:left;}
O1 - Hosts: .geohead #rightside #wlinks {width:50%;display:block; float:right; text-align:right;}
O1 - Hosts: .ftr { margin:0px; color:#404040; font:x-small Arial,sans-serif; text-align:center; width:750px;}
O1 - Hosts: .bodywrap{display:block;height:470px;}
O1 - Hosts: .bodycnt{width:510px; display:block; float:left; background-color:#EEE9F5; height:auto; text-align:left; font-family:Arial, Helvetica, sans-serif;font-size:13px; color:#000000; padding:20px 20px 35px 20px;}
O1 - Hosts: .title { font-family:Arial, Helvetica, sans-serif; font-weight:bold; font-size:24px; color:#7C56A9}
O1 - Hosts: .adcnt{width:172px; display:block; float:right; text-align:left;cursor:pointer;cursor:hand;}
O1 - Hosts: .adcnt td {text-align:left;}
O1 - Hosts: .adsubt{font-size:10px; font-family:verdana; font-weight:bold; color:#b4b4b4; …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Please download and install ewido anti-spyware tool (now called AVG)

  • Close all other Applications Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait Ewido will open main screen automatically.
  • Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
  • This is very important to get updates
  • When updating has finished. Close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner top of Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Thanks for the advice but after doing a little more research I found the most common cause of this was loose wires. And sure enough when I tightened all of the wires in my computer no more error. Thanks anyways though.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

The log is clean, however I noticed a few things while checking it out. You have a long list of start up processes and a large list of running processes as well. You said you had to exit out of a program once to see the toolbar; that might indicate you don't have enough memory to be running all the things you do. Could you give me the size of your hard drive and your memory?

Getting back to the hacking theory. If this is a hacking attempt it would probably be a live person that chose to hack YOU personally. The hacking possibility though is very low and I'm sure he/she would have a purpose of hacking you other than just slowing your computer down.

You said you could no longer log into guru.com with ff. Well at the top of ff go to tools>options. When that menu pops up go to the privacy tab. Then click on exceptions and make sure guru.com or www.guru.com are not in there and being blocked.

Also have you run a scan with ewido/AVG since this problem started? If you haven't, then run one and post the log here.

One last thing I want to check is your Rootkits. So go here and download Rootkit Hook Analyzer. Once downloaded install and run. Click analyze and then check the box that says show only hook processes. Then hit export and it should …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Suddenly upon booting my computer I get the error NTLDR is missing press alt+ctrl+del to reboot. I have tried some of the fixes online but they all include using the win xp disc to boot to command prompt. I don't have the win xp recovery disk, but I do have my emachines recovery disk which allows me to boot to command prompt. The fixes I saw all say that the command prompt should start with c:\ but mine starts with a:\>. Also I cannot find which drive is my cd drive because I have 7 drives on my computer. I tried d:\ but it says invalid drive so I don't know if that's because my cd drive isn't the d drive anymore or because something else is wrong. I'm posting this in the mod section because I think this is where the smartest of each forum gather. Thanks for any help I get.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Is it one of the pop ups where it asks you to either send or don't send the error report to microsoft? If it is, there is usually a view details thing you can click. Click on that and post what it says.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

I had the victim rename hijackthis.exe to hello.exe. But it came out as hello.exe.exe. I was under the impression that antivir was aol's firewall but I guess not. Ok you should get rid of it, so go to control panel and then add/remove programs and look for avira or antivir and remove it.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Hmm. Still clean. I'm gonna pm some more experienced members. We'll figure out what's wrong.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Because the log was saved before you actually clicked apply all actions. So as far as the log knew you didn't do anything, when really you did.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Just ignore it. It is just telling you that an exe file's name is being changed and that the exe might be harmful and it's just disguising itself as something harmless. Except in the case we know it's not, so just select ignore.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok. Still didn't rename it. Go to the actual Hijackthis.exe (the one you double click to make the logs) and then right click it and click rename. Type in hello.exe and then enter. Now it should be called hello.exe instead of hijackthis.exe. Run the HJT with the changed name and then put that log here.

Also you mentioned something in your private message to me. Could you please clarify that?

Thank you.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

I'm Stupid.
I haven't tried the most obvious thing yet. Ok rename hijackthis.exe to something else such as hello.exe. Do another scan and post the log here.

Forget to do something? :)

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

I'm Stupid.
I haven't tried the most obvious thing yet. Ok rename hijackthis.exe to something else such as hello.exe. Do another scan and post the log here.

Also there is still one thing left of mcafee so do the following.
Run HJT and check the following.
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
Click fix checked.

Go to the delete a service thing again and type in McAfee SystemGuards (McSysmon).

Ok now just waiting for that renamed HJT log. Thank you for your patience, I'm sorry it's taking so long.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok well that clears things up for me. I thought you had uninstalled McAfee and then AOL gave you another McAfee for free. Ok now that I know that please do the following.

First open up task manager (alt+ctrl+del) and end Mpftray.exe.
Now run HJT and check the following.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
Click fix checked

Now in HJT click on config and then go to the misc tools tab.
Click on delete an NT service and then copy and paste the following in and hit ok.
First this one. McAfee SystemGuards (McSysmon) <-- Might not need parens. Then click Ok.
Now this one. SiteAdvisor Service. Then click ok.

Now go in to my computer and go to the C drive and then program files. Delete the McAfee folder and the mcafee.com folder. That should get rid of any traces of McAfee on your computer. This might be the conflict that caused all of this, but I guess we will see.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok two things. First uninstall McAfee completely using the add/remove program feature in the control panel. Second reinstall it from AOL.

I need the hooked services. When you click export it should open up the save menu. (Sorry bout that, didn't clarify.) So save it somewhere and then open it in notepad and copy and paste the stuff here.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Are you saying that you had McAfee online and then when you joined AOL they gave u the real version of McAfee? Or do you mean you had McAfee and when you got AOL you got something completely different? Also which firewall are you talking about?

Now to check for those rootkits I mentioned. Please download Rootkit Hook Analyzer from here. Install and run it. At the bottom check the box that says "Show Hooked Services Only". Then click analyze. Then click on export and it should open up notepad. Copy and paste the contents of the notepad file in your next post.

That should help us see if this is really being caused by malware or whether it might be some sort of conflict between 2 programs.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Found a couple more things.
Run HJT and check the following.
O2 - BHO: XBTP06069 - {902A0E4E-447D-4b4c-AD09-505E1C04DAE8} - (no file)
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
Click Fix Checked

Please post a new HJT log and tell me if that did anything. If it didn't then I'm gonna take a look at your rootkits.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok use the log to check the other computers for any of the same infections that were on your 2k computer. If you find any on the other 98 computer then go into safemode and delete them.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

A couple questions. When do these popups occur? Is it when you go online or just randomly even if you're not in an internet browser?

Also please delete the following folder
C:\Program Files\WeatherStudio\

Now run HJT and check the following.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
Click fix checked.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Double check to make sure that the file didn't just come back. Also Norton really isn't a good Anti-Virus so I would recommend getting McAfee or AVG.

Also can you post the log from that AVG scan on the 2k computer?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Run HJT and put a check next to the following.
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Click Fix checked.

I couldn't find any info on that BHO, which usually means that it's a random one created by malware. Tell me if deleting it did anything.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok looks like it's gone then.
Are you still having problems?
If so could you give a detailed response of what's happened exactly?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well that complicates things a bit. Ok now do the following.

First try and just delete the file in normal mode (probably won't work).

If that doesn't work then download pocket killbox from here. Once you have it running click the folder icon and then navigate to the file mentioned in my last post. After you select it, it should be in the drop down box next to the folder icon. Now check the box that says delete on reboot. Then click the red X button. It should ask you to reboot. Click ok and let it reboot. After it reboots check that the file is gone.

Tell me if that works.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok I'm pretty sure win98 has a safe mode, so do the following. Boot into safe mode by tapping F8 during startup and selecting safe mode and delete the following file.
C:\DRIVER\WIN98II\SUCATREG.EXE

See if that helps considering that's the one norton says it's cleaning.