Help 911

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENTto your next message. (Do NOT copy/paste the log into your post).

 

You also forgot to extract HijackThis from the ZIP file and to put it in the folder requested. You are running it from the ZIP file (see below). You will not get any backups this way.

C:\Documents and Settings\sean mcginnis\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

 

After correcting the problem with how and where you are running HijackThis, procede with the below.

Look in Add/Remove programs for uninstalls to the below and uninstall if found:
MyWay or MySearch or MySearchBar
iMesh
Toolbar
WinTools
Spyware Begone

Are the below two lines for SkateTycoon valid?
C:\DOWNLO~1\SKATET~1.EXE
O4 - HKCU\..\Run: [SkateTycoon2004.exe] C:\DOWNLO~1\SKATET~1.EXE /r

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SEANMC~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000002230} - (no file)
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {11B761D4-4B69-4531-BC66-E07526E40FBC} - C:\WINDOWS\System32\beip.dll (file missing)
O2 - BHO: (no name) - {2E98D047-2181-4852-8A95-B0C5259897FC} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {422008EE-AF7E-4953-BED8-D9B551FA8375} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)
O2 - BHO: (no name) - {5B3CAEA4-ED3A-408B-B0D4-CFBA1C62B021} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721316} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINDOWS\System32\wer3548.dll
O4 - HKLM\..\Run: [CSV7P26] C:\Program Files\CSBB\CSV7P26.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe

Note it's up to you, but BigFix is a resource hog. You should only run it when needed and not auto load like below at startup.
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovi...ffiliate=BRANDY
O16 - DPF: {6EC42D96-6DFB-7220-7848-46EB49286F97} - http://67.19.99.158/1/rdgUS871.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} -
O16 - DPF: {9EAC0186-5F5A-4362-B120-15C312CE012D} - http://www.awmdabest.com/cabl/379/tb.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/z/load.exe
O18 - Filter: text/html - {18876288-BC57-4DA1-889D-A9B6D22D4A21} - C:\WINDOWS\System32\beip.dll
O18 - Filter: text/plain - {18876288-BC57-4DA1-889D-A9B6D22D4A21} - C:\WINDOWS\System32\beip.dll

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\Toolbar <--- the whole folder
C:\Program Files\iMesh <--- the whole folder
C:\Program Files\MySearch <--- the whole folder
C:\Program Files\CSBB <--- the whole folder
c:\freescan <--- the whole folder
C:\Program Files\Common Files\WinTools <--- the whole folder
C:\Program Files\PartyPoker <--- the whole folder
C:\DOCUME~1\SEANMC~1\LOCALS~1\Temp\sp.html
C:\WINDOWS\System32\wer3548.dll
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\beip.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Please see message #2 and #7. You still have HJT running from the ZIP file

C:\Documents and Settings\sean mcginnis\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\hijackthis.exe

Unless you install it as I requested we cannot continue. I do not want to make changes when we are not getting any backups. Please address this now and post a new HJT log when you have.

Just incase your problem is that you do not know how to do that, follow the steps below.

To get hijackthis.exe extracted from the ZIP File into the location we requested do the following.
The below will work for WinXP based system since it can deal with ZIP files.
You need to create the C:\Program Files\HJT folder. Do the following:
- Click START and select Explore.
- Select the drive where Windows is installed (normally drive C)
- Navigate to the C:\Program Files folder and select it.
- Now click the on the top menu where it says File and then select New.
- Then select Folder
- A new folder is created and highlighted.
- Just type HJT to overwrite the default name (New Folder)

To extract hijackthis.exe:
- locate the HijackThis.zip file you downloaded and right click on it
- Select Extract All and click Next
- Browse your way to the C:\Program Files\HJT folder created above
- Select the folder and click Next

 

No! You need to follow my steps! You are double click on the HijackThis.Zip file and then running the EXE. You need to take the EXE out of the ZIP file (extract it) and put it in the folder I requested and then run it from there.

No more red colors please! Hard on the eyes reading that much red.

 

Try this for your Desktop problem:


Right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.

 

Also not you should not be putting HJT logs into an HTML format. Just save the logs from HJT do not manipulate them.

Just follow my steps I gave you on extracting the hijackthis.exe file! Those steps are pretty straight forward. If you still cannot get it done correctly (and you should be able to tell that yourself just by looking at the log to see where hijackthis.exe is running from) then just procede with the cleanup steps I gave you below. You must make sure you follow those steps properly!

Also uninstall the stuff I requested earlier and answer questions.

What is SkateTycoon?
C:\DOWNLO~1\SKATET~1.EXE
O4 - HKCU\..\Run: [SkateTycoon2004.exe] C:\DOWNLO~1\SKATET~1.EXE /r

 

Have you completed all the steps in message #18? It does not look like it. I still see the items I wanted you to fix with HJT there.

 

Okay! Now you're clean! How are things working?

If everything is all fixed up, you should perform the steps in the below thread:

How to Protect yourself from malware!

 

Try doing a file search for a file named desktop.html

Let me know if you find it and where.


Also try doing what I gave you in message #14 after booting to safe mode.

 

All I said was too look for the file and to tell where you found it?

Was it named exactly desktop.html? Where was it located?

Do you still have a problem?

If so, did you do what I asked in safe mode?

 

Have you rebooted since doing this with desktop.html? If not, reboot and see what happens.

 

What do you mean it was in My Computer? That is not a folder. Where was it located? What was the complete path to the file?

If one had a FireFox icon and one had an IE icon then you did not find two files named desktop.html. What every is the default browser on your system would determine the icon for the file. So what was the exact name of the file you deleted. Was it EXACTLY "desktop.html" ? Are you sure you have enable viewing of all file type extensions?

What do you mean "When I rebooted the computer IE was in the same spot"
IE should always be in the same spot.

What program moved? Are you talking about IE? You just said it was in the same spot.
If you are referring to desktop.html, it is not a program. And if you mean desktop.html came back, where is located. Provide the full path. Make sure it is really desktop.html exactly letter for letter (no additional letters or different letters).

 

SpySweeper is a good program and we have it here on MGs for download. It is not freeware. It will let you get one free database update and it will fix problems. But it is only a trial version. Most of what SpySweeper is finding is left over registry keys not totally cleaned up by removing programs or using other scanners. Most are probably harmless but is does not hurt to have them fixed.

You could have tried MS Antispyware too for free.

Please check the following (and make sure you tell me if you had each of these set as indicated):
Click Start.
Select Explore
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply.
Click OK.

I still don't understand where you are finding the desktop.html file.
If you do a windows search and after finding the files, click View and select Details. There should be a column labeled In Folder. What does that say? That's the path to the file. Also what exactly appears in the name column?

 

Please post a current HJT log. Also right click on the yellow icon in your tray. Can you get an info on what it is or who it belongs to that way? Do any options appear and what do they show?

Click Start, select Control Panel, select Display. In the Display Properties window select the Desktop tab. For Background scroll up and choose none. Then click the Customize Desktop button. In the next window that comes up select the Web tab. Make sure at the bottom of the window that the option to Lock desktop items is not checked. Then in the part of the window under Web pages: select and delete all items that are in there except My Current Home Page. Then make sure the last one is not checked. Now click OK. Then in the Display Properties window click Apply and then OK.

Did that work? Any problems? Make sure you clearly explain any problems you have.

What did you mean when you said

What did it break?

 

In message # 38 I asked but you never answered

In message # 44 I asked but you never answered or complete this request: