old server

Discussion in 'Malware Help (A Specialist Will Reply)' started by pamski619, Feb 17, 2005.

  1. pamski619

    pamski619 Private E-2

    Ok, I'm trying to clean up my computer before asking for help again but apparently I'm on the old forums server... but I don't know what that means and I don't know how to fix it... when I click on something it says
    "You are still on the old forums server. If you reading this, please try to clear your DNS cache with "ipconfig /flushdns" or add "70.85.60.244 forums.majorgeeks.com" to your hosts file."
    and I'm not sure how to do either of these things... if someone could give a quick tip for my lack of computer knowledge I'd appreciate it... thanks!!

    ~Pam
     
  2. PhilliePhan

    PhilliePhan Guest

    Things should be back to normal now :)
     
  3. pamski619

    pamski619 Private E-2

    sadly... I'm still getting the same message :( ... I'm not sure what to do. Thanks again!

    ~Pam
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Pam,

    To Flush DNS Cache, do this:

    Go to Start > Run > enter cmd > OK

    Then, type: ipconfig /flushdns & hit ENTER.

    See if that helps.

    PP :)
     
  5. pamski619

    pamski619 Private E-2

    Thanks for your continued help... but it's still not working... I really feel like my computer is just falling apart :( ... I don't know if there is anything else you can suggest... thanks again

    ~Pam
     
  6. PhilliePhan

    PhilliePhan Guest

    I don't like the idea of adding items to the Hosts file. Try this:

    Restart your computer and repeat the DNS Flush instructions. Then, come back online and see if that remedies the problem.

    PP :)
     
  7. pamski619

    pamski619 Private E-2

    still no luck... I have most of the programs that I'm supposed to have and have run them... I just can't seem to get to several of the steps because of this "old server" stuff... any more suggestions? thanks!
     
  8. PhilliePhan

    PhilliePhan Guest

    What Malware problems are you having?

    Go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I have to run shortly - Will check back as time permits.

    PP :)
     
  9. pamski619

    pamski619 Private E-2

    thanks so much for your help... I'm having problems with the home search assistant/ search extender/ shopping wizard spyware stuff... and lately when I restart I get a whole bunch of trojan viruses and signatures, so I run all my spyware/virus scans which usually keeps them under control for awhile, but they always come back. Recently I noticed A LOT of .exe files in my windows folder that I'm not sure of what they are... but they don't look good. Any kind of help would be GREATLY appreciated. Thanks in advance!

    ~Pam
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Pam,

    I see a number of issues we will need to address - I am a bit overextended with threads here and have some "real life" work to do as well, but will try to post some removal steps for you Friday evening/night. Hang in there :)

    PP :)
     
  11. pamski619

    pamski619 Private E-2

    Thank you so much... the anticipation of getting some help is so relieving! I won't be around a lot this weekend... but I will be back as soon as I can and look forward to making my computer happy again! :) Thank you!!!

    ~Pam
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let's open Control Panel and select Add/Remove Programs. Uninstall the following applications:

    WeatherBug

    Stop-the-Pop-Up



    Now run HJT again and have it fix the below entries. Before fixing anything with HJT please close all browsers.



    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.etown.edu/myetown

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.etown.edu/myetown

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {D9362F75-D876-961B-C243-0BA9967868E7} - C:\WINDOWS\system32\ieum32.dll

    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized

    O4 - HKLM\..\Run: [mfcky.exe] C:\WINDOWS\mfcky.exe

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    O4 - HKCU\..\Run: [Frde] C:\WINDOWS\system32\explorer.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O15 - Trusted Zone: *.awmdabest.com

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.musicmatch.com

    O15 - Trusted Zone: *.awmdabest.com (HKLM)

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - Trusted Zone: *.musicmatch.com (HKLM)

    O15 - Trusted IP range: 206.161.125.149

    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Pam\Desktop\CWShredder.exe

    O23 - Service: Remote Procedure Call (RPC) Helper (?%AF夶À¨) - Unknown owner - C:\WINDOWS\netda32.exe (file missing)



    After you have completed the above steps please move on to the next set of instructions. After you have fixed the entry "R3 - Default URLSearchHook is missing" go ahead and "Reset Web Settings" and default all security settings. Do this by going into "Internet Options" and selecting the "Security Tab" and then the "Programs Tab". For the next step, I would like you to reboot into "Safe Mode" by pressing F8 when you see the BIOS screen flash. When the list of options comes up select "Safe Mode". Now that you are in safe mode please follow below. Be sure you have "view hidden files and folders" enabled per the tutorial.

    1) Go into the directory C:\WINDOWS and locate the file named mfcky.exe and delete it.

    2) Now go into the folder C:\WINDOWS\system32 and locate the file appbo.exe and delete it.

    3) In the same directory C:\WINDOWS\system32 locate the file ieum32.dll and delete it.

    4) Same directory, locate the file named explorer.exe and delete it. This file is a part of the W32.HLLW.Spirit Worm.
    Note: Before deleting this file be sure it's in the location C:\WINDOWS\system32\explorer.exe

    Not To Be Confused With C:\WINDOWS\explorer.exe as this is a critical system file.

    5) Now go into the folder C:\Program Files and look for the directory named AWS and delete it. (If It Exists)

    6) Same directory, C:\Program Files look for a folder named Stop-the-Pop-Up and delete it. (If It Exists)

    7) Now go into the folder C:\WINDOWS and look for the file named netda32.exe and delete it. (If It Exists)

    8) Now, Close all open windows and follow me below. We will attempt to remove any entries made by the W32.HLLW.Spirit Worm infection.

    NOTE: Just to be safe, always make a backup of the registry before modifying it.


    9) Click Start, Run, In the box type in regedit.

    10) Navigate to the following key,

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Look for any entries that contain the following file,
    C:\WINDOWS\system32\explorer.exe
    If found right click and delete!

    11) Now navigate to the following key,

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices


    Look for any entries that contain the following file,
    C:\WINDOWS\system32\explorer.exe
    If found right click and delete!



    12) Now, Reboot in normal mode, post a new HJT log and tell us how things are running.

    NOTE: I would also recommend you run a FULL SYSTEM SCAN with Symantec AntiVirus or Norton AntiVirus, whichever you're running, and delete all infected files as there may be more that we can't see. Also to be sure go ahead and run TrendMicro's Online Virus Scan

    Thanks Bj:)
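The log entries above and the explorer.exe look-alike check in steps 10 and 11 can be mechanised. The following Python triage parser is an added example, not MajorGeeks' or HijackThis' own code; it takes HJT lines like those quoted in this post (sample lines embedded, one garbled service name shortened) and flags the patterns acted on in this thread: a system binary name autostarting from the wrong directory, nameless BHOs, Trusted Zone additions, changed protocol-zone defaults, and services with an unknown owner or a missing file.

```python
"""Triage HijackThis log lines for the patterns discussed in this thread.

Added example, not a MajorGeeks or HijackThis tool. Sample lines are taken
from the log entries bjgarrick quoted above (one garbled service name shortened).
"""
import re

# Where each of these binaries legitimately lives. A copy anywhere else is the
# look-alike the thread warns about: C:\WINDOWS\system32\explorer.exe is not
# the real C:\WINDOWS\explorer.exe.
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<entry>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - (?P<kind>Trusted Zone|Trusted IP range): (?P<value>\S+)")
O15_PROTO_RE = re.compile(r"^O15 - ProtocolDefaults: '(?P<proto>\w+)' protocol is in "
                          r"(?P<zone>.+?) Zone, should be (?P<expected>.+?) Zone")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_from_command(cmd: str) -> str:
    """Return the executable path of an O4 command line, quoted or not."""
    m = re.match(r'^"?(?P<path>.+?\.exe)', cmd, re.IGNORECASE)
    return m.group("path") if m else cmd.split()[0]


def triage(lines: list[str]) -> list[tuple[str, str]]:
    """Return (reason, line) for every entry matching a pattern from the thread."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            directory, _, base = exe_from_command(m.group("cmd")).lower().rpartition("\\")
            if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
                findings.append((f"{base} autostarts from {directory}, expected {EXPECTED_DIR[base]}", line))
            # A random-name autostart such as mfcky.exe is not caught here; it needs a human look.
        elif (m := O2_RE.match(line)) and m.group("name") == "(no name)":
            findings.append(("browser helper object with no name", line))
        elif (m := O15_PROTO_RE.match(line)) and m.group("zone") != m.group("expected"):
            findings.append((f"{m.group('proto')} handled in the {m.group('zone')} zone", line))
        elif m := O15_RE.match(line):
            findings.append((f"{m.group('kind')} grants extra trust to {m.group('value')}", line))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner" or "(file missing)" in m.group("path"):
                findings.append(("service with unknown owner or missing binary", line))
    return findings


SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {D9362F75-D876-961B-C243-0BA9967868E7} - C:\WINDOWS\system32\ieum32.dll",
    r'O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized',
    r"O4 - HKLM\..\Run: [mfcky.exe] C:\WINDOWS\mfcky.exe",
    r"O4 - HKCU\..\Run: [Frde] C:\WINDOWS\system32\explorer.exe",
    r"O15 - Trusted Zone: *.awmdabest.com (HKLM)",
    r"O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    r"O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Pam\Desktop\CWShredder.exe",
    r"O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\netda32.exe (file missing)",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Running it on the sample flags five of the eight lines; the legitimately signed CWShredder service, the quoted Stop-the-Pop-Up autostart and the random-name mfcky.exe pass through, which is why a log still needs a reviewer.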
     
  13. pamski619

    pamski619 Private E-2

    Thanks for your help... I did everything you said with a few minor glitches:

    1. I didn't have a Stop-the-Pop program
    2. I didn't have an ieum32.dll but had an ieum32.exe instead (I didn't delete it b/c I didn't know)
    3. I didn't have a netda32.exe but had a netdq32.exe (again I didn't delete)
    4. neither of the registry commands had the explorer.exe in them

    Hopefully I did things correctly, my new HJT file is attached, although I'm not sure it looks any better. Thanks again!
     
  14. pamski619

    pamski619 Private E-2

    And to add... my virus protection just popped up that I had 8 signatures of a Trojan virus :( .
    Also, I remembered that when I restarted it said a windows start-up program could not be found (appbo.exe) which was one of the things I was supposed to delete and did. I don't know if this is important or not. Thanks for the continued help!
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, This is good that it does not exist.

    Yes, Go ahead and delete this file ieum32.exe in safe mode.

    Also delete this file netdq32.exe in safe mode.

    This is a good thing! Lets move on.

    This is why I wanted you to run the online virus scan which you have not completed yet and also the full system scan.

    This is because the file we removed was trying to load but it's no longer there. We will get this fixed in the next few processes.

    Also, I wanted to add: do you use WildTangent for anything? If not go into control panel and uninstall this.


    Now I want you to run HJT again and have it fix the below entries. Make sure all browsers are closed before fixing anything with HJT.

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {03986A99-8487-BF06-A53A-7D6D4ED76483} - C:\WINDOWS\netea32.dll

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

    O23 - Service: Remote Procedure Call (RPC) Helper (?%AF夶À¨) - Unknown owner - C:\WINDOWS\netda32.exe (file missing)



    After fixing these entries boot into Safe Mode and delete the following files.

    1) Go into C:\WINDOWS and locate the file named netea32.dll and delete it.

    After completing the steps above, reboot and move to my next step.

    1) Download TrojanHunter 4.1

    2) Install this program!
    Note: After installation setup will prompt you to download the latest update, be sure you do this!

    3) Now run a FULL SCAN and let it do its job, after the scan is complete it will display a window and allow you to clean the infections

    After this scan is complete, post new HJT log and let me know how things are working.

    Thanks Bj:)
     
  16. pamski619

    pamski619 Private E-2

    Thanks for replying! I did everything in the post with the exception that I didn't have the
    netea32.dll file

    I downloaded and ran the trojan hunter program and it got rid of 23! I was shocked! I copied everything that it got rid of if you need to see anything. My new HJT file is attached... I'm actually leaving for the weekend but I'll be back for more fixing Sunday afternoon! Also, just to let you know... the reason I came for help in the first place is my home search assistant/ search extender stuff... I don't know if that is somewhere in my log file... but...Thanks in advance!
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, Yeah I did notice the HSA infection. Please follow these instructions below.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    tibs5.exe




    Now scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {A2341EC7-2146-9AD5-C963-1C8D49C2EB4C} - C:\WINDOWS\system32\sysdk32.dll

    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe

    O4 - HKLM\..\RunOnce: [addbt.exe] C:\WINDOWS\system32\addbt.exe

    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.static.topconverting.com

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - Trusted Zone: *.static.topconverting.com (HKLM)





    NOW:
    Please reboot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\sysdk32.dll

    C:\WINDOWS\system32\tibs5.exe

    C:\WINDOWS\system32\addbt.exe



    NEXT: Reboot into normal mode and download the following programs.

    CCleaner

    SpyBot Search & Destroy 1.3

    HSRemove & About:Buster

    NEXT:
    Run the following programs. Be sure you update Spybot before scanning. Also use the Immunize feature.

    Note: If you get a "bad checksum" error during update of Spybot, select a different server and download from there.

    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Now run About:buster and HS Remove and let it delete what it finds. If you have any problems removing anything with these programs let me know.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot, and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For the entries below, please follow these instructions closely.


    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.static.topconverting.com

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - Trusted Zone: *.static.topconverting.com (HKLM)



    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    After this is complete, reboot and post a new HJT log.

    Be sure you do post 19 & 20 before posting new HJT log.

    Thanks Bj:)
     
  19. pamski619

    pamski619 Private E-2

    Ok... first thank you so much BJ!!! I really appreciate everything you're doing for me!! Almost everything worked really well... I hope... the only issues I had were/ are

    when I was supposed to delete addbt.exe, I only had addbt.exe.tcf which showed an icon with a picture of a bug w/ a red circle and line through it... I didn't delete it because the program extension wasn't exactly the same

    Then... my question is... do I need to allow my system restore again since I had disabled it? And, can I delete the move.reg file off my desktop? I think that's it right now. My new HJT file immediately after reboot is attached (which still appears to have the one trusted site.... but) Thanks again for your help. Let me know how it's looking! :)
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can delete the file addbt.exe.tcf. It's where it was renamed by an anti virus/trojan program.

    Not just yet, lets make sure everything is clean and back to normal first.

    Yes!

    Please allow me a moment to analyze the log.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go ahead and do another scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O15 - Trusted Zone: *.static.topconverting.com

    O15 - Trusted Zone: *.static.topconverting.com (HKLM)



    After you have removed the above entries with HJT. Please do the following.


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file remove.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the remove.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Then, reset your web settings.

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com OR www.phillies.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    After this is complete, reboot and post a new HJT log.
     
  22. pamski619

    pamski619 Private E-2

    I did those steps and I have everything in my tray closed except my windows security thing which doesn't really close. I don't know if it's important that I'm connected to the internet through a LAN so I'm connected all the time... but my new HJT file is attached. Thank you again for your continued help!!!
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean! Are you still experiencing any problems? As long as you keep your computer updated with the latest virus defs and security updates from Microsoft you will be fine. Just browse safely!

    Also, I wanted to ask you. Do you use/need WildTangent?
     
  24. pamski619

    pamski619 Private E-2

    I don't really know what WildTangent is for... I think it was something w/ AIM but I guess I don't use it if I don't know, right? haha but I did delete the program from my program list previously...
    Everything seems to be operating smoothly now...
    I can't thank you ENOUGH for all your help! You're amazing!! But I think I'm gonna stick with Firefox browsing as it seems to be safer!! THANK YOU SOOO MUCH!!!! :)
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! If you do NOT use WildTangent I would go into control panel and uninstall it. Glad things are running better for you!! If you have any more problems just let us know.

    Also probably would be a good idea to see Chaslang's article on How to Protect yourself from malware!
     