Yoursitebar

  • Thread starter: ccrashh

ccrashh

I have multiple user accounts on one Win XP Pro (SP2)
machine. On one of them (only), when I log in,
Antispyware tells me that YourSiteBar is trying to
install. It asks me if I want to remove it. Of course,
I say Yes. But this message happens each time I log in.
I then said No to let it "install". Nothing did. Is the
application issuing a false positive? Has anyone else
seen this?
 
Hi ccrashh,

I would opt for the safe side of the coin, and run from Safe Mode, and clean
out all the temp etc. files as noted below:

Boot into Safe Mode (F8) at startup;
Empty your temporary files AND your Temporary Internet Files* C:\Documents
and Settings\Username\Local Settings\Temporary Internet Files folder;
Run the scan while in safe mode;
If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHOs that you don't recognize.

Ron Chamberlin
MS-MVP



*The .tif are Temporary Internet Files, and are stored in a different barn
than 'normal' temp files.
Here's how I kludge thru to them: Open Windows Explorer--->C:\Documents and
Settings. Then it's to the Tool Bar--->Folder Options--->View--->Hidden
Files and Folders and check the box "Show hidden files and folders". Now
expand C:\Documents and Settings and under each user you will now see a
folder "Local Settings". Open that puppy and choose Temporary Internet
Files. I am not concerned about the cookies therein, but everything else
can go for now.
 
Thanks for the tip, but I already tried that. It is odd,
since I can find absolutely no evidence that YourSiteBar
is there anywhere. I used BHO Demon and HijackThis to
analyse things, but everything seems to come out clean. I
keep my PCs so clean, that there are few, if any, entries
in HijackThis.

So, my thought is that this is some sort of false positive.
 
Have you tried using the System Explorers to look at all the startup
locations, etc, when logged in as the user which gets this symptom--to see
if there's anything "strange" there?

I'm wondering if there is a leftover from cleaning--an executable intended
to reinfect, but which doesn't end up doing it because everything else
related is gone?
 
Yup. Tried that too :) I used Regcleaner and RegSeeker
to check the startup lists. I even went directly into the
Registry to check and there's nothing there. Very
strange. I will check again, in case I missed something.
Who knows, it could be masking as something legit.

Is there a way to turn on some sort of MSAS logging so
that I can see exactly what is triggering that message?
 
Okay...forwarded the HijackThis log. I did go through the Registry again
and found a couple of keys left behind. I checked the cleaner.log file and
those keys were missing. The program wasn't on the PC, but these
legacy/left behind registry entries may have been the cause. I deleted them
and will check to see if the problem persists.
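
A read-only way to look for leftover registrations of the kind described in the post above, as an added example that is not part of the original thread. It lists Internet Explorer BHO and toolbar entries and flags those whose COM server file is gone. It assumes PowerShell is available on the machine (the thread does not mention it); the function names are hypothetical, and a bare DLL name is assumed to live in System32.

```powershell
# Added example, read-only: nothing is modified or deleted.
# Run while logged in as the affected account so HKCU: is that user's hive.

function Get-IeExtensionEntry {
    # BHOs are registered as subkeys named by CLSID.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bho) {
        foreach ($sub in Get-ChildItem -LiteralPath $bho) {
            [pscustomobject]@{ Kind = 'BHO'; Key = $bho; Clsid = $sub.PSChildName }
        }
    }
    # Toolbars are registered as values named by CLSID.
    $bars = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
            'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($bar in $bars) {
        if (-not (Test-Path -LiteralPath $bar)) { continue }
        foreach ($name in (Get-Item -LiteralPath $bar).GetValueNames()) {
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                [pscustomobject]@{ Kind = 'Toolbar'; Key = $bar; Clsid = $name }
            }
        }
    }
}

function Get-ComServerStatus {
    param([string]$Clsid)
    # A COM class can be registered machine-wide or per user, so check both.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        [string]$dll = (Get-Item -LiteralPath $key).GetValue('')  # default value = DLL path
        $dll = $dll.Trim('"')
        # Assumption: a bare file name refers to a DLL in System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $ok = $dll -and (Test-Path -LiteralPath $dll)
        $status = if ($ok) { 'present' } else { 'LEFTOVER: server file missing' }
        return [pscustomobject]@{ Server = $dll; Status = $status }
    }
    [pscustomobject]@{ Server = ''; Status = 'LEFTOVER: CLSID not registered' }
}

Get-IeExtensionEntry | ForEach-Object {
    $s = Get-ComServerStatus $_.Clsid
    [pscustomobject]@{ Kind = $_.Kind; Clsid = $_.Clsid; Status = $s.Status
                       Server = $s.Server; Key = $_.Key }
} | Sort-Object Status | Format-List
```

Comparing the output from the affected account with the output from an account that does not get the warning shows which entries exist only in the affected user's hive.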
 
As you saw, there was nothing odd in the HijackThis log.

The behaviour is even stranger than I first thought. If I boot up
and log directly into the problematic account, there is no problem. I have
to log into another account (and no messages appear), then log out and then
back into the one with the problem. THEN the warning message appears.
Strange. I think I will have to uninstall MSAS then reinstall to see if
that clears it.
 
Okay...

Tried uninstalling it. Then reinstalled. Same issue.

Just a note: in the warning message, there is a typo. The line reads: "If
you would like to allow YouSiteBar to install the Internet Explorer
rowser...". The "b" is missing in "browser".
 