Please help. I have been trying to remove the Ibis Toolbar and Hunt bar. In the process I have deleted a number of different applications that self loaded. I've used Ad-aware 6.0 and Pest Patrol. I think I have successfully removed Hunt Bar but the Ibis Toolbar sticks around because I can't delete a file named: c:\Program Files\Toolbar\Cursor\cursor.xml
Additionally, I noticed two different register values and start up applications:
1. Bashbluebold, Super spam.exe
2. c:\\windows\system32\drpcpzit.exe with a reg key value of djitaiabkz
I deleted the file bashbluebold and removed the reg key associated with it (which coincidentally causes an internal server error 505 on the auto browser pop up problem I'm having...)
Should I delete the other reg key? How do I delete the Ibis Toolbar cursor to be able to delete the whole file?
Thanks!
Dee

Dee, you have done really good work. Yes, I do believe that file is one of your problems so delete it to the Recycle Bin. If you have probs after just restore it from the Recycle Bin. I have found that most of the time those generically, random-character generated files are malware/virus. Unfortunately, there are morphers that also generate random characters when they regenerate, so if you still have the same problems afterwards, but that file is gone, look for another in the same area with random characters. You then have a morpher. Post back and we will try the HiJack this thing and identify the spyware.

Yes, if you boot to safe mode you should be able to delete this without trouble. OR try safe mode command prompt only. (either way no networking so it doesn't try to call home during the clean)
Good luck,
J.
j e r u v y a t y a h o o d o t c o m

Follow-up:
Thank you for your responses.
I deleted the random reg key and haven't seen any problems yet. I am still getting the forced "open browser" that's entitled 69.20.62.53/yyy3.html before it sends it to some advertising web page.
So after having deleted those other applications and reg keys, I believe the problem child is still the Ibis Toolbar. I have tried to delete the file that is preventing me from being able to remove the application (cursor.xml), but have failed. I've rebooted in safe mode and still can't delete it. It says that it is in use.
Thoughts? Thanks again.

Once you got this done, if you are still seeing some weirdness post a hijackthis log and ALERT me.
J.
j e r u v y a t y a h o o d o t c o m

Dee, I have done some research into the IBIS toolbar, and it's a bad one, so I think we are going to have to bring out the heavy artillery. As I mentioned earlier, we will need HiJack This, but let's do some preparation first. Here is what I suggest:
Enter Explore/Tools/Folder Options/View;
>ENable (add a check) Hidden Files and Folders/"Show Hidden Files and Folders".
>DISable "Hide Operating System Files" (no check mark). XP will "yell" at you but we must disable this.
Enter Explore, and on your C drive (or whatever your main drive is containing Windows-usually C), create a new folder and label it HIJACK THIS (or whatever you want). Download and drag&drop into this folder HiJack This.
link: http://www.spywareinfo.com/~merijn/downloads.html
This is very important: Do not run HT at this time. Do not install HT directly to the root C directory.
Next, please download and install the following free programs off the web:
AD Aware: http://www.lavasoftusa.com/software/adaware/
SPYBOT: http://www.safer-networking.org/
SPYWAREBLASTER: http://www.javacoolsoftware.com/spywareblaster.html
COOL WEB SHREDDER: http://www.spywareinfo.com/~merijn/index.html
Okay, now you have them all together. There are many virus/spyware (such as Cool Web Search) that prevent you from accessing antispyware sites; they can do nothing if you already have the programs on your computer.
Now Install the programs in the order I have here. BEFORE you run them, update all the indexes from within each program first (except for CWS, that must be re-downloaded occasionally as the author updates the program).
Ad Aware is extremely powerful; to get the most efficiency, configure it this way:
after it is installed and open and you have downloaded the newest updates:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
Check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives... kill anything it finds.
Then run Spybot and allow it to kill anything that it finds.
Now go here and run the free, online virus scan: http://housecall.trendmicro.com/
After this, open HiJack This; after it is open, close all other open windows including Internet Explorer, Explore, and anything else that is open. Click "Config.." on the Right.
Make sure the following are enabled:
>"Make Backups Before Fixing Items"
>"Confirm Fixing and Ignoring of Items"
>"Include List of Running Processes in Log Files"
Click "Miscellaneous Tools":
>Enable "list also minor sections"
>Enable "List empty sections (complete)".
Click "back", and click "Scan". You will see the scan log, and the button changes to Save Log. Copy and Paste this log into our thread here.
At this point do not make any fixes or changes-HT is extremely powerful and does not know the difference between good files and spyware. The majority of files you see are needed by XP.
We will review your log together later.

I'm having a very similar problem on a friend's laptop. Keeps randomly opening web browser windows and loading *something*/yyy3.html . There also seems to be something preventing me from accessing windows update. I can go to the windows update site, and it lists 47 (47!!!) critical patches... but when I go to "Review and Install Updates", IE just tries to access for a few minutes then gives a "Page Not Found" error. blech!
I've got AdAware (most recent updates), Spybot Search and Destroy and Hijack This installed. Adaware finds this file:
c:\windows\system32\ajtxprxy.dll and identifies it as a part of "VX2.BetterInternet" but can't delete it -- even from Safe Mode. I told it to delete it on next startup, but it won't go away...
Here's the HT log:
Logfile of HijackThis v1.97.7
Scan saved at 10:35:06 PM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\winnt\system32\qossrv\aysshell.exe
C:\winnt\system32\qossrv\secure.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\HPONE-~1\OneTouch.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\DENTFO~1\Great Style.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\windows\temp\oRyJ.exe
C:\WINDOWS\System32\WLANSTA.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\cleblr.exe
C:\WINDOWS\System32\tvintprf.exe
C:\Software Depository\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.exe
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTDLM] C:\winnt\system32\qossrv\csrss.exe
O4 - HKLM\..\Run: [peak cool] C:\PROGRA~1\DENTFO~1\Great Style.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [ssecd] C:\WINDOWS\System32\ssecd.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [oRyJ] C:\windows\temp\oRyJ.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [hgmseaiz] C:\WINDOWS\System32\dfrhhb.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.exe START
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AutoLoader20u61JIWPYPK] "C:\WINDOWS\System32\cleblr.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [275g37V] cleblr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [JwumRXZ2U] tvintprf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37190.4250578704
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Any help would be greatly appreciated!
Thanks,
--Paul
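
Added example (not part of any post in this thread): a small Python triage pass over a HijackThis log that marks entries for manual review, using an excerpt of the log above as input. The function names and the reason labels are assumptions made for this sketch, and a hit is only a prompt to look closer, not a verdict on the file.

```python
import re

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\winnt\system32\qossrv\secure.exe
C:\windows\temp\oRyJ.exe
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTDLM] C:\winnt\system32\qossrv\csrss.exe
O4 - HKLM\..\Run: [oRyJ] C:\windows\temp\oRyJ.exe
O4 - HKLM\..\Run: [275g37V] cleblr.exe
O4 - HKCU\..\Run: [JwumRXZ2U] tvintprf.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
"""

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$')
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.I)  # quoted path, or text up to .exe


def system_root(lines):
    """Infer the real Windows directory from where smss.exe is running."""
    for line in lines:
        m = re.match(r'^(.+)\\system32\\smss\.exe$', line, re.I)
        if m:
            return m.group(1).lower()
    return None


def triage(log_text):
    """Return (reason, run_value_name_or_None, target) tuples worth a manual look."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    root = system_root(lines)
    findings = []
    for line in lines:
        if line.endswith("- (no file)"):
            # Registry entry whose target file is missing on disk.
            findings.append(("orphaned-entry", None, line))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group(2), m.group(3)
        elif re.match(r'^[A-Za-z]:\\', line):
            name, cmd = None, line  # a "Running processes" entry
        else:
            continue
        e = EXE_RE.match(cmd)
        exe = (e.group(1) or e.group(2)) if e else cmd
        low = exe.lower()
        if "\\" not in exe:
            # Bare file name: which file actually starts depends on the search path.
            findings.append(("no-path", name, exe))
        elif "\\temp\\" in low:
            findings.append(("runs-from-temp", name, exe))
        elif root and "\\system32\\" in low and not low.startswith(root + "\\"):
            # A "system32" folder that is not under the real Windows directory.
            findings.append(("foreign-system-dir", name, exe))
    return findings


if __name__ == "__main__":
    for reason, name, target in triage(SAMPLE_LOG):
        print(f"{reason:20} {name or '-':12} {target}")
```

Legitimate software also registers bare file names under Run, so each "no-path" hit still has to be resolved to a file on disk and checked by hand.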

I have also been having problems with this ibis toolbar. Have gone through all the solutions so far, but nothing is really working. I have created a log from the HijackThis program, hopefully someone can shed some more light on this issue. Thank you ahead of time.
Logfile of HijackThis v1.97.7
Scan saved at 2:48:14 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Documents and Settings\Tom\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lineage2.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://www.alienware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.exe /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.3993402778
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I have had the same problems. I already had the various programs that ranchhand mentioned so I followed the directions exactly. Ad-aware had been unable to delete them.
I tried everything in your instructions. I use norton anti-virus, zone alarm pro, ad-aware 6.0, spybot, spyblaster, cw shredder.
Thanks for any help that you can give me.
Terrill Ann Browne

I've got an almost identical problem, and have followed the instructions above.
Hijackthis produced a logfile which I can't post yet, but I have stored
Thanks in anticipation of your help.

Folks, this was not a call for everyone to post hijackthis logs. =)
Please start your own threads but only after following the instructions prior to posting any hijackthis logs.
Thanks!!
J.
j e r u v y a t y a h o o d o t c o m

Alright, so I've seemed to fix my computer now. After doing all the things mentioned etc, I tried removing programs through cntrl alt del. Certain programs that wouldn't shut down were wtoolsA.exe, wSup.exe and wtoolsS.exe. So, I ran my computer in safe mode, searched for those specific files and deleted anything similar to them. Reran my adaware programs and such and so far I have a clean bill of health.

I too am trying to remove Huntbar. I am running Spybot free ware but it will not get rid of it. How can I do this for free?
Bob


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.