Spyware toolbar won't go away

I accidentally asked this question under the wrong category at first.  My apologies.

I think I have fixed some of the problems in my IE browser with HijackThis but I am still getting a spyware toolbar that won't go away. It looks like this:


Make money   Music   Casino
Investing   Travel   Mortgage
Dating - Singles - Personals - Escorts - Chat Rooms
Travel - Airline Tickets - Hotels - Cruises - Vacations
Careers - Job Listings - Education - Work At Home - Part Time
Credit - Credit Cards - Cash Advance - Mortgage - Car Loans
Computers - DVD - Games - Digital Camera - Ink Cartridge
Insurance - Car Insurance - Health Ins. - Life Ins. - Renters Ins

Its properties when I right click on it look like this:

Search Now!

HyperText Transfer Protocol
   
HTM File

Not Encrypted

http://search200.com/passthrough/newpass2.html

size is 7320 bytes -

It only appears when I am connected to the internet and it goes away when I click on its close box, but it always comes back when I use Explorer.

My HijackThis log file now looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 5:10:31 AM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Stealther\stealth26.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Working Docs\White Papers\Computer Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://epihtbmqskudwyzibhl.com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:14000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37561.2661921296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D99612C-19B8-48F7-8629-EE97FA51D2DC}: NameServer = 65.247.64.21 209.41.196.13

Any suggestions???
KerryG Commented:
Use the analysis tool to see what's up with your log file:
http://www.hijackthis.de/index.php?langselect=english

First you will see you aren't using the latest version of HijackThis.
So get the latest version first and recheck your system.

Next download, install and update both AdAware and Spybot Search and Destroy, reboot into safe mode and run the scans in safe mode. That should help get you all cleaned up.
sunray_2003 Commented:
Not sure if you had done virus scanning and used other spyware tools before running HijackThis..

This is the norm

Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there except Anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same Startup tab and find the application that might cause this at startup

virus scanner:
---------------
When you scan for viruses, do all the below in both Normal mode and Safe mode.

a) Update your virus definitions in your Anti-virus and run it.

b) Download Stinger from here : http://vil.nai.com/vil/stinger/  and run it.

c) Use this Online virus scanner also : http://housecall.trendmicro.com/ 

Spyware:
--------

Please do not run spyware before running Anti-virus tools and making sure there is no virus in the machine.
Run spyware both in Normal and Safe mode to be sure that the system is free of spyware, adware and malware.

PLEASE GET THE SPYWARE REMOVAL TOOLS FROM THE BELOW WEBSITE. THAT PAQ IS CREATED SO THAT ALL THE TOOLS ARE NOT GUMMED UP IN THIS THREAD.

Some of the experts here have helped in compiling all the important spyware tools and they are listed in this thread
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

My recommendation would be to start with Spybot, Ad-Aware, CWShredder. After installing them, first update them and then run.

Once running all the above tools and others given in that thread, download and run HijackThis.
Download HijackThis from here http://www.softpedia.com/public/cat/10/17/10-17-69.shtml.
Get the log from HijackThis and save the log and paste it here http://hijackthis.de/index.php?langselect=english to analyze it. The analyser site is used so that you do not gum up the thread with the entire log.

Remove the bad ones that the site reports. If it says unknown process, then use a search engine to check if those are bad ones. If bad, remove them; if you still cannot find them, then post those files alone here.

*********
Now make sure to scan your HijackThis log in the analyzer tool and remove all the unwanted/bad entries that the site says. Then post back if you still have any issue.

Use this to remove unwanted toolbars
Using ToolbarCop to remove the unwanted Toolbands, Toolbar icons and Browser Helper Objects
http://windowsxp.mvps.org/toolbarcop.htm

After all these,
Remove temporary internet files, folders and cookies
Also remove Windows Temp files by going to

1) Start --> Run --> type in: %systemroot%/temp
2) Start --> Run --> type in: %temp%


Post back if you still have issues

SR
rossfingal Commented:
Hi!

Here's some very interesting information on:
C:\winnt\180solutions\saap.exe
Take note of the removal instructions -
http://www.sawtoothdistortion.com/Articles/Uninstall180Search.html

Good luck!

RF
SheharyaarSaahil Commented:
>> C:\winnt\180solutions\saap.exe

this means u are having a 180solutions parasite on ur machine =\
read here to remove it completely from ur system >> http://www.sawtoothdistortion.com/Articles/Uninstall180Search.html
sunray_2003 Commented:
Rossfingal,

I would appreciate if you can look at my comment in Experts Input question of yours about Hijackthis Log
SheharyaarSaahil Commented:
im sorry ross, didn't refresh the page before posting =\
MonroeDowling (Author) Commented:
I am almost ready to give up.  It seems my only solution thus far to keep from getting the malicious spyware toolbar I mentioned above when I invoke Internet Explorer is to use another web browser.  When I use Mozilla Firefox I have no problems whatsoever, but when I use IE I still get numerous popups and that strange spyware toolbar that only appears when I am connected to the internet.  I have been working on this problem for months.  I have used Ad-Aware, Spybot Search and Destroy and I have tried some of your suggestions including ToolbarCop, HijackThis, and I also tried the tedious 180solutions removal suggested by SheharyaarSaahil.  This was a nice article about going into the registry and everywhere else to remove the problem.  Unfortunately, it did not solve the problem.  Perhaps the host program software is still on my machine.  I have no idea what it is.  Looks like this is one of those questions that won't get resolved.
SheharyaarSaahil Commented:
Monroe,,,, u have WinXP system,,,, are u sure u disable system restore before doing the cleanup process ??
and after running the removal tools, do u manually check for the exe files and their registry entries to make sure they are all gone ??
MonroeDowling (Author) Commented:
I have been dealing with this long enough.  None of the responses I have received have helped me resolve this problem.  In fact I remember getting one message from someone somewhere along asking me not to print a HijackThis log.  Fine.  I think what I need to do is cancel my membership here.  Thanks to everyone who has earnestly tried to help.  Goodbye.

Monroe
sunray_2003 Commented:
It is sad to see that your issue is still not resolved..

So you have tried all the above suggestions and you still have the same issue, or do you see some improvement?

Have you tried using this tool http://windowsxp.mvps.org/toolbarcop.htm
to see if you can remove any toolbar using it.

Regarding the HijackThis log, this website is taking a lot of changes as to how to make questions and threads more user-friendly.
Apart from experts, users or questioners are led in a direction so that they can do some work on their own and come back if they need further help. It is NOT that you cannot post the logs but it is like use the analyzer website to search for bad ones in your log and see if the issue is solved and if not, post the log.

Hang on and post back and see if we can resolve your issue

SR
ElKerm Commented:
Have you tried running a simple Ad-aware SE or Spybot ?
Often these programs are a very good help!
gonzal13 (Retired) Commented:
Here is one I downloaded and used. It found spyware etc that the others do not. It is a fully functional 15 day trial program called 'Great Antispyware'

www.greatantispyware.com

It gave me some interesting results. I ran it in the normal mode. You might run it in the safe mode also. I normally have not run these spyware programs in the safe mode. I just posted a question why is it recommended to run these programs in the safe mode.

Try it before you give up.

gonzal13(joe)
gonzal13 (Retired) Commented:
This program is used for web browser hijacks
Web websearch remover

http://www.subratam.org/?page=removal
MonroeDowling (Author) Commented:
While I almost gave up I finally was able to resolve this issue myself.  I must admit I did not try disabling the system restore utility because a restore point had saved my computer during a previous problem.  I did try most of the software tools recommended above along with half a dozen others.  The link to the 180solutions spyware removal did help some but did not resolve the main issue which was the recurring spyware toolbar in Internet Explorer.

I have been working for months on this problem.  The recommendation for trying HijackThis software did not help because many of the entries were unknown.  Even some of the experts gave incorrect info on some things to remove.  Fortunately, serendipity smiled on me tonight in the form of a piece of software called Security Task Manager.  It can be downloaded from download.com and originates from www.neuber.com.  This software analyzes all the active and inactive processes in the task manager and provides detailed information on all the ones that it recognizes.  For those that it does not recognize, it provides a link to Google search where they can be found.  With this software, I isolated the problem to 2 malicious programs.  One called long2.exe and the other called bin kind.exe.  (Yes, there is a space after bin.)  I was able to quarantine and delete these programs and other spyware on my computer with a few key strokes.  The software is a free trial version for 30 days and $29 for a registered version.  I will probably buy it.  Thanks to all who helped and my question is finally resolved.

Monroe
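
An added example, not part of the original thread or any poster's code: a small Python triage pass over HijackThis-style lines that flags `O4` autorun entries launching from profile data directories (the `long 2.exe` entry in the posted log is one) and a loopback `ProxyServer` setting. The sample lines are copied from the log in the question; the two heuristics and all function names are assumptions chosen for illustration, and a hit means "review this entry", not "malicious".

```python
import re

# Lines copied from the HijackThis log posted in the question above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:14000
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROXY = re.compile(r"^R1 - .*,ProxyServer = (?P<value>\S+)$")
# Assumed heuristic: profile directories (long or 8.3 short form), where
# installed software rarely keeps the executables it starts at logon.
PROFILE_DIR = re.compile(r"\\(documents and settings|docume~\d)\\", re.I)

def exe_path(cmd):
    """Return the executable part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)\b", cmd)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd

def triage(log_text):
    """Return (reason, entry name, value) tuples for lines worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            if PROFILE_DIR.search(path):
                findings.append(("autorun-from-profile", m.group("name"), path))
            continue
        m = PROXY.match(line)
        if m and m.group("value").startswith(("127.", "localhost")):
            # Confirm which local program is listening on this port.
            findings.append(("loopback-proxy", "ProxyServer", m.group("value")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
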
modulo Commented:
PAQed with points refunded (500)

modulo
Community Support Moderator