  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 506

toolbar5.trafficgenerator.biz

How do I get rid of toolbar5.trafficgenerator.biz? I have used Spybot, Spy Sweeper, Ad-Aware, Norton Internet Security, and have a pop-up blocker on my Google toolbar. Nothing seems to work. Help!!

Please and Thank You

Mike Lindeman
San Antonio Tx
mlindeman@satx.rr.com
Asked:
mlindeman
1 Solution
 
rossfingal Commented:
Hi!

Download HijackThis from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

Please, do not post your log file here!

We'll take a look at it!  :)

Good luck!
RF

ViRoy Commented:

This is a very recent one. This is the first I've seen of toolbar #5.

Here's what some people did about the first one:
http://www.techspot.com/vb/topic22649.html

Here's what I would use to clean it:
http://www.download.com/1200-2018-5139934.html

caza13 Commented:
Use the following link for removal instructions for the Unknown Toolbar5:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453080914
 
mlindeman (Author) Commented:
here is a link to the log file analysis produced by hijackthis
http://www.hijackthis.de/logfiles/538b540a0154bda0aa4453dc12797c53.html

mlindeman (Author) Commented:
Thanks caza13 -
I went to http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453080914
I can't access Task Manager - it hides itself when I try to click on a process that is running. It won't stay on the monitor screen long enough to read all tasks that are running. A little green box appears when I press Ctrl/Alt/Delete, down on the lower right by the date and time. Any clues what to try next?

rossfingal Commented:
Hi!

Download the following utility to temporarily deal with the problem with Task Manager:
http://www.dougknox.com/xp/utils/xp_emerutils.htm

You're running HijackThis out of a "temp" folder:
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1.99.1.zip\HijackThis.exe
It's important to run it from a folder of its own - it should be moved.

I'm looking at your log right now.
Be back soon.

RF

caza13 Commented:
Try booting in Safe Mode and see if you can delete the problem files.

rossfingal Commented:
Hi!
Sorry about the delay - having major problems with our Internet connectivity!   :)
See this:  http://www.tweakxp.com/DisplayNews.aspx?id=157845&fid=34

You're still running HijackThis from a "temp" folder:
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1.99.1.zip\HijackThis.exe
Make sure you move it to a folder of its own -
soon; you're going to have to clean out all your temp files.

You should be logged on to your computer with Administrative privileges.
Make sure "Show all Files and Folders", including hidden and system, is enabled.
Turn off "System Restore".

You should copy and paste these instructions into Notepad -
you're going to have to go into "Safe" mode - no Internet connection.

Using Windows Explorer, navigate to the following file:
C:\WINDOWS\system.ini - right-click on it and choose "Properties" -
If any of the boxes are checked - uncheck them all (Readonly, hidden, system) -
Click "Apply" - click "OK"
Open "system.ini" in Notepad and choose "Save As" -
Save the file as system.bak (save it in the Windows folder)
With the file still open (the system.ini file, not system.bak) - look for the line:
Shell=Explorer.exe C:\WINDOWS\Nail.exe
Edit the line so that the only thing remaining is Shell=Explorer.exe
Click on "Save" - close Notepad

Click on "Start" - click on "Run" - in the run box, type "services.msc" (without quotes)
In the list of running "Services" - scroll down to:
System Startup Service (SvcProc)
Double-click or right-click on it -
In the dialogue box that comes up; in the "General" tab:
Under "Service Status" - click on the "Stop" button - click "Apply" -
Under "Startup Type" - set it to "Disabled" - click "Apply" -
OK out of the dialogue box.
Do the same for anything related to "nail" or "Istsvc" (probably wouldn't find anything)

I hope you were able to download the replacement utilities above.
(If you can't get taskmgr1.exe to work - let me know)
Start taskmgr1.exe -
In the list of running processes look for the following -

svcproc.exe
yzcuxu.exe
ALCXMNTR.EXE
winupdt.exe
QGHVDLL.EXE
QGHVENC.EXE
wintask.exe
wzchu1.exe
?hkntfs.exe
nslo.exe
wucit.exe
abasa5jrp.exe
Nail.exe
nail[1].exe
thnall1ac.exe
gdiyfplm.exe
wxkpsjwn.exe
ibecdbv8.exe
Anything related to "nail"

Any that are present - "Kill" them.

With all browser windows closed -
Run HijackThis and have it fix the following: (put a check-mark in front of, and hit "Fix Checked")
c:\windows\system32\yzcuxu.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\winupdt.exe

C:\WINDOWS\QGHVDLL.EXE

C:\WINDOWS\QGHVENC.EXE

C:\WINDOWS\system32\wintask.exe

C:\WINDOWS\system32\wzchu1.exe

C:\WINDOWS\system32\?hkntfs.exe

C:\Documents and Settings\HP_Owner\Application Data\nslo.exe

C:\WINDOWS\system32\wucit.exe

C:\WINDOWS\system32\abasa5jrp.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

O2 - BHO: (no name) - {747E2908-BFC7-CC4A-BB14-CDEE8FF7BDEF} - C:\WINDOWS\system32\wcij.dll

O2 - BHO: (no name) - {757E290D-BFC6-BA48-BB1C-BFEE8CF4BD9D} - C:\WINDOWS\system32\wcij.dll

O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsaAD.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [rgaa] C:\WINDOWS\gdiyfplm.exe

O4 - HKLM\..\Run: [wxkpsjwn] C:\WINDOWS\wxkpsjwn.exe

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O4 - HKLM\..\Run: [QGHVDLL] C:\WINDOWS\QGHVDLL.EXE

O4 - HKLM\..\Run: [QGHVENC] C:\WINDOWS\QGHVENC.EXE

O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe

O4 - HKLM\..\Run: [ibecdbv8] C:\WINDOWS\system32\ibecdbv8.exe

O4 - HKLM\..\Run: [33og33V] wzchu1.exe

O4 - HKLM\..\Run: [jmsidn] c:\windows\system32\yzcuxu.exe

O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe

O4 - HKCU\..\Run: [Oia] C:\WINDOWS\system32\?hkntfs.exe

O4 - HKCU\..\Run: [Srro] C:\Documents and Settings\HP_Owner\Application Data\nslo.exe

O4 - HKCU\..\Run: [I07mRTZ6U] wucit.exe

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Clean out all your "temp" files:  <-<- I sure hope you moved HijackThis!  :)

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Restart your computer into "Safe" mode -
hit the F8 key repeatedly, as soon as the computer begins to start
Check with services.msc and taskmgr1.exe to see that none of the processes listed above are running -
if they are: "Kill"/"Disable" them.

Search your entire computer for any instances of the following:

svcproc.exe
yzcuxu.exe
ALCXMNTR.EXE
winupdt.exe
QGHVDLL.EXE
QGHVENC.EXE
wintask.exe
wzchu1.exe
?hkntfs.exe
nslo.exe
wucit.exe
abasa5jrp.exe
Nail.exe
nail[1].exe
thnall1ac.exe
gdiyfplm.exe
wxkpsjwn.exe
ibecdbv8.exe

cfgmgr51.dll
Bolger.dll
wcij.dll
nsaAD.dll
AUNPS2.DLL
Pynix.dll
(Make sure you check the dllcache, Prefetch, and all "temp" folders) -
Delete all that you find

Clean out all your temp files.

Restart your computer into "Normal" mode.

Run HijackThis again -
Run your log through the Analysis site -
Post a LINK to your new HJT log file back here.

Any questions/problems - let us know!

Good luck!
RF
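The reply above works by reading a HijackThis log and picking out the entries that look like the infection: a `Shell=` line in system.ini that launches something besides Explorer.exe, BHOs with no name or no file, Run keys pointing at bare filenames or at files under the user profile, and a service with an unknown owner. As an added example (not code from the thread, and not a HijackThis tool), here is a small Python triage that applies those same checks to HijackThis-style log lines. The `KNOWN_BAD` list is copied from the filenames the reply tells the asker to remove; the sample log is constructed from entries quoted in the thread plus one benign `ctfmon.exe` autostart to show that an ordinary entry is left alone. The heuristics (bare filename in a Run key, autostart under `Documents and Settings`/`Application Data`, "Unknown owner" service, nameless or fileless BHO, any O16 download) are my own assumptions about what is worth a second look, not rules from the page.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Filenames the reply above tells the asker to kill, fix and delete (copied from the thread).
KNOWN_BAD = {n.lower() for n in (
    "svcproc.exe", "yzcuxu.exe", "ALCXMNTR.EXE", "winupdt.exe", "QGHVDLL.EXE", "QGHVENC.EXE",
    "wintask.exe", "wzchu1.exe", "nslo.exe", "wucit.exe", "abasa5jrp.exe", "Nail.exe",
    "gdiyfplm.exe", "wxkpsjwn.exe", "ibecdbv8.exe", "cfgmgr51.dll", "Bolger.dll",
    "wcij.dll", "nsaAD.dll", "AUNPS2.DLL", "Pynix.dll",
)}

# Constructed sample log: entries quoted in the thread, plus one benign O4 line
# (ctfmon.exe, the XP language-bar process) that should not be flagged.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)",
    r"O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll",
    r"O4 - HKLM\..\Run: [33og33V] wzchu1.exe",
    r"O4 - HKCU\..\Run: [Srro] C:\Documents and Settings\HP_Owner\Application Data\nslo.exe",
    r"O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
])

@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section code such as "O4"
    reason: str  # why the line deserves a look
    line: str    # the log line as written

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")

def basename(path: str) -> str:
    """Last path component, lower-cased, with a rundll32 ',EntryPoint' suffix removed."""
    return path.replace("/", "\\").split("\\")[-1].split(",")[0].strip().lower()

def check_f2(body: str) -> List[str]:
    # The shell line should read exactly Shell=Explorer.exe; anything appended runs at logon.
    m = re.match(r"REG:system\.ini: Shell=(.*)", body)
    if not m:
        return []
    value = m.group(1).strip()
    if [p.lower() for p in value.split()] != ["explorer.exe"]:
        return [f"system.ini Shell= is not exactly Explorer.exe: {value}"]
    return []

def check_o2(body: str) -> List[str]:
    m = re.match(r"BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)", body)
    if not m:
        return []
    name, _clsid, path = m.groups()
    reasons = []
    if name == "(no name)":
        reasons.append("BHO registered without a name")
    if path == "(no file)":
        reasons.append("BHO CLSID points at a file that no longer exists")
    elif basename(path) in KNOWN_BAD:
        reasons.append(f"BHO file {basename(path)} is on the removal list")
    return reasons

def check_o4(body: str) -> List[str]:
    m = re.match(r"HK[A-Z]{2}\\\.\.\\Run\w*: \[(.*?)\] (.*)", body)
    if not m:
        return []
    _entry, command = m.groups()
    parts = command.split(None, 1)
    # For rundll32 lines the interesting file is the DLL argument, not rundll32 itself.
    target = parts[1] if len(parts) == 2 and parts[0].lower().startswith("rundll32") else command
    low = target.lower()
    reasons = []
    if "\\" not in target:
        reasons.append("bare filename, resolved by PATH search instead of an explicit location")
    if "\\documents and settings\\" in low or "\\application data\\" in low:
        reasons.append("autostart runs from a user profile directory")
    if basename(target) in KNOWN_BAD:
        reasons.append(f"{basename(target)} is on the removal list")
    return reasons

def check_o16(body: str) -> List[str]:
    m = re.match(r"DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)", body)
    if not m:
        return []
    return [f"ActiveX control downloaded from {m.group(3)}; confirm you chose to install it"]

def check_o23(body: str) -> List[str]:
    m = re.match(r"Service: (.*?) \((.*?)\) - (.*?) - (.*)", body)
    if not m:
        return []
    _display, _short, owner, path = m.groups()
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("service has no recognised publisher")
    if basename(path) in KNOWN_BAD:
        reasons.append(f"service binary {basename(path)} is on the removal list")
    return reasons

CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "F2": check_f2, "O2": check_o2, "O4": check_o4, "O16": check_o16, "O23": check_o23,
}

def analyze(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons = CHECKS.get(kind, lambda _body: [])(body)
        if reasons:
            findings.append(Finding(kind, "; ".join(reasons), line))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Running it against the sample flags eight of the nine lines and leaves the `ctfmon.exe` autostart alone. The checks are deliberately narrow: a flagged line is a candidate for the kind of manual review the reply performs, not a verdict, and a real HijackThis log carries many more section types than the five handled here.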
