Malicious search toolbar is now appearing on my IE windows and Windows Explorer windows.

Posted on 2006-05-29
Last Modified: 2010-04-11
Looks like I picked up some sort of malicious search toolbar. It's appearing in both my IE windows and my Windows Explorer windows. It has a bogus "Remove Toolbar" button that just takes you to various pages for spyware software and other advertisements. I haven't been able to find anything on it in Google or your own Experts Exchange database. How do I remove this thing from my system?
Question by:jaerob
    LVL 97

    Expert Comment

    Greetings, jaerob !

    Some website has hijacked your search.

    1. Use the following scanners to find and remove the website.

    Spy Sweeper
    SpyBot S&D searches your hard disk for so-called spy- or adbots.

    2. Some shopping and porn websites redirect links to their websites using your HOSTS file. Do a search for the HOSTS (without extension) file and remove the entry.

    3. If still no joy, download HijackThis

    Run the program and you will find many entries. Most are OK. Post the log at and click Analyse, Save.  Post a link to the saved list here.

    Best wishes!
    LVL 47

    Expert Comment

    Hi jaerob,
    I second the suggestion of hijackthis. It is an excellent diagnostic tool (as well as malware remover) which can tell us what toolbar you're talking about, or what malware is in your system.
    We can then let you know the right tool to fix it IF hijackthis alone can't fix it.

    Please download HijackThis 1.99.1
    Open Hijackthis, click "Do a system scan and save a logfile"; don't fix anything yet.
    Notepad will also open; copy its contents and paste it to either of these sites:
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    Or paste the log at -->
    and click "Analyse", click "Save".  Post the link to the saved list here.

    Author Comment

    Hi guys. Thanks for responding so quickly. Here's my Hijackthis analysis file URL: Whatever this thing is, it has really crippled my machine. It's very slow and regular programs like Outlook lock up every time I try to use them.  
    LVL 47

    Accepted Solution

    There's the toolbar! You also have a wareout infection there as well.

    1. Uninstall UnSpyPC from Add/Remove Programs list.

    You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.

    If you have problems with your connection:
    Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

    Please download FixWareout from one of these sites:

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads please post the text that will open (report.txt)

    2. Run Hijackthis and put a check next to these entries and click "Fix Checked" (some of the entries will no longer be there after you run "fixwareout"):

    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - install3.0/installer.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer =,    
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFA2A172-FC1A-4A65-B8DA-7E2C46C62006}: NameServer =,    
    O17 - HKLM\System\CS1\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer =,    
    O17 - HKLM\System\CS2\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer =,  
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)

    Make sure that this file is gone --> C:\WINDOWS\System32\twffm.dll

    3. Go to START > RUN > type in


    In the next window, look on the right hand side for this service name:
     Network Security Service

    Double click on it and STOP the service
    In the drop down menu, change the startup type to "Disabled"

    4. If the toolbar persists, please run AboutBuster:
    Download About:Buster 6.0.

    Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

    Exit AboutBuster and reboot into safe mode.
    Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.
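
The entries listed in the accepted solution follow HijackThis's fixed line format (section code, then details), so a saved log can be triaged with a short script. The Python below is an added illustration, not part of the original thread and not code from HijackThis; the function names are hypothetical, and its notes are pointers for a human reviewer rather than verdicts.

```python
import re
from collections import defaultdict

# Entries copied from the post above (O23 display name abridged, O16 omitted).
SAMPLE_LOG = r"""
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer =,
O23 - Service: Network Security Service - Unknown owner - C:\WINDOWS\ieee.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis section codes that appear in the post.
SECTIONS = {"O2": "Browser Helper Object", "O3": "IE toolbar",
            "O4": "autostart entry", "O16": "ActiveX download",
            "O17": "DNS setting", "O23": "Windows service"}

def parse_log(text):
    """Split a HijackThis log into dicts: code, kind, guid (if any), detail."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, detail = m.groups()
            g = GUID.search(detail)
            entries.append({"code": code, "kind": SECTIONS.get(code, "other"),
                            "guid": g.group(0).upper() if g else None,
                            "detail": detail})
    return entries

def components(entries):
    """Map each browser add-on CLSID to every section that registers it."""
    seen = defaultdict(list)
    for e in entries:
        if e["code"] in ("O2", "O3") and e["guid"]:
            seen[e["guid"]].append(e["code"])
    return dict(seen)

def review_notes(entries):
    """Heuristic pointers for a human reviewer, not verdicts."""
    notes = []
    for e in entries:
        if e["code"] == "O17" and "NameServer" in e["detail"]:
            notes.append((e["code"], "NameServer set in registry; compare with expected DNS"))
        if e["code"] == "O23" and e["detail"].endswith("(file missing)"):
            notes.append((e["code"], "service registered but its binary is missing"))
    return notes
```

Grouping by CLSID shows why the O2 and O3 lines are fixed together: both register the same DLL, so removing only one leaves the component loaded.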

    Author Comment

    Hi there rpggamergirl!
    Wow! Those were very detailed instructions.
    What's more... they definitely seem to have worked!!!
    1. The toolbar is gone and my machine is functioning normally again.
    2. I was able to delete c:\windows\system32\twffm.dll.
    3. Here's the post of the text from Fixwareout.exe:

    Fixwareout ver 1.003
    Last edited 04/26/2006
    Post this report in the forums please
    Reg Entries that were deleted

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    Example ipsec6.exe is lagitamate
    »»»»» Search by size and names...
    * csr.exe  C:\WINDOWS\System32\CSBFG.EXE
    »»»»» Misc files
    * thequicklink  C:\WINDOWS\System32\TWFFM.DLL
    »»»»» Checking for older varients covered by the Rem3 tool
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSBFG.EXE       51 249 2006-05-29      
    C:\WINDOWS\SYSTEM32\DMFNX.EXE       44 088 2003-05-11

    Is there anything more that I need to do?
    I haven't attempted a reboot as yet.
    LVL 47

    Expert Comment

    You didn't mention anything in your topic about "re-directions". Did you have that symptom? Just curious.

    Rename this file for now, it looks very much like part of wareout  --> C:\WINDOWS\System32\CSBFG.EXE

    Blacklight will see this file, you can use Blacklight to rename it if you want, then delete it later if everything is OK.

    Download and save blacklight to your desktop.
    Doubleclick blbeta.exe, accept the agreement, click scan > next.

    You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
    LVL 47

    Expert Comment

    I suggested Blacklight because it might find other hidden files, :)

    Or you could just submit this file --> C:\WINDOWS\System32\CSBFG.EXE
    at jotti, and if it's clean then leave it.


    Author Comment

    Hello again.    :)
    Nope, there were no re-directions; however, if you clicked on the bogus "Remove Toolbar" button it would open a new window and send you to a random solicitation site of some kind.
    I installed and ran Blacklight but it found nothing.
    Jotti, on the other hand,  found the following problems with  C:\WINDOWS\System32\CSBFG.EXE...

    Scanner                 Malware name
    AntiVir                 X
    ArcaVir                 X
    Avast                   Win32:Ardamax-U
    AVG Antivirus           X
    BitDefender             Dropped:Trojan.Keylogger.Ardamax.D
    ClamAV                  X
    Dr.Web                  Program.Ardamax
    F-Prot Antivirus        X
    Fortinet                X
    Kaspersky Anti-Virus    not-a-virus:Monitor.Win32.Ardamax.k
    NOD32                   X
    Norman Virus Control    X
    UNA                     X
    VirusBuster             X
    VBA32                   Trojan-Dropper.VB.22

    What's next?
    Do I try to rename the file manually?
    LVL 47

    Expert Comment

    Yes, you can try to rename the file manually; renaming it will make it inactive.
    Then delete it later.

    Or just delete it now, I trust Kaspersky and Avast (they use the same scanning engine).
    LVL 47

    Expert Comment

    BitDefender also found the file as bad and BitDefender is a very good antivirus scanner, but I always put it second to Kaspersky, :)

    Author Comment

    I was able to rename and delete the file with no problem.
    I then did a reboot and all seems to be A-OK!
    No system slowness, no toolbar, no program lockups, and those 2 dll files did not reappear.
    You, rpggamergirl, are a genius!!!
    I can't thank you enough!
    I am deeply grateful for your help.
    May God bless you and yours.
    LVL 47

    Expert Comment

    No problem, glad to hear it's all resolved.

    Hijackthis is a great tool; if it can't fix it, it will always point us to where the culprit is.

    Thank you for the points with an "A" grade!
    Thanks, May God Bless you too.
