Malicious search toolbar is now appearing on my IE windows and Windows Explorer windows.

Looks like I picked up some sort of malicious search toolbar. It's appearing in both my IE windows and my Windows Explorer windows. It has a bogus "Remove Toolbar" button that just takes you to various pages for spyware software and other advertisements. I haven't been able to find anything on it in Google or your own Experts Exchange database. How do I remove this thing from my system?
Asked by: jaerob

war1 commented:
Greetings, jaerob !

Some website has hijacked your search.

1. Use the following scanners to find and remove the website.

Ewido
http://www.ewido.net/en/
or
Spy Sweeper
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html
or
SpyBot S&D searches your hard disk for so-called spy- or ad-bots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/

2. Some shopping and porn websites redirect links to their websites using your HOSTS file. Do a search for the HOSTS (without extension) file and remove the entry.

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.

Best wishes!
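Step 2 above says to open the HOSTS file and look for entries that send a site somewhere else. The script below is an added example (not from this thread or from any of the tools named in it) that does that check mechanically: it parses HOSTS syntax and reports every name that is mapped to an address other than the local host. The file content is constructed to look like a hijacked HOSTS file; the addresses and host names in it are made up for the sample, and on a real machine you would read C:\Windows\System32\drivers\etc\hosts instead.

```python
"""Audit a Windows HOSTS file for entries that redirect names away from the host.

Added example, not from the thread. The file content below is constructed to
resemble a hijacked HOSTS file; on a real machine you would read
C:\\Windows\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: two normal lines, one ad-sinkhole line, and two hijack
# lines that point well-known names at an outside address (addresses made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test          # blocklist-style sinkhole, harmless
85.255.113.109  www.example-search.test   # hijack: name sent to an outside host
85.255.113.109  update.example-av.test updates.example-av.test
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list = field(default_factory=list)


def parse_hosts(text: str) -> list:
    """Return the address/name entries, ignoring blank lines and # comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue  # malformed line; nothing to resolve
        entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries


def find_redirects(text: str) -> list:
    """Return (line_no, address, names) for entries that send a name somewhere
    other than the local host. Loopback (127/8, ::1) and the unspecified address
    (0.0.0.0, used by ad blocklists) are treated as benign; anything else is a
    redirect the owner should recognise or remove."""
    redirects = []
    for entry in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(entry.address)
        except ValueError:
            # Not an address at all: still worth a look, report it as written
            redirects.append((entry.line_no, entry.address, entry.names))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        redirects.append((entry.line_no, str(addr), entry.names))
    return redirects


if __name__ == "__main__":
    for line_no, addr, names in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {', '.join(names)} -> {addr}")
```

Run against the sample, it reports lines 5 and 6 and stays quiet about the localhost and 0.0.0.0 lines, which is the distinction a person skimming the file by eye tends to miss.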
 
rpggamergirl commented:
Hi jaerob,
I second the suggestion of hijackthis. It is an excellent diagnostic tool (as well as malware remover) which can tell us what toolbar you're talking about, or what malware is in your system.
We can then let you know the right tool to fix it IF hijackthis alone can't fix it.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Notepad will also open; copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
 
jaerob (Author) commented:
Hi guys. Thanks for responding so quickly. Here's my Hijackthis analysis file URL: http://www.hijackthis.de/logfiles/bcb3c3f0998288c559a4f89fde1c148d.html. Whatever this thing is, it has really crippled my machine. It's very slow and regular programs like Outlook lock up every time I try to use them.  
rpggamergirl commented:
There's the toolbar! You also have a Wareout infection as well.

1. Uninstall UnSpyPC from Add/Remove Programs list.

You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.

If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt)


2. Run Hijackthis and put a check next to these entries and click "Fix Checked" (some of the entries will no longer be there after you run "fixwareout"):

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/ install3.0/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer = 85.255.113.109,85.255.112.141    
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFA2A172-FC1A-4A65-B8DA-7E2C46C62006}: NameServer = 85.255.113.109,85.255.112.141    
O17 - HKLM\System\CS1\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer = 85.255.113.109,85.255.112.141    
O17 - HKLM\System\CS2\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer = 85.255.113.109,85.255.112.141  
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)


Make sure that this file is gone --> C:\WINDOWS\System32\twffm.dll

3. Go to START > RUN > type in

services.msc

In the next window, look on the right hand side for this service name:
 Network Security Service

Double click on it and STOP the service
In the drop down menu, change the startup type to "Disabled"

4. If the toolbar persists, please run AboutBuster:
download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.
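The entries picked out of the log above fall into a few recognisable patterns: O17 NameServer values pointing at resolvers the owner never configured, an O23 service whose binary is missing and whose short name is random bytes, an O4 autostart for a rogue "anti-spyware" product, and a BHO and toolbar registered under one CLSID. The script below is an added example, not from the thread and not part of HijackThis, that parses a log and flags exactly those patterns. The sample log is constructed from the O2/O3/O4/O17/O23 lines quoted in this thread plus one benign O23 line added for contrast; the trusted-resolver list and the rogue-product list are assumptions a defender supplies for their own network.

```python
"""Triage a HijackThis log for the entry types the fix above targets.

Added example, not from the thread or from HijackThis itself. The sample log
is constructed from the O2/O3/O4/O17/O23 lines quoted in this thread plus one
benign O23 line; the trusted resolver list and rogue-product list are
assumptions a defender supplies for their own network.
"""
import ipaddress
import re

SAMPLE_LOG = r"""
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\twffm.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{008C48EA-C3DD-4077-95F5-A3784C5EBDAF}: NameServer = 85.255.113.109,85.255.112.141
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE_NAME_RE = re.compile(r"\((.*?)\) - ")      # service short name in parentheses
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]+")     # what a real short name looks like


def parse_hjt(text):
    """Split a log into (section, body) pairs, e.g. ('O17', 'HKLM\\...: NameServer = ...')."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text, trusted_dns, rogue_names):
    """Return (section, reason, evidence) findings for the patterns above."""
    trusted = {ipaddress.ip_address(a) for a in trusted_dns}
    rogue = {n.lower() for n in rogue_names}
    findings = []
    clsid_sections = {}
    for section, body in parse_hjt(text):
        if section == "O17" and "NameServer" in body:
            # DNS hijack: every resolver must be one the owner configured
            for ip in IPV4_RE.findall(body):
                if ipaddress.ip_address(ip) not in trusted:
                    findings.append((section, f"resolver {ip} is not one we configured", body))
        elif section == "O23":
            m = SERVICE_NAME_RE.search(body)
            short = m.group(1) if m else ""
            reasons = []
            if "(file missing)" in body:
                reasons.append("service binary missing")
            if not SAFE_NAME_RE.fullmatch(short):
                reasons.append("unprintable or random service short name")
            if reasons:
                findings.append((section, "; ".join(reasons), body))
        elif section == "O4" and any(n in body.lower() for n in rogue):
            findings.append((section, "autostart for a known rogue product", body))
        elif section in ("O2", "O3"):
            m = CLSID_RE.search(body)
            if m:
                clsid_sections.setdefault(m.group(0), set()).add(section)
    # One CLSID registered as both BHO and toolbar is worth a look at the DLL it loads
    for clsid, sections in clsid_sections.items():
        if sections == {"O2", "O3"}:
            findings.append(("O2/O3", f"BHO and toolbar share CLSID {clsid}", clsid))
    return findings


if __name__ == "__main__":
    # Assumed: the router is the only resolver; UnSpyPC is on our rogue list
    for section, reason, evidence in triage(SAMPLE_LOG, ["192.168.1.1"], {"UnSpyPC"}):
        print(f"[{section}] {reason}\n    {evidence}")
```

The O17 check is the one worth keeping around after this incident: two O17 lines with the same outside resolvers across CCS, CS1 and CS2 control sets, as in the log above, is the signature of a DNS changer, and the Run-key and service checks only catch what the analyst already knows to name.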
 
jaerob (Author) commented:
Hi there rpggamergirl!
Wow! Those were very detailed instructions.
What's more... they definitely seem to have worked!!!
1. The toolbar is gone and my machine is functioning normally again.
2. I was able to delete c:\windows\system32\twffm.dll.
3. Here's the post of the text from Fixwareout.exe:

----------------------------------------------------------------------------------------------
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xnfmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmfnx.exe"=-
...
 
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
 
»»»»» Search by size and names...
* csr.exe  C:\WINDOWS\System32\CSBFG.EXE
 
»»»»» Misc files
* thequicklink  C:\WINDOWS\System32\TWFFM.DLL
 
»»»»» Checking for older varients covered by the Rem3 tool
 
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSBFG.EXE       51 249 2006-05-29      
C:\WINDOWS\SYSTEM32\DMFNX.EXE       44 088 2003-05-11
--------------------------------------------------------------------------------------------------

Is there anything more that I need to do?
I haven't attempted a reboot as yet.
 
rpggamergirl commented:
You didn't mention in your topic about "re-directions"; did you have that symptom? Just curious.


Rename this file for now, it looks very much part of wareout  --> C:\WINDOWS\System32\CSBFG.EXE

Blacklight will see this file, you can use Blacklight to rename it if you want, then delete it later if everything is OK.

Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
 
rpggamergirl commented:
I suggested Blacklight because it might find other hidden files, :)

Or you could just submit this file --> C:\WINDOWS\System32\CSBFG.EXE
at jotti, and if it's clean then leave it.
http://virusscan.jotti.org/

 
jaerob (Author) commented:
Hello again.    :)
Nope, there were no re-directions; however, if you clicked on the bogus "Remove Toolbar" button it would open a new window and send you to a random solicitation site of some kind.
I installed and ran Blacklight but it found nothing.
Jotti, on the other hand,  found the following problems with  C:\WINDOWS\System32\CSBFG.EXE...

--------------------------------------------------------------------------------
 Scanner         Malware name
AntiVir       X
ArcaVir       X
Avast       Win32:Ardamax-U
AVG Antivirus       X
BitDefender       Dropped:Trojan.Keylogger.Ardamax.D
ClamAV       X
Dr.Web       Program.Ardamax
F-Prot Antivirus       X
Fortinet       X
Kaspersky Anti-Virus       not-a-virus:Monitor.Win32.Ardamax.k
NOD32       X
Norman Virus Control       X
UNA       X
VirusBuster       X
VBA32       Trojan-Dropper.VB.22
---------------------------------------------------------------

What's next?
Do I try to rename the file manually?
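Two decisions are being made in this exchange: whether a file whose name matches Fixwareout's "five digit cs, dm and jb" search is worth worrying about, and whether a multi-engine result with some X's and some names is enough to act on. The script below is an added example, not from the thread, Jotti or Fixwareout, that makes both decisions explicit. The verdict table is constructed from the result pasted above (X meaning the engine saw nothing); the allowlist of legitimate five-letter names and the two-engine threshold are assumptions.

```python
"""Tally a multi-engine scan result and apply the Fixwareout name heuristic.

Added example, not from the thread, Jotti or Fixwareout. The verdict table is
constructed from the result pasted in this thread (X = no detection); the
allowlist of legitimate five-letter names and the threshold are assumptions.
"""
import re

SAMPLE_VERDICTS = """\
 Scanner         Malware name
AntiVir       X
ArcaVir       X
Avast       Win32:Ardamax-U
AVG Antivirus       X
BitDefender       Dropped:Trojan.Keylogger.Ardamax.D
ClamAV       X
Dr.Web       Program.Ardamax
F-Prot Antivirus       X
Fortinet       X
Kaspersky Anti-Virus       not-a-virus:Monitor.Win32.Ardamax.k
NOD32       X
Norman Virus Control       X
UNA       X
VirusBuster       X
VBA32       Trojan-Dropper.VB.22
"""


def parse_verdicts(text):
    """Map engine name -> verdict string; 'X' means the engine saw nothing."""
    verdicts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        # Engine names contain single spaces; columns are separated by runs of 2+
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) != 2 or parts[0] == "Scanner":
            continue
        verdicts[parts[0]] = parts[1]
    return verdicts


def detections(verdicts):
    """Only the engines that actually named the file."""
    return {engine: name for engine, name in verdicts.items() if name != "X"}


def consensus(verdicts, min_engines=2):
    """True when at least min_engines engines name the file (assumed threshold).
    A single hit can be a false positive; several independent hits that agree
    on a family, as with Ardamax above, are a different matter."""
    return len(detections(verdicts)) >= min_engines


# Fixwareout's "five digit cs, dm and jb files" search: a five-letter name
# beginning with cs, dm or jb and ending in .exe. The report itself warns it
# can list legitimate files (csrss.exe fits the pattern), so an allowlist is
# kept; the one below is an assumption and is not exhaustive.
WAREOUT_NAME_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)
KNOWN_GOOD = {"csrss.exe"}


def matches_wareout_pattern(path):
    """True when the file name fits the pattern and is not a known good name."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(WAREOUT_NAME_RE.match(name)) and name.lower() not in KNOWN_GOOD


if __name__ == "__main__":
    v = parse_verdicts(SAMPLE_VERDICTS)
    hits = detections(v)
    print(f"{len(hits)} of {len(v)} engines flagged the file: {sorted(hits)}")
    print("consensus:", consensus(v))
    for candidate in (r"C:\WINDOWS\System32\CSBFG.EXE", r"C:\WINDOWS\System32\csrss.exe"):
        print(candidate, "->", matches_wareout_pattern(candidate))
```

Note that the name heuristic only decides what to submit for a second opinion; it is the engine tally, not the file name, that justifies renaming or deleting, which is the order of steps the thread itself followed.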
 
rpggamergirl commented:
Yes, you can try to rename the file manually; renaming it will make it inactive.
Then delete it later.

Or just delete it now, I trust Kaspersky and Avast (they use the same scanning engine)
 
rpggamergirl commented:
BitDefender also found the file as bad and BitDefender is a very good antivirus scanner, but I always put it second to Kaspersky, :)
 
jaerob (Author) commented:
Ok...
I was able to rename and delete the file with no problem.
I then did a reboot and all seems to be A-OK!
No system slowness, no toolbar, no program lockups, and those 2 dll files did not reappear.
Whew...
You, rpggamergirl, are a genius!!!
I can't thank you enough!
I am deeply grateful for your help.
May God bless you and yours.
 
rpggamergirl commented:
No problem, glad to hear it's all resolved.

Hijackthis is a great tool; if it can't fix it, it will always point us to where the culprit is.

Thank you for the points with an "A" grade!
Thanks, May God Bless you too.