Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Can't remove WinTools from registry-Huntbar remains

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby madmurph » March 24th, 2005, 4:04 pm

This quote:
It Makes Me Wonder Makes Me Think Theres More To This Im On The Brink

It Cant Be All Coincidence Too Many Things Are Evident
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal
Advertisement
Register to Remove

Unread postby Bertha » March 24th, 2005, 4:24 pm

Oh thats from an Iron Maiden song that I was listening too the other day whilst helping other people with their HJT Log problems.

(Im a student you see although dont normally listen to Iron Maiden I listen more to Marillion and Placebo)

Why do you ask?

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » March 24th, 2005, 6:09 pm

Hi again - restarted, reset SpyBot, it still logs Huntbar in red and won't remove it. ??????
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » March 24th, 2005, 6:20 pm

Hey madmurph,

Run this tool - http://sarc.com/avcenter/venc/data/adware.huntbar.html

After running it restart your computer

Now run Spybot again see what happens if the problem still remains post a new Hijackthis Log back here and any relevant information

Oh and why ask about my quote I use?

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » March 24th, 2005, 7:12 pm

Hi Bertha - I've run Adware.Hunbar.exe before. However, this is WinTools Huntbar, so that program never detected it. On latest boot, I ran MS Spytool Beta 1 and it showed the following result (which I alledgedly cleaned using same program):

Spyware Scan Details
Start Date: 3/24/2005 2:52:22 PM
End Date: 3/24/2005 3:01:14 PM
Total Time: 8 mins 52 secs

Detected Threats

BrowserAid Browser Plug-in more information...
Details: BrowserAid is a group of Internet Explorer toolbars that are installed without your consent.
Status: Removed
Elevated threat - Eleveated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runwindowsupdate
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runwindowsupdate\Active 15 1054658311
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runwindowsupdate Country US


Detected Spyware Cookies
No spyware cookies were found during this scan.

Here's the HJK log (following the previous scan):

Logfile of HijackThis v1.99.1
Scan saved at 3:17:38 PM, on 3/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\SpyWare\New Folder\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://download.toontown.com/sv1.0.14.33/ttinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/act ... Atchmt.ocx
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » March 24th, 2005, 7:24 pm

Hye madmurph,

From what I see you are Clean

Try this though and get back to me with an new log

Add Remove Programs

Start - Control Panel – Add/Remove Programs (Might not be there)

Wintools (or similair)

Reboot Normally

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » March 24th, 2005, 9:26 pm

Hey There -- Wintools is not in the Program Group (or add/remove). It is in the registry under "Uninstall", but when I click on that WinTools folder I get an error message: "Access Denied". I can't open it, delete it, nothing. I'm further concerned that garbage would show up in the MS Spy program when I am alledgedly clean.

I like your quote because it paralells my life philosophy. It implies an "inter-connectedness" -- all the messages are present if you are conscious and pay attention to them. The "brink" being the threshold of that consciousness and understanding. (Sorry, I can't help my self.) Good night. MM
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » March 25th, 2005, 5:26 am

Well right now Microsoft Antispyware is in Beta testing (meaning it is not accurate and really should not be trusted)

This is just my opinion on it right nwo and I am not goign to download it until it even goes to its final copy and out of Beta testing.

Are there any problems with your computer at all (acting strangely,slowness)?

If you like post a new HJT Log and I'll take a look

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Bertha » March 25th, 2005, 9:01 am

Hey AVG,

I can also see that you dont have an Antivirus software.

Download this free one and update it everyday (ususally they have daily updates)

Run it at least once a week

http://www.grisoft.com/doc/71/lng/us/tpl/tpl01

Click on the first link "AVG 7.0 for Windows"

Post that New Hijackthis Log back here too as I think we have a little problem to resolve

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » March 25th, 2005, 10:13 am

Hey Bertha - - I was actually using two different virrus programs - McAfee ver 4.5.1, and then McAfee Enterprise. They were "borrowed" from my District so when advised my system was clean, I uninstalled them. It was my understanding that "Enterprise" would clean WinTools Huntbar, which it did not. I will reinstall Enterprise, run it and HJK, and repost. Cheers, T
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » March 25th, 2005, 11:02 am

Post that HJT Log when you can

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » March 28th, 2005, 1:08 pm

Hi Bertha -- like Chuckie and bad pennies, I'm back. Re-installed McAffee Enterprise with different settings and it found 217 Malware programs -- and it couldn't remove them all. Ran SpyBot and it's still finding a dozen programs, all of which it removes, except -again- Huntbar. HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:56 AM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\Mom & Dad\Application Data\tsad.exe
C:\WINDOWS\system32\n?lookup.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\SpyWare\New Folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Arma] C:\Documents and Settings\Mom & Dad\Application Data\tsad.exe
O4 - HKCU\..\Run: [Flpyxjlp] C:\WINDOWS\system32\n?lookup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://download.toontown.com/sv1.0.14.33/ttinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/act ... Atchmt.ocx
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » March 28th, 2005, 1:54 pm

Hey madmurph,

Well there are definelty some baddies there, I'll be back shortly

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Bertha » March 28th, 2005, 2:23 pm

Hey madmurph,

Please upload the following file to this website

aimsgr.exe

http://virusscan.jotti.org/

Click the browse button at the top of the page and locate the above file (look in the system32 folder or in the progrma files folder)

Then click "Submit"

It will then tell you the results further down the page,

Please post these results back here in your reply

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » March 28th, 2005, 2:47 pm

visual and "windows search" did not reveal this file. File not found. T
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware