Can't get rid of a toolbar caused by a spyware program!! Please help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GStam66, Jul 3, 2005.

  1. GStam66

    GStam66 Private First Class

    This toolbar just came out of nowhere! It appears in windows such as Recycle Bin, My Pictures, My Computer, Internet Explorer, etc., but doesn't appear in Mozilla Firefox. I have tried Spybot and Ad-Aware, but they didn't help at all.

    I can't edit what toolbars I can view, and I'm losing more free space on my hard drive every day! There is a button that is for removing the toolbar, but the company (STOPzilla) wants $20 to remove it!!

    Also, when I close a window, it sometimes changes to an about:blank window, and then it closes normally.

    Please Help!!!
     
  2. tblue

    tblue Corporal

    Hi GStam66,
    The below thread is a good place to start. Make sure you follow the directions. Post your results and Chas or BJ will be happy to assist you from there.
    Good Luck, :D
    T.Blue

    PLEASE READ THIS BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal! (forum thread 35407)

    - Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? Etc.
     
  3. GStam66

    GStam66 Private First Class

    Will do. I will have the results up soon. I am curious, how often are problems with toolbars related to spyware? Is this a common problem?
     
  4. tblue

    tblue Corporal

    From what I have seen ....yes. I guess a lot of programs have their own?? Toolbars aggravate the crap outta me :eek:
     
  5. GStam66

    GStam66 Private First Class

    strange... I ran Trend Micro, and it closed all my windows after fixing something...

    I have Trend Micro PCCillin, will that do the same thing?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    That's a little vague. What did it remove? And if it removed the problem, it may have been necessary for it to close all windows to fix the problem. What windows are you referring to? It is always best to have nothing running except the scanners (online or others) when performing these steps.

    Complete the remaining steps of the READ ME FIRST and then report back on all steps and on what problems remain.

    Question: Are you saying you have a problem with StopZilla and you do not want to have StopZilla? If so, uninstall it using Add/Remove programs.
     
  7. GStam66

    GStam66 Private First Class

    The file it fixed was a temporary internet file, just a garbled mass of letters after H:/...../TemporaryInternetFiles/...

    STOPzilla is the company that is charging $20 to remove the toolbar. I can't remove it through Add/Remove Programs, but my sister has an "uninstall viewpoint toolbar" icon in her folder, but when I click it, nothing happens except a dialogue box asking if I'm sure about uninstalling. I hit "yes", but it's still there.

    My friend says I can fix this through regedit; do you guys think I should try that?

    As far as Trend Micro, I'm gonna try that again, and then I'll post my results.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Viewpoint Toolbar is installed by AOL with both their standard software and when you install AIM. Even though you do not ask for it they install it anyway. Look in Add/Remove programs for a variety of Viewpoint stuff (like Viewpoint Manager and Viewpoint Toolbar) and just uninstall them.

    If you just finish running the READ ME FIRST steps we can get around to fixing all of your problems. They are easy to fix. Just finish the READ ME FIRST and then I will give you the next steps.

    While you are at it, why don't you uninstall StopZilla. Sounds like you only have the demo version anyway and the program is not really needed. Browsers like Mozilla Firefox have built in popup protection.
     
  9. GStam66

    GStam66 Private First Class

    I never had STOPzilla; STOPzilla is the name of the site/company that wants money to remove the toolbar. I assume that STOPzilla puts out those toolbars with spyware, so they can make money off of removing them.

    I will have the scan results shortly.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you said that back in message 3. Are you talking about results from the whole READ ME FIRST?

    Is it Viewpoint Manager and Viewpoint Toolbar that you are having problems with?
     
  11. GStam66

    GStam66 Private First Class

    I am doing the scans required as per READ ME FIRST. Those are the results I'm talking about. I have Trend Micro PCCillin, and I ran that before I read the READ ME FIRST page.

    Viewpoint is not the problem. The problem is some random toolbar that appeared one day, and it appears on almost every window, except for Mozilla Firefox. I can't find any way to remove it, and it prevents me from editing any toolbars.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your previous message said "but my sister has an 'uninstall viewpoint toolbar' icon".

    Just complete the READ ME FIRST which was the first thing explained to you and then follow the steps below exactly:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).


    By the way it could also be possible that the following would help you: Toolbarcop
     
  13. GStam66

    GStam66 Private First Class

    Alright, Trend Micro is still scanning, but I read ahead a bit in the READ ME FIRST page. I don't have Ad-Aware SE. (Every time I try to run it, it keeps telling me to insert a disk into the drive, when I don't have a disk because I downloaded it.) Is Ad-Aware 6 good enough?

    Also, I tried that ToolbarCop program, and I have no idea what I should and shouldn't keep or what toolbars are good and what toolbars are bad... Do you want me to post a list of the toolbars ToolbarCop found?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, Ad-Aware 6 is too old. If you installed Ad-Aware SE from a removable drive or had one installed at any point, you may need to reboot your PC to remove references to the external drive from your registry. Ad-Aware is trying to scan ALL drives. If you cannot get it to work, just skip it and continue.

    You can post what Toolbar Cop found, but don't you know which toolbars you use and which you do not use/need? Are you running Win XP SP2?

    You know you really are not supposed to be logged in and running anything else while running the READ ME FIRST. The only time you should even be connected is while running the online scanners. After that, you should be in safe mode and disconnected from the internet.

    Are you running Ad-Aware SE while in safe mode?
     
  15. GStam66

    GStam66 Private First Class

    I guess I will have to skip the Ad-Aware step...

    As far as ToolbarCop, I just want to see if there are any toolbars that you guys have seen before, and are sure that they are from malware/spyware programs. I attached a Word document that shows the toolbars ToolbarCop found.

    Trend Micro is done, and there were only 3 files, all of which "couldn't be accessed":

    TROJ STRTPAGE.I H:\WINDOWS\system32\sysp.dll
    TROJ STRTPAGE.H H:\WINDOWS\system32\systemp.dll
    TROJ STARTER.B H:\WINDOWS\system32\systemp.exe

    I am not using SP2, because it was causing a lot of problems, and I had to uninstall it.

    I tried running Ad-Aware SE from safe mode, but I still got the "no disk" message.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's ignore Toolbar Cop stuff for now. You need to complete the READ ME FIRST steps and then do what I gave you in message # 12. Don't waste any more time posting until you have completed ALL of those steps (include message # 12).
     
  17. GStam66

    GStam66 Private First Class

    OK, I did what you said in READ THIS FIRST, ran HijackThis, and here is the log file. If the first one doesn't work, the second one should.
     
    Last edited by a moderator: Jul 5, 2005
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First thing to do is to uninstall all but one antivirus application. You have AVG and PC-Cillin. Pick which one you prefer and uninstall the other.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are way out of date and represent a major security risk. After fixing your current problems you MUST get updated. We will cover that later.

    You must remember to exit all browsers ( H:\Program Files\Internet Explorer\iexplore.exe ) before using HJT.

    Go to Add/Remove Programs and look for uninstalls to the below and uninstall if found:
    H:\Documents and Settings\George\Desktop\dlc\SpySweeper v3.0 b113 with crack\Crack\SpySweeper.exe <--- do not use cracked software. You are asking for trouble.
    Ares <--- contains malware and is a possible source for many of your problems
    WinTools
    Media Access
    Internet Optimizer
    SpyFighter <--- this is a rogue

    I'm working on the rest of the fixes.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    H:\Program Files\Common Files\WinTools\WToolsS.exe
    H:\Program Files\Media Access\MediaAccK.exe
    H:\Program Files\Media Access\MediaAccess.exe
    H:\WINDOWS\System32\systemp.exe
    H:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    H:\Program Files\Common Files\WinTools\WSup.exe
    H:\Program Files\Ares\Ares.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - H:\WINDOWS\nem220.dll (file missing)
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - H:\WINDOWS\System32\phvub.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - H:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - H:\PROGRA~1\YOURSI~1\ysb.dll
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - H:\WINDOWS\System32\phvub.dll
    O4 - HKLM\..\Run: [SpyFighterMonitor] "H:\Documents and Settings\George\Desktop\George's Folder\SpyFighter\SpyFighterScanner.exe" monitor
    O4 - HKLM\..\Run: [wuviewer] H:\WINDOWS\System32\wuviewer.exe
    O4 - HKLM\..\Run: [WinTools] H:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Media Access] H:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [[01]##############################################################################################################################] H:\Program Files\Internet Optimizer\update\rogue.exe
    O4 - HKLM\..\Run: [onfsmta] h:\windows\system32\gsavqwc.exe r
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c356.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/028d2a69c1a7ed27f920/netzip/RdxIE601.cab
    O21 - SSODL: systemp - {C7961D6B-B6ED-4C49-BEA8-590A8EF243F9} - systemp.dll (file missing)
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - H:\Program Files\Common Files\WinTools\WToolsS.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    H:\Program Files\Common Files\WinTools <--- the whole folder
    H:\Program Files\Media Access <--- the whole folder
    H:\Program Files\Internet Optimizer <--- the whole folder
    H:\Program Files\Ares <--- the whole folder
    H:\Program Files\YOURSI~1 <--- the whole folder, probably really named YourSiteBar
    H:\Documents and Settings\George\Desktop\George's Folder\SpyFighter <--- the whole folder
    H:\Program Files\PartyPoker <--- the whole folder
    H:\WINDOWS\System32\systemp.exe
    H:\WINDOWS\System32\phvub.dll
    H:\WINDOWS\System32\wuviewer.exe
    h:\windows\system32\gsavqwc.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    If the O23 Service is still there for WinTools, do the below before posting the HijackThis log.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to WinTools for IE service or WinToolsSvc. Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    WinToolsSvc
     
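    The fix list above is in HijackThis 1.99 log format: a section code (R0/R1 for IE search and start-page values, O2 for BHOs, O3 for toolbars, O4 for Run keys, O16 for downloaded ActiveX objects, O21 for ShellServiceObjectDelayLoad entries, O23 for services), then the fields that code carries. As an added example written for this thread (not code from HijackThis or from the forum), the Python script below parses those lines into records and attaches the triage flags a helper like chaslang acts on: orphaned references marked "(file missing)", services with an unknown owner, Run names that are obfuscated runs of punctuation, and search or download URLs pointing at external hosts. The sample input is copied from the log above, with the long run of '#' in the Internet Optimizer entry shortened.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted in this thread
# (the long run of '#' in the Internet Optimizer entry is shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - H:\WINDOWS\nem220.dll (file missing)
O4 - HKLM\..\Run: [WinTools] H:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [[01]####################] H:\Program Files\Internet Optimizer\update\rogue.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c356.cab
O21 - SSODL: systemp - {C7961D6B-B6ED-4C49-BEA8-590A8EF243F9} - systemp.dll (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - H:\Program Files\Common Files\WinTools\WToolsS.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
BODY_RES = {  # one body pattern per family of HJT section codes
    "reg": re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) =\s*(?P<path>.*)$"),  # R0/R1
    "clsid": re.compile(r"^[\w' ]+: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),  # O2/O3/O9/O21
    "run": re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>.*?)\] (?P<path>.*)$"),  # O4
    "dpf": re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<path>.*)$"),  # O16
    "svc": re.compile(r"^Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$"),  # O23
}
CODE_TO_RE = {"R0": "reg", "R1": "reg", "O2": "clsid", "O3": "clsid", "O9": "clsid",
              "O21": "clsid", "O4": "run", "O16": "dpf", "O23": "svc"}

@dataclass
class Entry:
    code: str                 # HJT section code, e.g. "O4"
    name: str                 # display name, Run value name or registry value name
    path: str                 # file path, command line or URL, minus "(file missing)"
    clsid: str = ""
    key: str = ""
    owner: str = ""
    file_missing: bool = False
    flags: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HJT line, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m or m["code"] not in CODE_TO_RE:
        return None
    bm = BODY_RES[CODE_TO_RE[m["code"]]].match(m["body"])
    if not bm:
        return None
    g = bm.groupdict()
    path = g.get("path") or ""
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].rstrip()
    return Entry(m["code"], g.get("name") or "", path, g.get("clsid") or "",
                 g.get("key") or "", g.get("owner") or "", missing)

def triage(e: Entry) -> Entry:
    """Attach the red flags a reviewer looks for when reading an HJT log."""
    if e.file_missing:
        e.flags.append("orphaned reference: target file missing")
    if e.code == "O23" and e.owner.lower() == "unknown owner":
        e.flags.append("service with no registered owner")
    if e.code == "O4" and not re.search(r"[A-Za-z0-9]{3}", e.name):
        e.flags.append("obfuscated Run entry name")
    if e.code in ("R0", "R1", "O16") and e.path.startswith("http"):
        e.flags.append(f"external host: {urlsplit(e.path).hostname}")
    return e

def parse_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.code:<4} {e.name[:28]:<28} {e.path[:44]:<44} {'; '.join(e.flags)}")
```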
  21. GStam66

    GStam66 Private First Class

    WOW! My computer runs so much faster, the free space on my hard drive more than doubled, and that damn toolbar is gone!!!!

    THANK YOU SO MUCH!!!

    Oh yeah, I attached the new logfile you wanted to see.

    THANK YOU AGAIN!!!
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You still must remember to exit browsers ( H:\Program Files\Internet Explorer\IEXPLORE.EXE ) before using HijackThis.

    Also you still have both AVG and PC-Cillin installed. You MUST pick the one you want to keep and uninstall the other. This will also speed things up.

    You still have some problems. Please answer the below questions:

    Did you find WinTools in Add/Remove programs last time? Are you sure you selected it in the HJT lines I gave you to remove?

    Did you use the procedure I gave you at the end to remove the O23 service if the line was still in your log? It does not look like it.

    Did you actually Reset Web Settings as requested? It does not look like it; otherwise MajorGeeks would be your home page and websearch would be gone. If you did, then something reset it back.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After answering my previous questions and uninstalling one of the antivirus applications, continue with the below:

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (You probably will not find the below, but I want to be sure just in case they came back.)
    H:\Program Files\Common Files\WinTools\WToolsS.exe
    H:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    H:\Program Files\Common Files\WinTools\WSup.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - H:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O4 - HKLM\..\Run: [WinTools] H:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - H:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    H:\Program Files\Common Files\WinTools <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and CHECK your HJT log for the O23 service entry for WinTools. If it is still there run the steps below in the quote box to fix this. And tell us how things are working.
    Now post a new HJT log and tell us how things are working.
     
  24. GStam66

    GStam66 Private First Class

    After sending the last report, I was able to find the remnants of WinTools, and I deleted them.

    I did indeed reset my web settings, but I kept my homepage as www.gmail.google.com. Sorry for not telling you before.

    I didn't have any WinTools processes to kill; they weren't there at all.

    The O23 service was gone, but the others were still there.

    As far as uninstalling an antivirus program, which do you think is better? PCCillin has a realtime scanner, but AVG has a lot more updates and it updates more often than PCCillin.

    I am running HJT again, and I will post the results soon.
     
  25. GStam66

    GStam66 Private First Class

    Here are the final (hopefully) results:
     

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean (just the two-antivirus issue remains). The decision on what to keep is up to you. Both are good. I assume you have a paid version of PC-Cillin? Keep what you prefer. If you prefer free, keep AVG.
     
  27. GStam66

    GStam66 Private First Class

    I got a special "Windows Utilities" disk when I bought my computer from CompUSA. It included a free copy of PCCillin, Adobe Acrobat Reader, a bunch of drivers, and tons of other helpful freebies.

    I guess I'll keep PCCillin because of the realtime scanner, and if I want AVG back, I can always go to the Grisoft site.

    Thanks for all your help! You guys are awesome! Especially you chaslang, you're a genius!
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your free copy of PC-Cillin is not free forever. Eventually you will need to pay to keep it updated.

    AVG can also be downloaded from MG's and it is listed in the link below. You should now follow the steps in that link to help keep you clean:

    How to Protect yourself from malware!
     
