FreshBar

Discussion in 'Malware Help (A Specialist Will Reply)' started by pohoho, Feb 3, 2005.

  1. pohoho

    pohoho Private E-2

    I have this FreshBar toolbar appearing on Internet Explorer and I can't get rid of it. Also homepage forced to About:Blank and there is a search page appearing. Please help.

    Thanks
    POHOHO
     
  2. pohoho

    pohoho Private E-2

    Thanks for your reply. I did Housecall online, detected TROJ_STARTPAG.AG at beginning of the scan. Symantec online scan, McAfee AVERT Stinger both came up nothing. Spybot Search & Destroy detected CoolWWWSearch.bootconf and DSO Exploit. All detected removed. However, after reboot, the toolbar still exists. Please advise.

    Thanks
    POHOHO
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Pohoho,

    If you are certain that you've exhausted the options in the tutorial Star17 linked, then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  4. pohoho

    pohoho Private E-2

    Here is the HijackThis log
     


  5. PhilliePhan

    PhilliePhan Guest

    Hi Pohoho,

    Please have About:buster and HSRemove from the Cleanup Tutorial on hand, updated and ready to go. Let's see how bad this really is. . . .



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {37C3BE05-5D91-4E91-B2A9-94A000E57268} - C:\WINDOWS\System32\qwsxp.dll

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll

    O17 - HKLM\System\CCS\Services\Tcpip\..\{115C3C9A-4880-44BB-88A3-97BAD4B5DE84}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CFA8ABF9-D211-4207-B8EF-6FFDEBC7C861}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{115C3C9A-4880-44BB-88A3-97BAD4B5DE84}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\Tcpip\..\{115C3C9A-4880-44BB-88A3-97BAD4B5DE84}: NameServer = 69.50.176.156,195.225.176.31

    O18 - Filter: text/html - {FD4C2DF1-5E96-4D0D-9EA6-C6B4187F2D30} - C:\WINDOWS\System32\qwsxp.dll
    O18 - Filter: tœ†5?òDÆR - {9AD3F5BA-A56A-42D2-934F-319E428178B7} - C:\WINDOWS\System32\qwsxp.dll
    O18 - Filter: tœ†5?òyEÆR - {040B43B7-06A7-46CB-8402-C3B4A7377CDE} - C:\WINDOWS\System32\qwsxp.dll
    O18 - Filter: tœ†5?ò¾EÆR - {FD4C2DF1-5E96-4D0D-9EA6-C6B4187F2D30} - C:\WINDOWS\System32\qwsxp.dll
    O18 - Filter: tœ†5?ò¿EÆR - {79AF48E2-864E-4C20-A778-B93939B75877} - C:\WINDOWS\System32\qwsxp.dll
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\qwsxp.dll
    C:\WINDOWS\System32\iesp2.dll

    NEXT:
    Please run About:Buster and HSRemove.

    NOW:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when I can find some time.

    Best luck :)
    PP
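
An added example, not part of the thread or of PhilliePhan's instructions: a small Python triage of HijackThis lines like those quoted in the post above, showing that the flagged entries converge on the two DLLs listed for deletion. The heuristics (res:// values, add-on DLLs sitting directly in System32, a static NameServer) and the function names are assumptions for illustration; the sample lines are copied from the log above.

```python
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")        # "<section> - <entry>"
DLL_RE = re.compile(r"[A-Za-z]:\\[^/]+?\.dll", re.I)        # drive-rooted DLL path
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SYS32_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)    # DLL directly in System32

# Lines copied from the HijackThis log quoted in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {37C3BE05-5D91-4E91-B2A9-94A000E57268} - C:\WINDOWS\System32\qwsxp.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{115C3C9A-4880-44BB-88A3-97BAD4B5DE84}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {FD4C2DF1-5E96-4D0D-9EA6-C6B4187F2D30} - C:\WINDOWS\System32\qwsxp.dll
"""

def triage(line):
    """Return (section, reasons) for a HijackThis line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, rest = m.group(1), m.group(2).strip()
    reasons = []
    if code in ("R0", "R1"):                      # IE start/search page values
        value = rest.partition(" = ")[2]
        if value.lower().startswith("res://"):
            reasons.append("IE page loaded from a DLL resource")
        if value.endswith("(obfuscated)"):
            reasons.append("value marked obfuscated by HijackThis")
    elif code in ("O2", "O3", "O18") and SYS32_RE.search(rest):
        reasons.append("browser add-on DLL directly in System32")
    elif code == "O17" and "NameServer" in rest:  # per-interface DNS override
        reasons.append("static DNS: " + ",".join(IP_RE.findall(rest)))
    return code, reasons

def suspect_dlls(log_text):
    """Count flagged lines per DLL path (lower-cased) across a whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        result = triage(line)
        if result and result[1]:
            hits.update(p.lower() for p in DLL_RE.findall(line))
    return hits

if __name__ == "__main__":
    for path, n in suspect_dlls(SAMPLE).most_common():
        print(n, path)
```
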
     
  6. pohoho

    pohoho Private E-2

    Hi PhilliePhan,

    Thanks for your help. The toolbar is gone. And the computer seems to be running faster now. Here is the new log. If this is it, thanks so much for your help.

    Thanks
    POHOHO
     


  7. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) HJT Log looks good!

    You can go ahead and fix this remnant from running HSRemove with HJT if you desire:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    While you're here, check out Chaslang's Suggestions!!

    PP :)
     
