Spyware Question

Discussion in 'Malware Help (A Specialist Will Reply)' started by Dorvaq, Feb 19, 2005.

  1. Dorvaq

    Dorvaq Private E-2

    Hello,

    My girlfriend's parents have this obnoxious blue toolbar that appears at the bottom of the screen every time you open Internet Explorer. Sometimes icons are added to the desktop that cannot be removed.

    Now I've tried to remove this using the comprehensive spyware removal guide posted on this site, but to no avail. I am now willing to follow another guide posted by one of your expert members, but before I do so I would like to know if the fact that the computer has many (5) user accounts will make a difference?

    The reason I am asking this is that my girlfriend had the exact same problem and I was able to remove it. She only has one account. I was later able to remove the spyware from her parents' PC, but only temporarily. After a while the blue toolbar would reappear and I began to wonder if it had anything to do with the multiple user accounts.

    BTW, Ad-aware SE and Spybot do not seem to be able to pick up the spyware installed on the PC. I was only able to remove it permanently on my girlfriend's PC, and temporarily on her parents' PC using a combination of small spyware removal tools found on other sites and Microsoft's Giant Anti-Spyware software. Any feedback would be much appreciated. Thanks.

    Oh, and both PCs run on XP with the latest updates.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to post this in the Spyware forum so that we can address your issue. Also if you have not completed all the steps in the sticky please do so before we continue.

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. Dorvaq

    Dorvaq Private E-2

    I have followed Major Attitude's step-by-step guide in spyware removal... but it didn't work. I also have all the latest programs linked in the tutorial.

    I am about to follow another guide posted in this forum...

    but first I would like to know if having multiple accounts on the PC will make a difference due to the reasons I have outlined in my previous thread. Thanks.
     
  4. PhilliePhan

    PhilliePhan Guest

    You can also try these tools:

    ToolBar Cop

    OmegaKillerSM

    Please provide BJ with as much information as possible so that he can assist you in a timely manner :)

    PP
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you still have the problem after trying all of the steps in the sticky, make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting.

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  6. Dorvaq

    Dorvaq Private E-2

    Alright,

    So I have managed to remove the blue toolbar using Omegakiller (Thanks a million PhilliePhan), but the desktop icons still reappear after 30 mins and so does a grey toolbar embedded in IE.

    I have attached my HJT log. I hope it will give you more information. Thanks again.
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go ahead and do another scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A510CA5-6BEA-4805-AC93-2023072A323A}: NameServer = 206.47.244.14 206.47.244.61

    O17 - HKLM\System\CS1\Services\Tcpip\..\{2A510CA5-6BEA-4805-AC93-2023072A323A}: NameServer = 206.47.244.14 206.47.244.61


    Are these two entries part of your ISP settings?
    DO NOT FIX THESE TWO YET!


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!
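
The O17 question in the post above (whether the logged NameServer values are the ISP's) can be checked mechanically once the log is in hand. As an added example, not part of the original thread or any MajorGeeks tool: a small Python reviewer for HijackThis `O1 - Hosts:` and `O17 - ... NameServer` lines. The sample log, the `review_log` name and the ISP resolver list passed to it are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in HijackThis log-line format (not the poster's log).
# Addresses are documentation ranges; {INTERFACE-GUID} is a placeholder.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.41 ads.example.com
O1 - Hosts: 203.0.113.9 www.example-bank.test
O17 - HKLM\System\CCS\Services\Tcpip\..\{INTERFACE-GUID}: NameServer = 192.0.2.53 198.51.100.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{INTERFACE-GUID}: NameServer = 192.0.2.53,198.51.100.7
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"^O17 - (\S+): NameServer = (.+)$")

def _ip(text):
    """Parse an address, returning None for malformed values."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def review_log(text, isp_dns):
    """Return (hosts_findings, dns_findings) for the O1 and O17 lines."""
    known = {ipaddress.ip_address(a) for a in isp_dns}
    hosts, dns = [], []
    for line in map(str.strip, text.splitlines()):
        m = HOSTS_RE.match(line)
        if m:
            addr, name = _ip(m.group(1)), m.group(2).lower()
            if addr is None:
                hosts.append((name, m.group(1), "malformed"))
            elif addr.is_loopback and name == "localhost":
                pass  # the stock entry, nothing to review
            else:
                kind = "loopback" if addr.is_loopback else "redirect"
                hosts.append((name, str(addr), kind))
            continue
        m = DNS_RE.match(line)
        if m:
            # The value may be space- or comma-separated.
            servers = [s for s in re.split(r"[,\s]+", m.group(2).strip()) if s]
            unknown = [s for s in servers if _ip(s) not in known]
            dns.append((m.group(1), unknown))
    return hosts, dns

if __name__ == "__main__":
    print(review_log(SAMPLE_LOG, ["192.0.2.53"]))
```

An empty `unknown` list for every O17 line means all logged resolvers are on the list you supplied; anything left over is what to confirm with the ISP before fixing.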
     
