Weird Toolbar has installed itself

Discussion in 'Malware Help (A Specialist Will Reply)' started by jimy1971, Feb 27, 2008.

  1. jimy1971

    jimy1971 Private E-2

    Hi there, I'm new to all this so if I've posted in the wrong place, sorry in advance. Earlier today I opened a file and my Avast 4.7 said there was a Trojan. I deleted it straight away but there's a toolbar on my homepage now that I didn't install. It has the following on it: Remove Popups, Scan Spyware, Security Test, Spam Protection. When I right-click the toolbar it's checkmarked with the letters ekvgsnw. How do I remove it permanently???
    Also when I click my SuperAntiSpyware shortcut, my screen goes black and it's like it's on standby, except moving the mouse or hitting any button won't restart it. It's weird. Any help would be greatly appreciated.
     
  2. abri

    abri MajorGeek

    Hi jimy1971,
    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST and attach the requested logs.

    Thanks.
    abri
     
  3. jimy1971

    jimy1971 Private E-2

    Two quick questions. 1. How do I save MGTools.exe to a root folder in C?
    2. In my Add/Remove I noticed the following: MSXML 4.0 SP2 (KB936181). I've never seen this before. Is it a valid program from Microsoft?
     
  4. jimy1971

    jimy1971 Private E-2

    Here are the Combofix, HJT and SuperAntiSpyware logs.
     

    Attached Files:

  5. abri

    abri MajorGeek

    This depends on which browser you are using.

    If you're using Firefox, go to Tools / Options and in the window that opens up, the first tab is called Main. In the middle of the page is the downloads section where you can specify how your downloads should be stored. Choose "Always ask me where to save files". Then when you download MGTools, you can tell it to save the file directly to your root drive which is the drive where your operating system is located. For most people's computers, this would be C:\

    If you are using Internet Explorer, when you click on the link for MGTools.exe in the READ & RUN ME, a window will open up where you can choose to open the program, save the program or cancel. Choose save and a Save As window will open up where you can browse to the place in your computer where you want to save the file. Choose the drive where your operating system is located, which is C for most people. It might be called Local Disk C. Then find the Using MGTools link in the instructions and do what it tells you to produce the set of logs. The logs are called MGlogs.zip. You will find them located as a file (not a folder) directly under C just above the superman icon.
    You can see that this is a valid file by entering KB936181 into Google (www.google.com) and seeing what descriptions come up from the search. This one is valid.

    After you've completed the MGTools instructions, please attach the zipped set of logs which are automatically produced.
    abri
     
  6. jimy1971

    jimy1971 Private E-2

    Thanks again abri for the help. Here are the logs.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi jimy1971,

    I'm not yet sure what the toolbar is.


    1) You have a lot of files in your temp storage with the following construction:

    ~50942~1.jpd 28 Feb 2008 21 "~50942b682ed4d1c75f59929f7400.jpd"
    ~50942~1.jpg 28 Feb 2008 2132 "~50942b682ed4d1c75f59929f7400.jpg"
    ~b4942~1.jpd 28 Feb 2008 21 "~b4942b682cd641c75f599c28dc00.jpd"
    ~b4942~1.jpg 28 Feb 2008 2189 "~b4942b682cd641c75f599c28dc00.jpg"

    If these are pictures you put in the temp files and wish to keep, please move them to a folder somewhere which is NOT a temporary folder! You should have something like My Pictures where they would be safe.

    If the above files were not put in the temp files by you, please delete them by running CCleaner in the default setting with the Windows tab as the one on top.

    2) Then I would like for you to go to add/remove programs and uninstall the below:

    Viewpoint Manager (Remove Only)
    Viewpoint Media Player


    3) Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...oint.com&6&&unknown&unknown&www.viewpoint.com
    O21 - SSODL: bxlrvps - {8BA8945B-E722-48A7-A3CB-1E0306CB0784} - (no file)

    After you click fix, just close hijackthis.

    4) Next please download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: Now run CCleaner again.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
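    A small triage script, added here as an example and not part of this thread, of MGTools or of HijackThis itself, that reads HijackThis log lines like the ones abri listed in step 3 and flags the two warning signs she is acting on: components still registered with "(no file)" or "(file missing)", and random-looking entry names such as bxlrvps (or the toolbar's ekvgsnw). The sample lines are constructed from this post; the vowel-ratio heuristic is my own assumption, not a HijackThis rule.

```python
import re

# Constructed sample: the HijackThis lines quoted in post 7 (the O16 URL is
# truncated in the thread and is kept that way here).
HJT_LINES = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O9 - Extra button: WPT Casino - {AEA41B74-B7C9-42B7-A684-4CE687B6BA76} - http://online.worldpokertour.com (file missing) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...oint.com
O21 - SSODL: bxlrvps - {8BA8945B-E722-48A7-A3CB-1E0306CB0784} - (no file)
""".splitlines()

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # "O21 - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VOWELS = set("aeiou")

def parse_hjt_line(line):
    """Split one HijackThis line into its section tag, body and CLSID (if any)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    return {"section": section, "body": body,
            "clsid": clsid.group(0) if clsid else None}

def looks_random(name):
    """Assumed heuristic: 6+ letters with under 20% vowels reads as generated."""
    letters = name.lower()
    if len(letters) < 6 or not letters.isalpha():
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2

def flag_reasons(entry):
    """Return the reasons (possibly none) an entry deserves a second look."""
    reasons = []
    body = entry["body"]
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registered component has no file on disk")
    if entry["section"] in ("O20", "O21"):      # Winlogon notify / SSODL loaders
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if looks_random(name):
            reasons.append(f"random-looking {entry['section']} name '{name}'")
    return reasons

def triage(lines):
    """Return [(section, [reasons])] for every parseable HijackThis line."""
    out = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry:
            out.append((entry["section"], flag_reasons(entry)))
    return out

if __name__ == "__main__":
    for section, reasons in triage(HJT_LINES):
        print(section, "->", "; ".join(reasons) or "nothing flagged")
```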
  8. jimy1971

    jimy1971 Private E-2

    Can't seem to find those pics in Temp folders. How do I get rid of them?
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi jimy1971,
    The files showed up in your MGlogs.zip in the file called newfiles.txt. They're at the bottom of this particular log just above the uninstalls list in this particular folder:

    C:\Documents and Settings\jimmy taylor\Local Settings\TEMP

    If you ran ATF Cleaner after you finished running Avenger, it will most likely have deleted all your temporary files. Please run GetLogs.bat as per the instructions in post 7 step 6 so I can check if it did delete them all.

    Thanks.
    abri
     
  10. jimy1971

    jimy1971 Private E-2

    TYVM abri, toolbar is gone. Here's the log. Sorry, it's late/early here lol
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi jimy,


    1) Please disable your guest account if this hasn't been done already.


    2) Then you can delete the following folder from Windows Explorer:

    C:\Documents and Settings\jimmy taylor\Application Data\Viewpoint


    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    5) And now run CCleaner at the default setting with the Windows tab as the one on top.

    I don't see any further signs of malware; however, you are still getting a lot of temp files. I would simply ask you to continue running CCleaner every time you finish with your browsers. This will delete all your temporary files except for those from the current day.

    I will post our final cleanup instructions for you now so you can get all the tools and logs back out of your computer.
    abri
     
  12. jimy1971

    jimy1971 Private E-2

    Hi Abri. Did everything you told me in your last post and everything is running smoothly except for one problem. I have a folder for all my anti-spyware programs and cleaners. But every time I click one of them my screen shuts down for no apparent reason. Nothing I do will start it up again apart from switching off the hard drive and restarting it (with a disk check). Any ideas what is causing this??
     
  13. abri

    abri MajorGeek

    Hi jimy,
    Was your computer doing this all along, or is this a new problem? If it is new that your computer does this (since the last post), please go back one restore point. If you've never done this before, go to Start / All Programs / Accessories / System Tools / System Restore and check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose the date just preceding this problem and allow your system to return to that date. Let me know if this resolves the problem.
    Thanks.
    abri
     
  14. jimy1971

    jimy1971 Private E-2

    Hi abri,

    This problem only started when the toolbar was installed and happens now every time I click a program in that folder; it doesn't happen with any others. After the last time it happened I got the following error message:

    #2296:AOL Software.exe-Corrurt File
    The file or directory\Documents and Settings\jimmytaylor\Local Settings\Application Data\AOL\User Profiles\1175204875\jimmytaylor\metrics\cmls_ms.tlv is corrurt and unreadable.Please run Chkdsk utility.

    I did this and got the option Convert lost chains to files (Y/N)?
    I clicked Y. But I'm still getting the error message.


    Can't figure out why this is happening. Could the HD be overheating, as I haven't cleaned the fans in a while?
     
  15. abri

    abri MajorGeek

    Hi jimy,
    What happens if you uninstall and reinstall any of those programs and locate them in their default location? If you uninstall and reinstall your antivirus, be sure to do it while disconnected from the internet. You can download the installation program and then disconnect from the internet, uninstall the old program and install it again. Tell me if this helps.
    abri
     
