Pc Dilemma!!!!!!!!!!!!

how do i remove a FRESHBAR toolbar? i can't find it in add and remove programs and there is no folder with it in my HD. there is a link on my explorer window to remove toolbar but as always it jumps to a page to download more adware, lol. it is also dropping addys in my favourites, VIAGRA, MAKE MONEY FROM HOME etc etc. not malicious but damn is it annoying. any help would be greatly appreciated. how do i rid the comp of all this shite????????
Re: Pc Dilemma!!!!!!!!!!!!

1, Is adaware, spybot, webroot etc not getting rid of them? Have you got anti-spyware software? If not, install and use it now.
2, Stop using IE - it's pants. Use another browser like Firefox as it rarely gets problems like this.
3, If you're really fucked, search for a prog called HijackThis, download it, run it and create a log file (don't do owt else - just create the log file and don't delete anything), copy and paste the log file on this board and I'll tell you what to do.
here it is m8

Logfile of HijackThis v1.98.2
Scan saved at 19:54:35, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\pxhping.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_05\bin\javaw.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\JASONP~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - URLSearchHook: (no name) - {10808535-A45F-254F-7ECA-7DF7A813E45F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AEE41FD9-A707-4E84-8A0D-F6D3B15353C5} - C:\WINDOWS\System32\jceodba.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) - http://www2.incredimail.com/contents/setup/downloader_sp1_t/incredimail_install.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/361.chm::/file.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_398/webolr/OCX/FlashAX.cab
O16 - DPF: {EF3C5077-2040-400D-91F7-86603AF00F80} (Cbs32Ctl Object) - http://www.fhm.com/skinker/FHMDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{45E26E8A-317D-4618-BFE5-2AEB1133F4FE}: NameServer = 195.92.195.94 195.92.195.95
You've got a bit of an evil bastard there... hardly any info around on removal of freshbar - it's fairly uncommon. You've also been done over by incredimail too. And a couple of other coolwebsearch-type fuckers. And it looks like you may (just may, not def) have a trojan as well. After getting rid of these - switch to firefox. You've been seriously fucked over.

First off - copy and paste all this text to a new text file on your desktop and save it so that you can read it whilst you're doing the following.

Close all browser windows (including windows explorer windows) before running any of the following programs.

Do a virus-scan with AVG, also use housecall (I take it you've used it before).

Click on My Computer, click control panel, click add/remove programs, un-install incredi-mail if you can.

Did you run adaware and spybot? Make sure they're the latest versions, and run both again.

Download, install and run cwshredder.

Then try the following:

Unzip HijackThis fully - you're running it from a temp folder. Create a new folder eg. C:\hijack or similar and unzip the exe file to there. It's necessary so that you have a back-up.

Close all browser windows (including windows explorer windows), run HijackThis again and place checks against the following (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R3 - URLSearchHook: (no name) - {10808535-A45F-254F-7ECA-7DF7A813E45F} - (no file)
O2 - BHO: (no name) - {AEE41FD9-A707-4E84-8A0D-F6D3B15353C5} - C:\WINDOWS\System32\jceodba.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) - http://www2.incredimail.com/content...ail_install.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/361.chm::/file.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/m...OCX/FlashAX.cab
O16 - DPF: {EF3C5077-2040-400D-91F7-86603AF00F80} (Cbs32Ctl Object) - http://www.fhm.com/skinker/FHMDownloader.ocx

Then hit 'fix checked'.

Open up your 'My Documents' folder, click Tools --> Folder Options, click on the view tab, click 'show hidden files and folders', click apply, click ok, close the window.

Next you'll need to restart into safe mode: Click start --> run, type msconfig, hit enter, click the boot.ini tab, check the box next to /safeboot, click ok and restart.

Now, find and delete the following files (if they're still there):

C:\WINDOWS\wanmpsvc.exe
C:\PROGRAM FILES\INCRED(something - not sure of rest of folder name but it's part of incredimail)\bin\IMApp.exe
C:\WINDOWS\System32\pxhping.exe

Also look through the C:\WINDOWS\System32\ folder and delete the following if found:

service.exe
msacmx.dll
d3dxov.dll
winsrv32.dll
ieûnit.exe
ipxroutex.exe
rdshost32.exe
rshe.exe
net2.exe
mqsvch.exe
dllhostxp.exe
extrac16.exe
mqbckup.exe
pxhping.exe
rdpnr.exe
slservc.exe
clfmon.exe
hdr.dll

Click start --> run, type msconfig, hit enter, click the boot.ini tab, un-check the box next to /safeboot, click ok and restart.

If it's all still there, I am stumped. But def switch to firefox. That's kept me busy!! Good luck!
Oops, forgot to add: when you're deleting the files in safe mode, also look for and delete the following (if they're there):

C:\WINDOWS\System32\bar11.dll
C:\WINDOWS\System32\system.css
C:\WINDOWS\system.css
C:\WINDOWS\system\explorer.exe

NOTE: Remove only this explorer file located in the "system"-folder.
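The triage done by eye in the reply above, as an added example that is not part of the original thread: a small Python parser that splits HijackThis entries by section code and flags the patterns ticked in that reply (files missing on disk, unnamed components, ActiveX installs with no web source). The sample entries are copied from the log posted above; the function names and the heuristics are assumptions, and a flag means "inspect by hand", not "delete".

```python
import re

# Sample: entries copied from the log posted in this thread, one per line.
SAMPLE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {10808535-A45F-254F-7ECA-7DF7A813E45F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
"""

# An entry is "<section code> - <detail>"; process paths and headers do not match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O16 detail: "DPF: {CLSID} (optional name) - download source"
DPF = re.compile(r"^DPF: (\{[^}]+\})(?: \(([^)]*)\))? -\s*(.*)$")

def parse(log_text):
    """Yield (section_code, detail) per entry; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(code, detail):
    """Return reasons to inspect an entry by hand. Heuristics, not verdicts."""
    reasons = []
    if "(file missing)" in detail or "(no file)" in detail:
        reasons.append("points at a file that is not on disk")
    if "(no name)" in detail:
        reasons.append("registered without a name")
    if code == "O16":
        m = DPF.match(detail)
        source = m.group(3).strip() if m else ""
        if not source:
            reasons.append("no download source recorded")
        elif not source.lower().startswith(("http://", "https://")):
            reasons.append("installed from a non-web source")
    return reasons

def review(log_text):
    """Map each flagged (code, detail) entry to its list of reasons."""
    return {e: r for e in parse(log_text) if (r := triage(*e))}

if __name__ == "__main__":
    for (code, detail), reasons in review(SAMPLE).items():
        print(f"{code}: {detail}\n    -> {'; '.join(reasons)}")
```

Entries that come back unflagged are not thereby clean: a hijacker with a present, plausibly named DLL passes these checks, which is why the reply also identifies entries by name.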
you're an absolute fucking diamond mate!!! we gonna try all that tomorrow, too fucked now heehee. greatly appreciated, thanx a bundle. here's a link to a canny site if u interested: denise richards
No worries. I'm sober, bored and freezing cold, so was needing summinck to keep me occupied. That site will keep me busy for the next ten minutes or so...
i got fucked by the incredimail one at work... could i fuck get rid of it.... flatten and re-image sorted. been more careful since - but there's always a chance of anyone getting one...
fuck!! don't click on that thing i just pulled, it's another dodgy thing that stops in your hard drive. the denise richards thing's okay tho
What thing you just pulled? Didn't see any other links btw - anyone reading this: do not click on any of the links in the above posted HijackThis logs, or you may do something you don't wanna.
it was a lesbian wall to wall thing, it's canny to look at, but it might drop a couple of adware thingies
and u wonder why ur pc is riddled!!! :laugh: what's spyware btw? and viruses? and trojans?? this little fella wants to know... :laugh:
As Sleepy sez... stay away from stuff like that - there's plenty of porn .avi's to be found on bittorrent etc @ Sleepy -