Member Panel

TheDwardler

I'm looking for what is causing this toolbar to show up in IE, with a red x that says "remove toolbar", a search option, and a few drop down menus.

joe5

Hya Dwardler , welcome to PCHF.

Before fixing things with HijackThis Please Do the Following:

Show hidden files and folders:

For XP:

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under Hidden files and folders, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when youre PC is clean).

How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Please download CCleaner

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Then boot in safemode (hit f8 when booting up) and fix these with hjt:
(if still present)

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\opssw.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\opssw.dll
O4 - HKLM\..\Run: [Testimonials] ATLIEHELPER.exe
O4 - HKLM\..\Run: [MONITER] clamav.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C8A39DA-4875-48E3-A846-5F1CA3EE7E99}: NameServer = 85.255.113.147,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA4426F-1528-4007-BFA4-5A89C07B1AFD}: NameServer = 85.255.113.147,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F26BE47-E50C-40B1-9807-B36B8433F21B}: NameServer = 85.255.113.147,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A914708-184F-48E6-81AE-17B6425EA1B8}: NameServer = 85.255.113.147,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4C1B459-0043-420B-B191-B320E3B13266}: NameServer = 85.255.113.147,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC560ED3-43FC-4909-B64F-F0F39AF5EE83}: NameServer = 85.255.113.147,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C8A39DA-4875-48E3-A846-5F1CA3EE7E99}: NameServer = 85.255.113.147,85.255.112.23

Delete the file in bold , and run Ccleaner.

Finally, reboot and please post the contents of the logfile C:\fixwareout\report.txt and a new hjt log.

Also i see that you have the windows messenger service enebled , it is recommended to disable that:

Please download Shoot The Messenger

Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state ? running or disabled ? that you desire.

If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.

And there is also a legit toolbar from comcast , if you dont want that one either then uninstall the Comcast Toolbar/support software in add/remove programs.