robbern123

wintools, IBIS toolbar, 1TheMeal folder

9 posts in this topic

Hello and thank you for this wonderful resource. This is my first post here.

I'm dealing with a computer that is frustrating me. Upon rebooting, Norton Internet Security is telling me that a file called name_dupe_dog.exe in a folder called 1TheMeal is trying to access the internet. I have blocked its internet access permanently with Norton, but I can't remove the folder. When I try to delete it from the C drive I am denied access.

Ad-aware keeps detecting the IBIS toolbar, but is unable to remove it, along with 8 other items. I'm under the impression that these are related to the WinTools program that is installed on the machine and is not allowing itself to be removed.

I am running all up to date versions of Ad-aware 6.0, and Spybot Search & Destroy 1.3, as well as Spywareblaster, and I just discovered and ran for the first time last night Hijack This.

Any help would be greatly appreciated. May I post my Hijack This log for someone to have a look at?


Go ahead and post your log. Someone will be along to have a look and advise.


Thanks...here's the log:

 

Logfile of HijackThis v1.97.7
Scan saved at 10:47:29 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14c5b452aec495cc1c23/netzip/RdxIE2.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8090.7252199074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14c5b452aec495cc1c23/netzip/RdxIE2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

Reboot, and delete folders

C:\Program Files\Viewpoint
C:\Program Files\Common files\WinTools

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.


I followed the instructions. After reboot, I was able to delete C:\Program Files\Viewpoint. I attempted to delete C:\Program Files\Common files\WinTools, but was denied access. I started up in safe mode and was then able to successfully delete C:\Program Files\Common files\WinTools. I then deleted both those folders from the recycle bin permanently and rebooted.

I ran Ad-aware after checking and installing a new update as well as tweaking the settings as I found in this forum, and it found seven objects, six of which it was able to rid the system of. One .dll file is doing something or another and I'm sure it's up to no good. I'll post my latest HijackThis log.

Thanks very much for your help.

 

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8090.7252199074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
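
Added example (not part of the original thread and not HijackThis's own code): a way to check a follow-up log against the first log and the helper's fix list, rejoining entries that were wrapped when pasted. The function names `parse_entries` and `check_followup` are hypothetical, and the three sample texts are constructed excerpts of entries quoted in this thread.

```python
import re

# HijackThis entry lines start with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

def parse_entries(text):
    """Return normalized entries, rejoining lines that were wrapped on posting."""
    entries, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line):
            if current:
                entries.append(current)
            current = line
        elif current is not None:
            current += " " + line  # continuation of a wrapped entry
    if current:
        entries.append(current)
    # Case and spacing vary between pastes, so compare on a normalized form.
    return {" ".join(e.split()).lower() for e in entries}

def check_followup(before, fix_list, after):
    """Compare a follow-up log with the first log and the helper's fix list."""
    b, f, a = (parse_entries(t) for t in (before, fix_list, after))
    return {
        "fixed": sorted(f - a),          # flagged and gone from the follow-up
        "still_present": sorted(f & a),  # flagged but survived the fix
        "new": sorted(a - b),            # absent from the first log
    }

# Constructed excerpts of entries quoted in this thread, wrapped as posted.
BEFORE = r"""
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -

C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware
6\Ad-aware.exe" +c
"""
print(check_followup(BEFORE, FIX_LIST, AFTER))
```

Any non-log text after the last entry is folded into that entry, so feed it only the log itself.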
