Security Toolbar 7.1

barrowhill

Neighbour can't remove this toolbar. Are there any freeware utilities he can
use to get rid of it?
 
Malke

barrowhill wrote:
> Neighbour can't remove this toolbar. Are there any freeware utilities he can
> use to get rid of it?



Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

All tools suggested are free.

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
barrowhill

Malke,

What can I say....a very comprehensive reply with a lot of extremely useful
information now bookmarked for future reference.

Managed to resolve using only Ad-Aware and Spybot S&D run in both safe and
normal mode. Hopefully it won't re-appear.

Thanks for your info and assistance

"Malke" wrote:

> barrowhill wrote:
> > Neighbour can't remove this toolbar. Are there any freeware utilities he can
> > use to get rid of it?

>
>
> Go through these general malware removal steps systematically -
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> All tools suggested are free.
>
> Include scanning with David Lipman's Multi_AV and follow instructions to
> do all scans in Safe Mode. Please see the special Notes regarding using
> Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
> - download site
>
> The site is in German but David's tool is in English so don't let that
> worry you. Scroll all the way down to almost the bottom of the page and
> you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
> You'll see "Download von www pctipp.ch" and the live link to download
> Multi_AV.
>
> You can also check to see if there are targeted removal steps for your
> malware here:
> Bleeping Computer removal how-to's -
> http://www.bleepingcomputer.com/forums/forum55.html
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Not all tools used will work in Vista and you will need to run them
> elevated. Since Vista is so new, it will be a while before removal
> techniques and tools are developed. If you are unable to remove the
> infection by following the general steps, register at one of the
> HijackThis forums as suggested.
>
> Standard caveat: If the procedures look too complex - and there is no
> shame in admitting this isn't your cup of tea - take the machine to a
> professional computer repair shop (not your local version of
> BigComputerStore/GeekSquad). Please be aware that not all local shops
> are skilled at removing malware and even if they are, your computer may
> be so infested that Windows will need to be clean-installed. Have all
> your data backed up before you take the machine into a shop.
>
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>
 
barrowhill

Malke,

I spoke too soon.........

Neighbour's daughter, having finished with MSN Messenger, ran Ad-Aware. During
the process "scumware" messages began appearing again. Security Toolbar 7.1
back! - I've disabled it in IE7 via Tools\Manage Add-ons. Be nice to remove it.

Messages that appear regularly and cyclically are:

System Alert: Malware Threats
Security Alert: Networm-iVirus@fp
System Performance Monitoring: Warning
Security Alert: Spyware found - PSW.x-Vir
SystemAlert: Trojan-Spy.W32@mx
Security Warning: New Variant of SpyBot@mxt

I also get 2 desktop icons appearing (I delete them but they keep coming back):

Live Safety Centre
On-Line Security Guide

Running SpyBot (regularly) brings up....

Win32.BHO.df
Virtumonde
Virtumonde.generic

Tried removing both in safe mode (OK) and normal mode (OK) but these reappear.
Interesting to note, I see a number of blank "cmd" windows opening and
closing on desktop before it settles down.

Things appeared OK until whatever is deep rooted is triggered.

I've run Vundofix.exe which picked up 4 questionable .dlls. Yet to run
VirtumundoBeGone.exe. Neighbour will bring the PC round for me to work on.

If you have any further advice I'll be grateful to receive it

**************

"Malke" wrote:

> barrowhill wrote:
> > Neighbour can't remove this toolbar. Are there any freeware utilities he can
> > use to get rid of it?

>
>
> Go through these general malware removal steps systematically -
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> All tools suggested are free.
>
> Include scanning with David Lipman's Multi_AV and follow instructions to
> do all scans in Safe Mode. Please see the special Notes regarding using
> Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
> - download site
>
> The site is in German but David's tool is in English so don't let that
> worry you. Scroll all the way down to almost the bottom of the page and
> you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
> You'll see "Download von www pctipp.ch" and the live link to download
> Multi_AV.
>
> You can also check to see if there are targeted removal steps for your
> malware here:
> Bleeping Computer removal how-to's -
> http://www.bleepingcomputer.com/forums/forum55.html
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Not all tools used will work in Vista and you will need to run them
> elevated. Since Vista is so new, it will be a while before removal
> techniques and tools are developed. If you are unable to remove the
> infection by following the general steps, register at one of the
> HijackThis forums as suggested.
>
> Standard caveat: If the procedures look too complex - and there is no
> shame in admitting this isn't your cup of tea - take the machine to a
> professional computer repair shop (not your local version of
> BigComputerStore/GeekSquad). Please be aware that not all local shops
> are skilled at removing malware and even if they are, your computer may
> be so infested that Windows will need to be clean-installed. Have all
> your data backed up before you take the machine into a shop.
>
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>
 
Malke

barrowhill wrote:
> Malke,
>
> I spoke too soon.........
>
> Neighbour's daughter, having finished with MSN Messenger, ran Ad-Aware. During
> the process "scumware" messages began appearing again. Security Toolbar 7.1
> back! - I've disabled it in IE7 via Tools\Manage Add-ons. Be nice to remove it.
>
> Messages that appear regularly and cyclically are:
>
> System Alert: Malware Threats
> Security Alert: Networm-iVirus@fp
> System Performance Monitoring: Warning
> Security Alert: Spyware found - PSW.x-Vir
> SystemAlert: Trojan-Spy.W32@mx
> Security Warning: New Variant of SpyBot@mxt
>
> I also get 2 desktop icons appearing (I delete them but they keep coming back):
>
> Live Safety Centre
> On-Line Security Guide
>
> Running SpyBot (regularly) brings up....
>
> Win32.BHO.df
> Virtumonde
> Virtumonde.generic


(snippage)

You're going to need to post a HijackThis log at one of the specialty
forums listed below (not here, please). You have a combination of some
very nasty malware which is extremely difficult, if not impossible, to
remove. As a precaution, make sure all data is backed up now in case you
need to do a clean install (a distinct possibility). If you wind up
doing a clean install, make sure you scan the data with a current
version antivirus using updated definitions before you copy it back onto
your clean machine.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
barrowhill

Malke,

Thanks again.

Just returned from neighbour's. Ran VundoFix, VirtumundoBeGone and
SmitFraudFix on all PC accounts (PC has 2 accounts). Checked IE toolbars and
Security Toolbar 7.1 not shown either as running or as an option - looks like
removed (?). Looked at the VirtumundoBeGone text file (nothing found) but noted
DLLs - PopKill Class, ibxqjell, ZKBHO Class and gebyx also appear enabled in
Tools\Manage Add-ons. I disabled these.

Text file contents reports as.......
.......
.......
BHO 2: {51fcb9c1-7b08-40b5-82f5-a8a5f54e4f7d} ()
WARNING: BHO has no default name. Checking for Winlogon reference.
Checking for HKLM\...\Winlogon\Notify\ibxqjell
Key not found: HKLM\...\Winlogon\Notify\ibxqjell, continuing.........or
similar
........
........

Left with him running Ad-aware (then SpyBot) and to bring PC round (within
the hour) if "scumware" messages re-appear. An hour and 15 has gone and
doorbell not rung.....Am I going to be lucky????!!!



"Malke" wrote:

> barrowhill wrote:
> > Malke,
> >
> > I spoke too soon.........
> >
> > Neighbour's daughter, having finished with MSN Messenger, ran Ad-Aware. During
> > the process "scumware" messages began appearing again. Security Toolbar 7.1
> > back! - I've disabled it in IE7 via Tools\Manage Add-ons. Be nice to remove it.
> >
> > Messages that appear regularly and cyclically are:
> >
> > System Alert: Malware Threats
> > Security Alert: Networm-iVirus@fp
> > System Performance Monitoring: Warning
> > Security Alert: Spyware found - PSW.x-Vir
> > SystemAlert: Trojan-Spy.W32@mx
> > Security Warning: New Variant of SpyBot@mxt
> >
> > I also get 2 desktop icons appearing (I delete them but they keep coming back):
> >
> > Live Safety Centre
> > On-Line Security Guide
> >
> > Running SpyBot (regularly) brings up....
> >
> > Win32.BHO.df
> > Virtumonde
> > Virtumonde.generic

>
> (snippage)
>
> You're going to need to post a HijackThis log at one of the specialty
> forums listed below (not here, please). You have a combination of some
> very nasty malware which is extremely difficult, if not impossible, to
> remove. As a precaution, make sure all data is backed up now in case you
> need to do a clean install (a distinct possibility). If you wind up
> doing a clean install, make sure you scan the data with a current
> version antivirus using updated definitions before you copy it back onto
> your clean machine.
>
> http://aumha.org/downloads/hijackthis.zip
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
> another tutorial
> http://aumha.net/ - Click on the HijackThis forum. Read the announcement
> and the stickies *first*.
> http://www.atribune.org/forums/index.php?showforum=9
> http://aumha.net/viewforum.php?f=30
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
>
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>
 
Malke

barrowhill wrote:
> Malke,
>
> Thanks again.
>
> Just returned from neighbour's. Ran VundoFix, VirtumundoBeGone and
> SmitFraudFix on all PC accounts (PC has 2 accounts). Checked IE toolbars and
> Security Toolbar 7.1 not shown either as running or as an option - looks like
> removed (?). Looked at the VirtumundoBeGone text file (nothing found) but noted
> DLLs - PopKill Class, ibxqjell, ZKBHO Class and gebyx also appear enabled in
> Tools\Manage Add-ons. I disabled these.
>
> Text file contents reports as.......
> ......
> ......
> BHO 2: {51fcb9c1-7b08-40b5-82f5-a8a5f54e4f7d} ()
> WARNING: BHO has no default name. Checking for Winlogon reference.
> Checking for HKLM\...\Winlogon\Notify\ibxqjell
> Key not found: HKLM\...\Winlogon\Notify\ibxqjell, continuing.........or
> similar
> .......
> .......
>
> Left with him running Ad-aware (then SpyBot) and to bring PC round (within
> the hour) if "scumware" messages re-appear. An hour and 15 has gone and
> doorbell not rung.....Am I going to be lucky????!!!


I have no idea if you will be lucky. Based on what we're seeing in the
various forums and discussing in mailing lists - probably not. I think
it's going to respawn. I'll be happy for you if all is well of course,
but I am doubtful.

Good luck,


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
cbgerry

On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
wrote:
> Neighbour can't remove this toolbar. Are there any freeware utilities he can
> use to get rid of it?


CastleCops - CLSID / BHO List / Toolbar Master List
http://castlecops.com/bhonew.html
(Identify Malware Toolbars) This is the Master BHO and Toolbar list
copyrighted by Tony Klein and CastleCops.

Good place (bookmark the above) to help identify these by name, or even by
a registry item like {123-456-78-9-000}, as a kind of 'reverse look-up'.
Sometimes you find a name or file or registry item for these. BHO stands
for Browser Helper Object and the ActiveX item is located in the Windows
Registry.

HOWEVER in this case it is not a simple malware toolbar that was
installed but a full blown toolbar malware installation.... You may
want to check the following information for a full clean
uninstall....

How? For files you can use Start > Search and type in at Files search
and click C Local Disk (painstakingly long one by one)

Or Visual check > open Windows Explorer... Right Click > Start >
Explore > My Computer > C Local Disk .... and visually look in the
location areas (much faster)...

Also to get to Windows Registry .... Start > Run > type in regedit >
Ok... and of course do not delete anything unless you are comfortable
with CA makers of Pest Patrol and that you have indeed located and
identified the items below that are safe for deletion as an unwanted
installation and read this to become familiar with this procedure:
http://www.bluecollarpc.net/registry.html ... that webpage should help
a great deal to understand this as a "Manual Removal" that is also the
same procedure for uninstalling valid software 'by hand'.

FULL INFO http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555

Security Toolbar 7.1 - CASecurity Toolbar 7.1. Date Published:
Thursday, October 25, 2007. Threat Assessment. Overall Risk: Low.
Privacy: Low. Productivity: Low. System Integrity: ...
http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555

Date Published:
Thursday, October 25, 2007
Category: Toolbar

Also known as: Win32/Boarim.AK [CA AV], AdWare.Win32.Agent.nt
[Kaspersky], Downloader.MisleadApp [Symantec], Puper [McAfee],
TrojanDownloader:Win32/Zlob.gen!Z [MS OneCare], Troj/Zlobie-Gen
[Sophos]

See Also
Security Toolbar · Boarim ·

Category
Downloader: A program that downloads and may execute or install
software without user permission.

Toolbar: A group of buttons which perform common tasks. A toolbar for
Internet Explorer is normally located below the menu bar at the top of
the form. Toolbars may be created by Browser Helper Objects.

Trojan: Any program with a hidden intent. Trojans are one of the
leading causes of breaking into machines. If you pull down a program
from a chat room, new group, or even from unsolicited e-mail, then the
program is likely trojaned with some subversive purpose. The word
Trojan can be used as a verb: To trojan a program is to add subversive
functionality to an existing program. For example, a trojaned login
program might be programmed to accept a certain password for any
user's account that the hacker can use to log back into the system at
any time. Rootkits often contain a suite of such trojaned programs.

Detections:
true

Executable Files:
true

DLL Files:
ictmdl.dll

Registry Items:
HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}
HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\implemented categories
HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\implemented categories\{00021493-0000-0000-c000-000000000046}
HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\inprocserver32
HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\inprocserver32 threadingmodel
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser {23ed2206-856d-461a-bbcf-1c2466ac5ae3}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar {23ed2206-856d-461a-bbcf-1c2466ac5ae3}

Files:
ictmdl.dll
ictmdl.dll

Copyright (c) 2007 CA

FULL INFO http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
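The following PowerShell script is an added example, not part of this thread and not one of the tools it names. It does, read-only, what cbgerry's 'reverse look-up' and the VirtumundoBeGone log above are doing by hand: it walks the Browser Helper Objects key, the two Internet Explorer Toolbar keys listed in the CA entry, and the Winlogon\Notify key the log was checking, and resolves each CLSID to the DLL registered as its InprocServer32, so that an entry like "BHO 2: {51fcb9c1-...} ()" with no name can be tied to a file on disk. It assumes PowerShell 2.0 or later on an elevated prompt and 32-bit Windows (XP/Vista) as in the thread; the registry paths are the real ones, while the function names are the example's own.

```powershell
# Added example: read-only triage of the IE and Winlogon load points named in
# this thread. Not from the thread and not one of the tools it mentions.
# Requires PowerShell 2.0 or later, run from an elevated prompt.
# Assumption: 32-bit Windows (XP/Vista) as in the thread. On 64-bit Windows
# the Wow6432Node copies of these keys must be walked as well.

function Resolve-Clsid {
    # Map a CLSID to the DLL registered as its InprocServer32 (the "reverse
    # look-up" cbgerry describes) and record what the posts above saw:
    # a BHO with no default name and a DLL that is missing or unsigned.
    param([string]$Clsid, [string]$Source)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = $null; $dll = $null; $exists = $false; $sig = $null
    if (Test-Path $key) {
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            $dll    = [Environment]::ExpandEnvironmentVariables($dll)
            $exists = Test-Path -LiteralPath $dll
            if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
        }
    }
    if (-not $name) { $name = '<no default name>' }   # the warning VirtumundoBeGone printed
    New-Object PSObject -Property @{
        Source  = $Source
        Clsid   = $Clsid
        Name    = $name
        Dll     = $dll
        Exists  = [bool]$exists
        Signed  = $sig
        Suspect = ($name -eq '<no default name>') -or (-not $exists)
    }
}

function Get-IeLoadPoints {
    $results = @()

    # 1. Browser Helper Objects: each subkey name is a CLSID. This is the key
    #    the "BHO 2: {51fcb9c1-...} ()" log line above was enumerating.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in @(Get-ChildItem $bhoKey -ErrorAction SilentlyContinue)) {
        $results += Resolve-Clsid $k.PSChildName 'BHO'
    }

    # 2. Toolbars: the machine-wide key and the per-user WebBrowser key, the
    #    two locations the CA entry lists. Here the CLSID is a value name,
    #    not a subkey. HKCU covers the logged-on user only, so with two
    #    accounts on the PC run this once under each.
    $guid   = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $tbKeys = @{
        'Toolbar (HKLM)'            = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
        'Toolbar\WebBrowser (HKCU)' = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    }
    foreach ($src in $tbKeys.Keys) {
        $item = Get-Item $tbKeys[$src] -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($v in $item.GetValueNames()) {
            if ($v -match $guid) { $results += Resolve-Clsid $v $src }
        }
    }

    # 3. Winlogon\Notify (XP/2003; Vista no longer loads notification packages,
    #    so the key is usually empty or absent there): each subkey's DllName is
    #    loaded into winlogon.exe at logon, which is why VirtumundoBeGone's log
    #    checked it. Legitimate entries exist, so compare against a clean
    #    machine; a DllName that is missing on disk, or that matches the random
    #    name of an unnamed BHO above (ibxqjell in the thread), is the finding.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($k in @(Get-ChildItem $notifyKey -ErrorAction SilentlyContinue)) {
        $dll = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).DllName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"   # bare names resolve from System32
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = $null
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
        $results += New-Object PSObject -Property @{
            Source  = 'Winlogon\Notify'
            Clsid   = ''
            Name    = $k.PSChildName
            Dll     = $dll
            Exists  = $exists
            Signed  = $sig
            Suspect = -not $exists
        }
    }
    $results
}

Get-IeLoadPoints | Sort-Object Suspect -Descending |
    Format-Table Source, Name, Clsid, Dll, Exists, Signed, Suspect -AutoSize
```

The Signed column reflects an embedded Authenticode signature only; on XP and Vista most Microsoft DLLs are catalog-signed and will show NotSigned here, so treat that column as a hint and act on Suspect (no default name, or a registered DLL that is not on disk). The script changes nothing. Removal is still the job of the tools and HijackThis forums the thread points to, since, as the posts show, deleting these files by hand just has them come back.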
 
PA Bear

Post your HijackThis log to one of the forums, please. This is a really
nasty one and chances are that the machine's still infected.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/

barrowhill wrote:
> Malke,
>
> Thanks again.
>
> Just returned from neighbour's. Ran VundoFix, VirtumundoBeGone and
> SmitFraudFix on all PC accounts (PC has 2 accounts). Checked IE toolbars
> and Security Toolbar 7.1 not shown either as running or as an option -
> looks like removed (?). Looked at the VirtumundoBeGone text file (nothing
> found) but noted DLLs - PopKill Class, ibxqjell, ZKBHO Class and gebyx
> also appear enabled in Tools\Manage Add-ons. I disabled these.
>
> Text file contents reports as.......
> ......
> ......
> BHO 2: {51fcb9c1-7b08-40b5-82f5-a8a5f54e4f7d} ()
> WARNING: BHO has no default name. Checking for Winlogon reference.
> Checking for HKLM\...\Winlogon\Notify\ibxqjell
> Key not found: HKLM\...\Winlogon\Notify\ibxqjell, continuing.........or
> similar
> .......
> .......
>
> Left with him running Ad-aware (then SpyBot) and to bring PC round (within
> the hour) if "scumware" messages re-appear. An hour and 15 has gone and
> doorbell not rung.....Am I going to be lucky????!!!
>
>
>
> "Malke" wrote:
>
>> barrowhill wrote:
>>> Malke,
>>>
>>> I spoke too soon.........
>>>
>>> Neighbour's daughter, having finished with MSN Messenger, ran Ad-Aware.
>>> During the process "scumware" messages began appearing again. Security
>>> Toolbar 7.1 back! - I've disabled it in IE7 via Tools\Manage Add-ons. Be
>>> nice to remove it.
>>>
>>> Messages that appear regularly and cyclically are:
>>>
>>> System Alert: Malware Threats
>>> Security Alert: Networm-iVirus@fp
>>> System Performance Monitoring: Warning
>>> Security Alert: Spyware found - PSW.x-Vir
>>> SystemAlert: Trojan-Spy.W32@mx
>>> Security Warning: New Variant of SpyBot@mxt
>>>
>>> I also get 2 desktop icons appearing (I delete them but they keep coming back):
>>>
>>> Live Safety Centre
>>> On-Line Security Guide
>>>
>>> Running SpyBot (regularly) brings up....
>>>
>>> Win32.BHO.df
>>> Virtumonde
>>> Virtumonde.generic

>>
>> (snippage)
>>
>> You're going to need to post a HijackThis log at one of the specialty
>> forums listed below (not here, please). You have a combination of some
>> very nasty malware which is extremely difficult, if not impossible, to
>> remove. As a precaution, make sure all data is backed up now in case you
>> need to do a clean install (a distinct possibility). If you wind up
>> doing a clean install, make sure you scan the data with a current
>> version antivirus using updated definitions before you copy it back onto
>> your clean machine.
>>
>> http://aumha.org/downloads/hijackthis.zip
>> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
>> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
>> another tutorial
>> http://aumha.net/ - Click on the HijackThis forum. Read the announcement
>> and the stickies *first*.
>> http://www.atribune.org/forums/index.php?showforum=9
>> http://aumha.net/viewforum.php?f=30
>> http://www.bleepingcomputer.com/forums/forum22.html
>> http://castlecops.com/forum67.html
>> http://www.dslreports.com/forum/cleanup
>> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
>> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
>>
>>
>> Malke
>> --
>> Elephant Boy Computers
>> www.elephantboycomputers.com
>> "Don't Panic!"
>> MS-MVP Windows - Shell/User
 
barrowhill

Malke,

You may well be right. I've not yet had a knock at the door but that's not
to say I won't get one. I've had helpful replies which I'm reading through
and which no doubt will be helpful when, as you say, it respawns. Thanks for
your input on this.

"Malke" wrote:

> barrowhill wrote:
> > Malke,
> >
> > Thanks again.
> >
> > Just returned from neighbour's. Ran VundoFix, VirtumundoBeGone and
> > SmitFraudFix on all PC accounts (PC has 2 accounts). Checked IE toolbars and
> > Security Toolbar 7.1 not shown either as running or as an option - looks like
> > removed (?). Looked at the VirtumundoBeGone text file (nothing found) but noted
> > DLLs - PopKill Class, ibxqjell, ZKBHO Class and gebyx also appear enabled in
> > Tools\Manage Add-ons. I disabled these.
> >
> > Text file contents reports as.......
> > ......
> > ......
> > BHO 2: {51fcb9c1-7b08-40b5-82f5-a8a5f54e4f7d} ()
> > WARNING: BHO has no default name. Checking for Winlogon reference.
> > Checking for HKLM\...\Winlogon\Notify\ibxqjell
> > Key not found: HKLM\...\Winlogon\Notify\ibxqjell, continuing.........or
> > similar
> > .......
> > .......
> >
> > Left with him running Ad-aware (then SpyBot) and to bring PC round (within
> > the hour) if "scumware" messages re-appear. An hour and 15 has gone and
> > doorbell not rung.....Am I going to be lucky????!!!

>
> I have no idea if you will be lucky. Based on what we're seeing in the
> various forums and discussing in mailing lists - probably not. I think
> it's going to respawn. I'll be happy for you if all is well of course,
> but I am doubtful.
>
> Good luck,
>
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>
 
barrowhill

cbgerry,

Many thanks for your reply and the information provided. I'm waiting for a knock
on the door from my neighbour saying the problem has returned. Your info will be
most helpful if it has.

"cbgerry" wrote:

> On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
> wrote:
> > Neighbour can't remove this toolbar. Are there any freeware utilities he can
> > use to get rid of it?

>
> CastleCops - CLSID / BHO List / Toolbar Master List
> http://castlecops.com/bhonew.html
> (Identify Malware Toolbars) This is the Master BHO and Toolbar list
> copyrighted by Tony Klein and CastleCops.
>
> Good place (bookmark the above) to help identify these by name, or even by
> a registry item like {123-456-78-9-000}, as a kind of 'reverse look-up'.
> Sometimes you find a name or file or registry item for these. BHO stands
> for Browser Helper Object and the ActiveX item is located in the Windows
> Registry.
>
> HOWEVER in this case it is not a simple malware toolbar that was
> installed but a full blown toolbar malware installation.... You may
> want to check the following information for a full clean
> uninstall....
>
> How? For files you can use Start > Search and type in at Files search
> and click C Local Disk (painstakingly long one by one)
>
> Or Visual check > open Windows Explorer... Right Click > Start >
> Explore > My Computer > C Local Disk .... and visually look in the
> location areas (much faster)...
>
> Also to get to Windows Registry .... Start > Run > type in regedit >
> Ok... and of course do not delete anything unless you are comfortable
> with CA makers of Pest Patrol and that you have indeed located and
> identified the items below that are safe for deletion as an unwanted
> installation and read this to become familiar with this procedure:
> http://www.bluecollarpc.net/registry.html ... that webpage should help
> a great deal to understand this as a "Manual Removal" that is also the
> same procedure for uninstalling valid software 'by hand'.
>
> FULL INFO http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
>
> Security Toolbar 7.1 - CASecurity Toolbar 7.1. Date Published:
> Thursday, October 25, 2007. Threat Assessment. Overall Risk: Low.
> Privacy: Low. Productivity: Low. System Integrity: ...
> http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
>
> Date Published:
> Thursday, October 25, 2007
> Category: Toolbar
>
> Also known as: Win32/Boarim.AK [CA AV], AdWare.Win32.Agent.nt
> [Kaspersky], Downloader.MisleadApp [Symantec], Puper [McAfee],
> TrojanDownloader:Win32/Zlob.gen!Z [MS OneCare], Troj/Zlobie-Gen
> [Sophos]
>
> See Also
> Security Toolbar · Boarim ·
>
> Category
> Downloader: A program that downloads and may execute or install
> software without user permission.
>
> Toolbar: A group of buttons which perform common tasks. A toolbar for
> Internet Explorer is normally located below the menu bar at the top of
> the form. Toolbars may be created by Browser Helper Objects.
>
> Trojan: Any program with a hidden intent. Trojans are one of the
> leading causes of breaking into machines. If you pull down a program
> from a chat room, new group, or even from unsolicited e-mail, then the
> program is likely trojaned with some subversive purpose. The word
> Trojan can be used as a verb: To trojan a program is to add subversive
> functionality to an existing program. For example, a trojaned login
> program might be programmed to accept a certain password for any
> user's account that the hacker can use to log back into the system at
> any time. Rootkits often contain a suite of such trojaned programs.
>
> Detections:
> true
>
> Executable Files:
> true
>
> DLL Files:
> ictmdl.dll
>
> Registry Items:
> HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}
> HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\implemented categories
> HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\implemented categories\{00021493-0000-0000-c000-000000000046}
> HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\inprocserver32
> HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}\inprocserver32 threadingmodel
> HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser {23ed2206-856d-461a-bbcf-1c2466ac5ae3}
> HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar {23ed2206-856d-461a-bbcf-1c2466ac5ae3}
>
> Files:
> ictmdl.dll
> ictmdl.dll
>
> Copyright (c) 2007 CA
>
> FULL INFO http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
>
 
John

Barrowhill,

You are so lucky to get rid of them for your neighbour. I have exactly the
messages shown on my XP SP2 laptop. I tried using Norton, Microsoft
Defender, Ad-Aware, Spybot and SmitFraudFix without any luck.

Can anyone please help me to remove them? Which program helps you to remove
them?

Thanks.

"barrowhill" wrote:

> cgberry,
>
> Many thanks for your reply and information provided. I'm waiting for knock
> on door from neighbour saying problem has returned. Your info will be most
> helpful if it has.
>
> "cbgerry" wrote:
>
> > On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
> > wrote:
> > > Neighbour can't remove this toolbar. Are there any freeware utilities he can
> > > use to get rid of it?

> >
> > CastleCops - CLSID / BHO List / Toolbar Master List
> > http://castlecops.com/bhonew.html
> > (Identify Malware Toolbars) This is the Master BHO and Toolbar list
> > copyrighted by Tony Klein and CastleCops.
> >
> > Good place (bookmark the above) to help identify these by name, or even by
> > a registry item like {123-456-78-9-000}, as a kind of 'reverse look-up'.
> > Sometimes you find a name or file or registry item for these. BHO stands
> > for Browser Helper Object and the ActiveX item is located in the Windows
> > Registry.
> >
> > HOWEVER in this case it is not a simple malware toolbar that was
> > installed but a full blown toolbar malware installation.... You may
> > want to check the following information for a full clean
> > uninstall....
> >
> > How? For files you can use Start > Search and type in at Files search
> > and click C Local Disk (painstakingly long one by one)
> >
> > Or Visual check > open Windows Explorer... Right Click > Start >
> > Explore > My Computer > C Local Disk .... and visually look in the
> > location areas (much faster)...
> >
> > Also to get to Windows Registry .... Start > Run > type in regedit >
> > Ok... and of course do not delete anything unless you are comfortable
> > with CA makers of Pest Patrol and that you have indeed located and
> > identified the items below that are safe for deletion as an unwanted
> > installation and read this to become familiar with this procedure:
> > http://www.bluecollarpc.net/registry.html ... that webpage should help
> > a great deal to understand this as a "Manual Removal" that is also the
> > same procedure for uninstalling valid software 'by hand'.
> >
> > FULL INFO http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
> >
> > Security Toolbar 7.1 - CASecurity Toolbar 7.1. Date Published:
> > Thursday, October 25, 2007. Threat Assessment. Overall Risk: Low.
> > Privacy: Low. Productivity: Low. System Integrity: ...
> > http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
> >
> > Date Published:
> > Thursday, October 25, 2007
> > Category: Toolbar
> >
> > Also known as: Win32/Boarim.AK [CA AV], AdWare.Win32.Agent.nt
> > [Kaspersky], Downloader.MisleadApp [Symantec], Puper [McAfee],
> > TrojanDownloader:Win32/Zlob.gen!Z [MS OneCare], Troj/Zlobie-Gen
> > [Sophos]
> >
> > See Also
> > Security Toolbar · Boarim ·
> >
> > Category
> > Downloader: A program that downloads and may execute or install
> > software without user permission.
> >
> > Toolbar: A group of buttons which perform common tasks. A toolbar for
> > Internet Explorer is normally located below the menu bar at the top of
> > the form. Toolbars may be created by Browser Helper Objects.
> >
> > Trojan: Any program with a hidden intent. Trojans are one of the
> > leading causes of breaking into machines. If you pull down a program
> > from a chat room, new group, or even from unsolicited e-mail, then the
> > program is likely trojaned with some subversive purpose. The word
> > Trojan can be used as a verb: To trojan a program is to add subversive
> > functionality to an existing program. For example, a trojaned login
> > program might be programmed to accept a certain password for any
> > user's account that the hacker can use to log back into the system at
> > any time. Rootkits often contain a suite of such trojaned programs.
> >
> > Detections:
> > true
> >
> > Executable Files:
> > true
> >
> > DLL Files:
> > ictmdl.dll
> >
> > Registry Items:
> > HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}
> > HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-
> > bbcf-1c2466ac5ae3}\implemented categories
> > HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-
> > bbcf-1c2466ac5ae3}\implemented categories\{00021493-0000-0000-
> > c000-000000000046}
> > HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-
> > bbcf-1c2466ac5ae3}\inprocserver32
> > HKEY_CLASSES_ROOT\clsid\{23ed2206-856d-461a-
> > bbcf-1c2466ac5ae3}\inprocserver32 threadingmodel
> > HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar
> > \webbrowser {23ed2206-856d-461a-bbcf-1c2466ac5ae3}
> > HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar
> > {23ed2206-856d-461a-bbcf-1c2466ac5ae3}
> >
> > Files:
> > ictmdl.dll
> > ictmdl.dll
> >
> > Copyright (c) 2007 CA
> >
> > FULL INFO http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119555
> >
 

Malke

John wrote:
> Barrowhill,
>
> You are so lucky to get rid of them for your neighbour. I have exactly the
> messages shown on my XP SP2 laptop. I tried using Norton, Microsoft
> Defender, adware, Spybot and SmitfraudFix without any luck.
>
> Can anyone please help me to remove them? Which program helps you to remove
> them?


If you have Security Toolbar, you should follow the advice given to the
original poster: go to one of the specialty forums listed below,
register, read the posting FAQ, and post a HijackThis log there (not
here). You are not going to be able to remove this by yourself.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 

cbgerry

On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
wrote:
> Neighbour can't remove this toolbar. Are there any freeware utilities he can
> use to get rid of it?


If you have run some of the free home versions of antispyware, the
installation was presented as malware, and you clicked either Quarantine
or Delete, it should be gone, period. It would be doubtful they
missed those items enabling the installation to re-install itself
after restarting the computer - very, very, very doubtful, as this
would be a major malware feature of this exact installation. The
programs mentioned would be SUPERAntiSpyware, Google Pack Spyware
Doctor, Lavasoft Ad-Aware, Microsoft Windows Defender, and so on.

Generally it is a registry item that is causing a re-installation of
the badware. This generally only occurs if someone found a folder in
C:\Program Files and deleted that - or more commonly went to Start >
Control Panel > Add/Remove Programs and clicked Uninstall. These
procedures may indeed leave part of it behind, enabling it to
re-install itself.

The other possibility is that it was installed by a rootkit in the
first place - and rootkits are generally undetectable by anything
except a rootkit scanner. A rootkit is able to install many pieces of
malware - like several trojans and several spyware installations and
more. This is why they are dreaded. You may want to re-group and begin
with doing rootkit scans. It should be first in a problematic uninstall
many times. This will protect your security software from firewall
disabling, antivirus disabling, and antispyware disabling. If the
rootkit scans reveal nothing then you go ahead with the full scans of
antispyware and antivirus. A rootkit may install the malware that
disables security software such as a "Security Software Disabler
Trojan" - definition link:
http://www.webopedia.com/TERM/S/security_software_disabler_Trojan.html

Try running both of these first and then install Microsoft Windows
Defender (Microsoft AntiSpyware is now Windows Defender)
[working freeware from Microsoft]
http://www.microsoft.com/athome/security/spyware/software/default.mspx

This is free from Microsoft and is the only free product with real
time protection that will block communications by this installation
and possibly by other installations of a rootkit - which may be what
you need to do. To see what real time protection is blocking take a
look at paid antispyware Webroot Spysweeper screenshot showing what
real time protection is protecting - very similar to Windows Defender.
These are generally called antispyware "Shields". Screenshot:
http://bluecollarpc.net/coppermine-photos/albums/userpics/10001/WebrootShields_SnapshotCopy.jpg


Trend Micro RootkitBuster (popular) [working-freeware]
http://www.softpedia.com/get/Antivirus/Trend-Micro-Rootkit-Buster.shtml

AVG Anti-Rootkit Free [working-freeware]
http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0

Recap) Install Windows Defender with real time protection to block
malware communications. Do a full scan and it will probably detect it
and remove it. If not, run the rootkit scanners and then install this and
run it (very aggressive and with over 300,000 definitions):

a-squared trojan remover (Free Working Version for life and Proactive
Premium Version)
http://www.emsisoft.com/en/software/free/
a-squared (a-squared) is a complementary product to antivirus software
and desktop firewalls on MS Windows computers. Antivirus software
specializes in detecting classic viruses. Many available products have
weaknesses in detecting other malicious software (Malware) like
Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap
that malware writers exploit. Automatic updates: In a-squared Free the
updater must be run manually. The auto-update feature of a-squared
Personal checks hourly for new available updates and installs them
automatically. a-squared Free is freeware! You can download and use it
completely for free. You are also allowed to distribute it to third
parties. To be able to use it, you only must set up a free a-squared
Account, to get access to the update server. (Note you register by
simple sign up to activate definitions downloads free).

This should have definitely ended the problems. Let us know.

webmaster bluecollarpc.net /.org
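The CA listing quoted earlier in the thread gives the CLSID, the Internet Explorer toolbar keys and the DLL name for this toolbar, and cbgerry's post above makes the point that a leftover registry item is the usual reason a half-removed toolbar comes back. The script below ties those two together as a read-only check. It is an added example written for this page, not code from CA, cbgerry or anyone else in the thread: it lists every IE toolbar and BHO registration on the machine, resolves each CLSID to the DLL it loads, flags the CLSID and DLL name from the CA listing, reports whether that CLSID is still registered under HKCR once the toolbar entries are gone, and sweeps for the DLL by name. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the folders searched for the DLL are an assumption, since the listing gives the file name but not its location. Nothing is deleted, so the posters' advice still applies: confirm what you have found before removing anything, and take the HijackThis log to one of the specialty forums.

```powershell
# Added example for this thread (not code from CA, cbgerry or any poster):
# read-only inventory of Internet Explorer toolbar and BHO registrations.
# Resolves each CLSID to its DLL, flags the CLSID and DLL name from the CA
# listing, and checks whether the CLSID registration itself still exists.
# Nothing is deleted or modified.
# Assumptions: Windows PowerShell 2.0 or later, run from an elevated prompt.

$SuspectClsid = '{23ed2206-856d-461a-bbcf-1c2466ac5ae3}'   # from the CA listing
$SuspectDll   = 'ictmdl.dll'                               # from the CA listing
$GuidPattern  = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'

function New-Row([hashtable]$Props) { New-Object PSObject -Property $Props }

function Get-ClsidServer {
    # Return the InprocServer32 DLL registered for a CLSID, or $null.
    # HKCR is a merged view of these two hives, so both are checked.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
    }
    return $null
}

function Get-IeExtensionClsids {
    # CLSIDs IE loads: toolbars are stored as value names, BHOs as subkey names.
    $found = @()
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                     'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser') {
        if (Test-Path -LiteralPath $key) {
            $found += (Get-Item -LiteralPath $key).GetValueNames() |
                ForEach-Object { New-Row @{ Source = $key; Clsid = $_ } }
        }
    }
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bho) {
        $found += Get-ChildItem -LiteralPath $bho |
            ForEach-Object { New-Row @{ Source = $bho; Clsid = $_.PSChildName } }
    }
    $found | Where-Object { $_.Clsid -match $GuidPattern }
}

$report = foreach ($entry in Get-IeExtensionClsids) {
    $dll    = Get-ClsidServer $entry.Clsid
    $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
    $sig    = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
    $flag   = ''
    if ($entry.Clsid -ieq $SuspectClsid) { $flag = 'CLSID in CA listing' }
    elseif ($dll -and ((Split-Path $dll -Leaf) -ieq $SuspectDll)) { $flag = 'DLL in CA listing' }
    New-Row @{ Clsid = $entry.Clsid; Source = $entry.Source; Dll = $dll
               OnDisk = $onDisk; Signature = $sig; Flag = $flag }
}
$report | Sort-Object Flag -Descending |
    Select-Object Clsid, Source, Dll, OnDisk, Signature, Flag | Format-Table -AutoSize

# A CLSID registration can outlive the toolbar entries that referenced it;
# that is the kind of leftover that lets a partially removed toolbar come back.
$stillRegistered = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$SuspectClsid"
"CLSID $SuspectClsid still registered under HKCR: $stillRegistered"

# The listing gives the DLL name but not its folder; sweep the usual locations
# (these search roots are an assumption, not something the listing states).
$hits = Get-ChildItem -Path "$env:SystemRoot\System32", $env:ProgramFiles -Filter $SuspectDll `
    -Recurse -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
if ($hits) { "$SuspectDll found at:"; $hits | ForEach-Object { $_.FullName } }
else       { "$SuspectDll not found under System32 or Program Files." }
```

Read the Signature column with the same caution cbgerry applies to regedit: an unsigned DLL loaded by IE is worth a second look, but plenty of legitimate older toolbars are unsigned too, so a flag here is a lead for the forum helper, not a verdict.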
 

PA Bear

"cbgerry" <cbgerry@bluecollarpc.net> wrote in message
news:b190b236-e9d8-43e8-970d-65404b2868b5@c29g2000hsa.googlegroups.com...
> On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
> wrote:
>> Neighbour can't remove this toolbar. Are there any freeware utilities he
>> can use to get rid of it?


No anti-spyware application I know of will fully clean a machine with such
an infection.

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/
 

barrowhill

John,

Suggest you go to the CastleCops forums and post your specific issue, as yours
may be different from mine.

I used them to resolve the issue and they were extremely helpful. I used the
following utility programs - VundoFix.exe, VirtumundoBeGone.exe,
SmitfraudFix.exe and ComboFix.exe. I also downloaded and posted reports from
HijackThis.exe.

"John" wrote:

> Barrowhill,
>
> > You are so lucky to get rid of them for your neighbour. I have exactly the
> > messages shown on my XP SP2 laptop. I tried using Norton, Microsoft
> > Defender, adware, Spybot and SmitfraudFix without any luck.
>
> Can anyone please help me to remove them? Which program helps you to remove
> them?
>
> Thanks.
>
> "barrowhill" wrote:
>
> > cgberry,
> >
> > Many thanks for your reply and information provided. I'm waiting for knock
> > on door from neighbour saying problem has returned. Your info will be most
> > helpful if it has.
> >
> > "cbgerry" wrote:
> >
> > > On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
> > > wrote:
> > > > Neighbour can't remove this toolbar. Are there any freeware utilities he can
> > > > use to get rid of it?
> > >
> > > CastleCops - CLSID / BHO List / Toolbar Master List
> > > http://castlecops.com/bhonew.html
> > > (Identify Malware Toolbars) This is the Master BHO and Toolbar list
> > > copyrighted by Tony Klein and CastleCops.
> > >
> > > Good place (bookmark above) to help identify by name sometimes or even
> > > a registry item like {123-456-78-9-000} for example as kind of
> > > 'reverse look up'.
 

barrowhill

Malke,

Done (CastleCops) and fixed! Thanks

 

barrowhill

cbgerry,

Many thanks for information. I've downloaded rootkit scanners for future ref.

"cbgerry" wrote:

> On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
> wrote:
> > Neighbour can't remove this toolbar. Are there any freeware utilities he can
> > use to get rid of it?

 

barrowhill

PA,

Thanks for info. Problem resolved using (CastleCops) forums as advised by
all on this thread.

Thanks to everyone for the advice and information, which will be useful in the
future should I be unfortunate enough to get caught again (hopefully not).

"PA Bear" wrote:

> "cbgerry" <cbgerry@bluecollarpc.net> wrote in message
> news:b190b236-e9d8-43e8-970d-65404b2868b5@c29g2000hsa.googlegroups.com...
> > On Nov 13, 5:37 am, barrowhill <barrowh...@discussions.microsoft.com>
> > wrote:
> >> Neighbour can't remove this toolbar. Are there any freeware utilities he
> >> can use to get rid of it?

 

Malke

barrowhill wrote:
> PA,
>
> Thanks for info. Problem resolved using (CastleCops) forums as advised by
> all on this thread.
>
> Thanks to eveyone for advice and information which will be useful in the
> future should I be unfortunate to get caught again (hopefully not)


Thanks very much for updating the thread. Stay safe now! :-)

Safe Hex:
http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get
Infected Anyway?
http://www.getsafeonline.org/
https://www.mysecurecyberspace.com/
http://www.getnetwise.org/
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron/archive/2006/02/05/82584.aspx - MVP
Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on
Rogue Antispyware Programs


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 