Another frustrated Smitfraud-C.Toolbar888 Sufferer!!

By TheWildInside
Jan 8, 2007
  1. Greetings,

    I hate to say "Hello, glad to meet cha!" and then launch right in to a problem, but I've already wasted two days surfing around trying to find a fix for this nasty invader and I'm at my wit's end. Tech Spot seems to be one of the few sites that offers experienced support without trying to sell me something, so here I am. Hi, ya'll. HELP!!

    I first came across this site last night after trying AdAware, SpyBot and McAfee. I got very excited at the prospect of the online link provided to Trend Micro for scanning online; however, I'm on dial-up (not by choice, I assure you) and after two hours of its trying to do its thing I went to bed and left it - only to discover all kinds of pop-up error messages awaiting me in the morning. The problem seems to be circular, as my primary mode of online access is AOL, and as Trend Micro was having a problem working through AOL's browser, I opened IE and pasted the URL into that browser .. and that's when the problems began in earnest.

    Please keep in mind that I know enough to keep my computer in good working order. I run the three versions of software regularly - but this is the first time I've run into something so pervasive that no combination of the three will clean or quarantine it. I do back up my business files onto zip and CD's regularly, but all my business related software is on this laptop and I fear a catastrophic episode that I'll be clueless to fix.

    Please, please, please ... help me wash this nasty piece of work off my lifeline so I can get back to work :eek:

    Awash in anxiety,
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of TheWildInside only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. TheWildInside

    TheWildInside TS Rookie Topic Starter Posts: 24

    Stuck at the fork in the road ..

    Thank you so much for your reply. I apologize for not scouring the site more thoroughly before my initial post; but knowing that any response was probably going to take awhile, I DID print the "Viruses/Spyware/Malware, preliminary removal instructions" post, downloaded all the software included in it (except an AntiVirus, as I already have McAfee - though it neglected to catch much of anything), and followed it to the letter shortly after posting and signing off. But Egads, I hope it all worked 'cuz the thought of having to go through all that again makes me cringe. Just one additional note - I did find another forum that had a list of free downloads to use (Superantispyware, ATF Cleaner and drweb-cureit.exe), all of which I did indeed download. ATF Cleaner was just another version of Ccleaner and I used AVG and Spybot over the Superantispyware; but I did execute drweb with significant results. Though after ALL of that, rebooting back into normal mode, rehiding my protected files, enabling my firewall again and running SpyBot just in case, I found that it's still picking up Smitfraud.cToolbar888. I vaguely remember a few threads mentioning "false positives", so I'm not sure whether to fret about this or not.

    I read your post "If your system is infected. Read this .." with dismay. I do indeed use my laptop for all the sensitive things you mention, but don't feel I have the technical knowledge required to do a complete format and reinstall. I'm not even sure I could find the discs for all of my resident programs .. we relocated in late 2005 and I'm still searching for things in boxes that were stashed.

    But I babble .. sorry. Let me just say that I think I have correctly attached the HijackThis and AVG Antispyware logs and I will await your experienced and patient response as to the result.

    Grateful for your time and attention,

    Oh .. one other thing. When I ran Ccleaner, there was an entire set of "Advanced" files I did not check. I have no idea what these files are .. and fear runs high in me for deleting something I shouldn't. When I opened the application all other boxes were checked except for these, so that's the way I ran it. If there's nothing I should fear in deleting these files (old prefetch data (??) IIS Log Files, Hotfix Uninstallers and especially Custom Files and Folders concern me), I'll run through the whole darn process again. Having done it all once, at least it should go a little more quickly a second time.
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Obviously, you`re aware of the risks in cleaning your system, seeing as how you use the system for storing sensitive information. So, we will attempt the clean up.

    Delete all files in AVG Antispyware quarantine.

    We need to temporarily disable Spybot search & Destroy`s tea time, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint Manager
    Viewpoint Toolbar

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    PowerReg Scheduler V3.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0<Fix this if you didn`t set this proxy yourself, or don`t know what it is.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe

    O4 - Startup: PowerReg Scheduler V3.exe

    O4 - Global Startup: Digital Line Detect.lnk = ?

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Common Files\Viewpoint<Delete the entire folder.
    C:\Program Files\Viewpoint<Delete the entire folder.
    PowerReg Scheduler V3.exe<Search your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you`re still having problems.

    Regards Howard :)

    This thread is for the use of TheWildInside only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. TheWildInside

    TheWildInside TS Rookie Topic Starter Posts: 24

    Round Two


    New HJT log attached.

    Ran through your directions - a few times the files were not there to delete, but I deleted all that were. One thing though - when locating/deleting files/directories I did find "C:\Program Files\Viewpoint" and deleted the folder (which in turn made several additional Viewpoint files disappear from the search response window) .. however, after deleting, two add'l files remained that were identified as Netscape Plugins: npviewpoint.dll and npviewpoint.xpt. Since I occasionally browse with Netscape, I didn't delete these. Please advise if I need to go back and snag them. Also, the only item that came up when I searched for "PowerReg Scheduler V3.exe" was in an HJT backup file. Your directions were to "delete all instances ..", so I did.

    After rebooting into normal mode and hiding all my protected files again, I ran SpyBot, and Smitfraud-C.Toolbar888 remains and cannot be cleaned. Also, upon closing SpyBot, it alerted me to a registry change, which I allowed.

    I SO appreciate your time. Please let me know if we need to go to Round Three.

    Thank you, thank you, thank you ... may Lady Fortune lay a Lottery Win upon you!!

  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Download, install and run the trial version of SpySweeper.

    Let me know if that helps.

    Regards Howard :)

    This thread is for the use of TheWildInside only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. TheWildInside

    TheWildInside TS Rookie Topic Starter Posts: 24

    Need a sledgehammer!

    Hi ya,

    Downloaded and ran SpySweeper, it found only low threat cookies and it wouldn't let me quarantine or delete those without buying the full program. Caught the same cookies on SpyBot ... as well as SmitFraud-c.toolbar888 again. So I uninstalled SpySweeper and went back to your original Viruses/Spyware/Malware/, and subsequent instructions, and ran through it ALL again. Discovered ViewPoint had popped back into my programs, though other than the SmitFraud thing that won't go away, that was the only thing that came back.

    What IS it with SmitFraud?!?! I did run the SmitFraud Fix (Tool 1) several times (as directed .. search in normal mode, clean in safe mode). There's gotta be a way to clean this thing. Is SpyBot picking up a false positive (how can you tell)?? Has anyone else been able to beat this thing?

    I'm out of town and away from my laptop, so cannot attach a HJT log with this post, but will do it Friday morning when I return. If there's anything else you think I should try before running HJT again, please let me know.


    Pulling my hair out in Northern New York,
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It does look like your getting a false positive from SS&D. See HERE.

    Regards Howard :)

    This thread is for the use of TheWildInside only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. TheWildInside

    TheWildInside TS Rookie Topic Starter Posts: 24

    Feelin' a bit better ..

    Hi Howard,

    Thanks - I actually found that link, too, after my last post .. and surfed a little more around that forum. Someone posted a fix to SpyBot's SmitFraud false positive .. which in turn caused other problems, so a fix for the fix was needed. Sigh. So, I've left a post and SpyBot log over there hoping someone might illuminate the situation for me. Hoping for a reply in the morning. Am also looking at updating my SpyBot from v1.3 to v1.4

    I've attached another HJT log, and comparing it with your previous post listing the things I should "fix", it seems OK. However, two items closely resemble the two items SpyBot picked up as SmitFraud, so I attached the SpyBot log as well. The items in HJT to which I refer are:

    020 - Winlogon Notify: Sebring - C\WINDOWS\System32\LgNotify.dll
    020 - Winlogon Notify: TabBtnWL - TabBtnWL.dll(file missing)

    Also, ViewPoint keeps repopulating the Processes tab in Windows Task Manager .. nowhere else (what IS that??)

    Now .. as it seems my system is OK (I'll reserve judgement until you look more closely at my HJT log), I need to decide how to better protect my system. I now have about 10 or 11 new icons on my desktop - things I downloaded when following instructions. I used only McAfee (and PAID for automatic updates), which didn't catch ANY of the stuff you did; SpyBot and Ad-Aware SE Personal. I'd be fine with uninstalling McAfee .. is AVG's antivirus better? I also put the shield up on AVG AntiSpyware and look forward to seeing how it performs during the 26 days I have left of free access. Should I create a new thread with these questions??

    OK .. I'll shut up now.
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Have HJT fix these inactive entries.

    O20 - Winlogon Notify: TabBtnWL - TabBtnWL.dll (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    The 020 - Winlogon Notify: Sebring - C\WINDOWS\System32\LgNotify.dll entry is part of Intel`s wireless and is perfectly safe.

    As for the Viewpoint entry in your task manager, search your system for the file and delete it. You may need to do this from safe mode.

    This is only my personal opinion, but I think you`d be better off without McAfee as it is somewhat of a resource hogger. The free AVG Antivirus is an excellent programme and one that I`ve had on my system for a long time. I also recommend either the free Zonealarm or Kerio firewall programmes. You can find links to these in this thread HERE.

    You can get rid of the stuff you downloaded in the instructions as they are no longer required. I recommend you keep SS&D/Ad-Aware personal se/AVG Antispyware. You should always make sure you have the latest versions of these programmes and that they are fully updated with the latest definition files.

    You should update Spybot immediately to the latest version.

    For some useful info on keeping your computer safe, see this thread HERE.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of TheWildInside only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. TheWildInside

    TheWildInside TS Rookie Topic Starter Posts: 24

    'K .. back to work!

    Thank you, Howard .. you're the best!

    I have no problem uninstalling McAfee, considering it's done little for me through all this. And I was familiar with AVG Antivirus through two other incidences, one with my husband's laptop, another with my parent's PC .. both time local "computer doctors" installed AVG Antivirus. I'm downloading as I type. I had Zonealarm installed once when I was working in an office with broadband, but was constantly having to attend to its alerts, with no idea of what was OK and what wasn't. So I never used it again. After all this, I may have to reconsider.

    I have to tell you that immediately after reading the post "If your system is infected ..." I immediately sent letters to all three credit reporting agencies requesting a credit freeze on all our credit reports; and I set up email alerts on all our credit and debit card accounts that had this service available (all but one local savings bank). The credit freeze was something we'd intended to do anyway once it became available in NYS .. the scare just lit a fire under me sooner rather than later.

    I plan to donate to SpyBot once I get all this extraneous stuff cleaned off and get my desktop organized again; if there's a way to donate within in this forum as well, I'd be happy to do so. I couldn't have done without my laptop for the period of time I would have had to leave it with someone to do all that you walked me through. Not only did we clean off a bunch of stuff I had no idea was even there, I learned a few things and feel a little more comfortable with the whole maintenance routine.

    I'll hang on to HJT .. just in case.

    Thanks again .. I am so grateful for all your time and attention. If you ever come across someone responsible for any of these nasties, tie 'em down and make 'em eat nails .. for all of us. : )

    Headin' back to my jewelry studio with a lighter heart,

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...