toolbar888, install.exe ayb.dns-look-up

[canquest]

Hi. I am a newbie. (Please be gentle). My account (and my son's account) seems to be infected with "bad" stuff. Regardless of the virus scan's that i have done (trend micro - up-to-date), adware elimination programs (ad-aware se), microsoft defender, spyhunter (registered owner), every time i log on, I get messages saying that a dangerous site (ayb.dns-look-up) is being accessed, a toolbar888 message appears (in defender) and an install.exe program magically reappears on my desktop. Also, on my son's account, he can't even run hijack this - the dialog box appears briefly and then disappears. (On my account, I can run hijackthis seemingly without problems).

Any help that you can provide is greatly appreciated. Please forgive me if i have posted this to the wrong forum.
thanks
canquest

 

[raybay]

What gives you the belief that you have "bad stuff"? Have you looked at the standard messages here on infestations. They are very helpful. Then get back to us.

 

[howard_hopkinso]

Hello and welcome to Techspot.

You`ve definitely posted in right spot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[howard_hopkinso]

What gives you the belief that you have "bad stuff"?

Process File: install.exe or install
Process Name: Adware.W32.EasySearch

ToolBar888.dll - Dangerous

ToolBar888.dll is Spyware/Adware Toolbar888.

There`s a couple of clues mate lol.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Thanks for the very quick reply. I am going through the steps you mentioned and will reply once i have completed them. Thanks again!

 

[canquest]

Hi again!

Ok. I ran all the steps as instructed in 'Viruses/Spyware/Malware, preliminary removal instructions' and in 'Malware Removal: Temporarily Disable Real Time Monitoring Programs'.

A few notes:

1. My regular virus protection software is 'TrendMicro PC-Cillin Security'. I was unable to run it in Safe Mode when instructed to, so I ran the 'online virus scanner' again (which by coincidence is also from Trendmicro).

2. I ran the AVG Antispyware program when instructed. It did find 3 or 4 items which I quarantined. However, I forgot to save the report before I exited. So I ran it a second time and this time it found nothing. Therefore the report that I am attaching shows 'nothing to report'.

3. Most (but not all) of the problems that were experienced were from my son's account. I ran all the steps from my account (which has administrator privledges). My son's account also has administrator privledges. I hope it didn't matter which account I ran the steps from.

4. After doing all the above, I signed-on to my son's account and sure enough all the 'bad-stuff' is still there (including 'install.exe' on his desktop and all the popups. I tried to run hijackthis from his account (renamed to 'analyze' and it immediately disappears. (I even renamed it to something else and same thing happens). Same with trying to download a new version of hijackthis from the internet. Toolbar888 is still there and causing all sorts of popups. At this point, it seems that my account is still clean.

Any help you can provide me is very appreciated. Thanks in advance.

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Client IP-IPX

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

svchosts.exe<Not to be confused with svchost.exe
metainternet.exe
ALCMTR.EXE

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Bold Shim Inter Drv] C:\Documents and Settings\All Users\Application Data\eq body bold shim\metainternet.exe

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://secure.learning.gov.ab.ca/edarts.internet/includes/smsx.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab

O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/snailmail/sis/slgwebinstall.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?

O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe
C:\Documents and Settings\All Users\Application Data\eq body bold shim<Delete the entire folder.
C:\windows\ALCMTR.EXE

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Hi again. Thanks for all your help so far.

Ok. I followed the instructions and am attaching the latest hjt file.

Please note:

1. I checked my son's account and the 'install.exe' still appears on the desktop even though i delete it.

2. I deleted the c:\windows\system32\svchosts.exe file as instructed, but it keeps reappearing when i verify that it is gone.

3. As in the past, when I try to run hijackthis.exe (renamed to anything else) from my son's account, it vanishes almost immediately. I needed to run it from my own account. (Both accounts have administrator privledges).

Thanks again. i really appreciate it.

 

[howard_hopkinso]

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

Fix all 01 Hosts: entries.

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C2F6~1\Bar888.dll

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C2F6~1\Bar888.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\PROGRA~1\COMMON~1\{3C2F6~1\Bar888.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Hi again! Thanks for your continuing help.

Ok. I followed the instructions as indicated.

Please note:

1a. I originally followed all the instructions from my son's account (has admin privledges) in safe mode and ran hjt from there. It seemed to have 'fixed' (i.e. deleted) all the entries that it was supposed to (all 01 were gone and bar888 entries were gone). I also ran the killbox as instructed.

1b. When I rebooted (I assumed I was to boot not in safe mode this time), I used my son's account again. 'install.exe' was still on the desktop. When I attempted to run hjt (renamed), as in the past, it vanished after a second.

1c. So, I rebooted again, this time in safe mode, using my son's account again, and re-ran hjt. All the 01 (and bar888 entries) re-appeared again.

1d. I rebooted again (in safe mode), using my own account (has admin privledges) and re-ran hjt and repeated the fix (and killbox) instructions again. By the way, although I entered the bar888.dll in killbox, I don't think the file exists, as I searched for it. In any case, I entered the name and pressed delete as instructed. Also, since there was only one file to delete in killbox, I pressed 'reboot now' when prompted by killbox, and i received a message saying 'Pending file rename operation registry data has been removed by external process'. The reboot didn't automatically happen, so i rebooted manually.

1e. Rebooted again (not in safe mode), using my own account and re-ran hjt and created the attached file. As you can see the 01 (and bar888) entries are gone, but only because i produced this from my account and not my son's account.

2. I didn't repeat any of the previous steps in previous instructions (such as running 'services.msc'), as I assumed i was only to follow the most recent instructions.

Thanks so much for all your help.

 

[howard_hopkinso]

That HJT log is now clean.

As for the install.exe file, try THIS ultility to delete it.

If at all possible I`d like to see a HJT and AVG Antispyware log from your sons account.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Thanks for the speedy reply!

Here is what i have done:

1. I booted in safe mode (son's account) and ran the utility you mentioned to delete 'install.exe'. (By the way, I was able to 'delete' it before, it just keeps showing up the next time i reboot in non-safe mode). I created the first hjt log (see below).

2. I rebooted in not-safe mode (son's account). I get the following message: "UPDATE.EXE This application has failed to start because system.dll was not found. Re-installing the application may fix this problem." I click ok (no other choice).

3. I allow system to finish booting. I see the desktop. I do nothing/press nothing. After a moment, 'install.exe' reappears on the desktop. A moment later, I get a message from PC-CILLIN Security (my virus scanning software) saying, "You have attempted to open a dangerous web-site 'http://ayb.dns-lookup.com/al' close your web browser and do not open this web site again". Please note, I haven't explicitely opened my web-browser or run/opened/done anything at this point. I have simply allowed the boot to finish and windows xp to start.

4. With very quick fingers, I was able to run hjt and press control-a, control-c before it disappears. I save the result in a txt file (see below).

5. I am enclosing 2 hjt log files - both from my son's account. (Please note that I renamed the hijackthis.exe to science.exe; i initially tried analyze.exe, as instructed, but it vanished immediately, so i thought that I would try to rename it to something else)

5a. The first hjt file was done in safe mode (so named). It shows a 'clean' hjt log - no o1 (or bar888 entries).

5b. The second hjt file was done not-in-safe-mode (so named). It shows all the o1 (and bar888 entries) are back again.

thanks as always for your continuing help!

 

[howard_hopkinso]

From your sons account, do the following.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your(sons) normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Uniblue
SpyEraser

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Client IP-IPX

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

svchosts.exe<Not to be confused with svchost.exe
SpyEraser.exe
Byte Ping Win.exe
Science.exe
Ares.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

F3 - REG:win.ini: load=C:\WINDOWS\system32\rsrzkiyofc\services.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\rsrzkiyofc\services.exe

Fix all 01 Hosts: entries.

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C2F6~1\Bar888.dll

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C2F6~1\Bar888.dll

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [error cake] C:\DOCUME~1\Daniel\APPLIC~1\FREECA~1\Byte Ping Win.exe

O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe
C:\Program Files\Uniblue\SpyEraser<Delete the entire folder.
C:\DOCUME~1\Daniel\APPLIC~1\FREECA~1<Delete the entire folder.
C:\WINDOWS\system32\rsrzkiyofc<Delete the entire folder.
C:\Documents and Settings\All Users\Documents\Science.exe

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\PROGRA~1\COMMON~1\{3C2F6~1\Bar888.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log as well as an AVG Antispyware log, if you can, both from your sons account.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Howard, I think you did it!!!

I have attached the hjt log as requested - created from my son's account in normal (not-safe) mode WITHOUT the HJT program vanishing! AND, 'install.exe' did not re-appear on his desktop!

A quick review of what I have done:

In safe mode (son's account):
1. found uniblue spyeraser in add/remove programs - deleted it.
2. in services.msc, Client-IPX found, but already disabled.
3. in task manager, none of the tasks you mentioned were found, so nothing to delete.
4. Ran HJT, found all that you mentioned (except the Bar888 and Spyeraser ones); fixed the rest.
5. Deleted all files you mentioned (except SpyEraser, which wasn't found).
6. Ran killbox on specified file. Not sure if this is what was supposed to happen, but as in the past, when I selected reboot now, I get the message, "Pending File Rename Operation Registry data has been removed by external process".
7. Rebooted in normal mode, son's account, and produced the attached hjt log file. Hope it is clean.

Thank you so much for all your help.

 

[howard_hopkinso]

Well done, that HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Howard: You are amazing! I can't thank you enough. As you can imagine, I have been tearing my hair out for days over this. I am forever grateful!

Two last questions before i sign-off:

1. Should I be concerned about the message (that i still get on my son's account): "UPDATE.EXE This application has failed to start because system.dll was not found? Re-installing the application may fix this problem." I click ok (no other choice).

2. Does TechSpot also answer non-Spyware/malware/virus questions? If so, where should I post the following: My son has two persistent problems: (a) windows media player doesn't start up on his account (but does on mine) even though there is an icon for it and i have reinstalled it several times and (b) His search option is 'dead'. Whenever he selects the 'Search' option (for example from the start menu) all he sees is the dog at the bottom of the screen - nothing else, no ability to select anything or enter something to search for.

Again, Howard, you are terrific. Before posting my own problem, I reviewed several others that you had helped. I am sure I stand in a very long line of people who are very appreciative of your generous and knowledgeable help.

All the best.

 

[howard_hopkinso]

From your sons account, locate and delete the following bold file.

C:\Program Files\Common Files\{AC2F6B54-0A6A-1033-0602-050503100001}\Update.exe See if that solves the error message. Please let me know.

Does TechSpot also answer non-Spyware/malware/virus questions?

Yes, Techspot answers all questions pertaining to computers.

I suggest you start a new thread in our Windows OS forum, for your media player problem. You can find a list of our forums HERE, or by clicking Forums at the top of any page.

Regards Howard

This thread is for the use of canquest only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[canquest]

Thanks Howard - I deleted the update file as instructed, and now the message is gone. (By the way, there was also a system.dll file in the directory, which I also got rid of - but i can recover it if need be. hope I didn't get too over-confident).

also, i will repost my other questions as suggested. Maybe I'll speak to you there?!

again, thank you for all your help and patience.

All the best.