I’ve got adware that’s located in my Programs menu, and it cannot be uninstalled. It’s called PowerSearch Toolbar for IE, and both Avast and Spyware Doctor have found it, but neither has been able to delete it. What do I need to do to get rid of things like this? There is another one in there that can’t be removed, under the name Stardock Central. I suppose I got it when I downloaded Stardock a while back, and now it cannot be erased. Avast found this too but can’t delete it. ???
I assume there is no uninstall entry in Add/Remove Programs.
Visit HiJackThis - Eddy’s Website and click the “HiJackThis Section”
Download the HijackThis program, follow the instructions available in the “HiJackThis Section”, and run the analyser to identify problems.
If you want to try an online scan of your HijackThis log, try here: http://hijackthis.de/index.php, or post the HijackThis log here.
The Remove/Change button is there, but with PowerSearch it just directs you to a web page where you check a box explaining why you are uninstalling and then click a bar that supposedly uninstalls it, but never does. With the Stardock program, when I click the Remove button, it says “could not locate install.log file”. I hope that’s a better explanation. I’ll try the above solution as well.
If you haven’t got these, give them a try.
They might not work, because these programs have been downloaded and installed and supposedly have add/remove routines, so they may be difficult to remove, but HijackThis is a great program.
I don’t use PestPatrol, but there are manual removal instructions on their page below:
http://www.pestpatrol.com/PestInfo/p/powersearch.asp
Edit: modified my spelling!
HijackThis found the PowerSearch program and attempted to delete it. When I rescanned, it did not show up again, so that’s a good sign. When using the HijackThis program, how do you tell which of the programs it brings up are bad and which are supposed to be on the computer? With many of them it’s obvious, but with others it’s hard to tell.
Edit: thanks for the above link. I noticed that site mentions BHOs. HijackThis brought up several of those, but I wasn’t sure what they were. Should I delete them all?
Copy and paste your HijackThis log file into the link provided by DavidR (in this thread) for an online check.
OK, I see what that’s for now. Looks like some BHOs are bad and others OK.
Depends on your consideration of security and your own browsing habits; some BHOs have their place if they are helpful.
Have you managed to get rid of PowerSearch now?
I haven’t been able to get rid of it yet. I’m trying to follow the instructions for manual removal at PestPatrol, but I haven’t quite figured out the part about removing DLLs.
If it’s safe to remove all BHOs, I’d just as soon do it. I just don’t want to erase anything I shouldn’t.
BTW: it seems like a lot of the things coming up, like this PowerSearch program, are related to IE. I only use Firefox, if that makes any difference.
I only use Firefox (ver 1.0) and wasn’t aware of a BHO from PowerSearch for it. Did you actively install a plug-in for it, and if so, where from?
You could post your HijackThis log file here, BTW.
I’m not sure where the PowerSearch is from. The name says it’s for IE, so maybe I got it when I used IE in the first week or so that I used this computer. ???
This is the log from HijackThis:
Logfile of HijackThis v1.98.2
Scan saved at 8:12:59 PM, on 11/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HJTanalyzer\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0258a4477aa22b9e4602/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
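The question earlier in the thread, how to tell which HijackThis entries need attention, is what the online analysers answer by matching CLSIDs and paths against a known list. As an added example (not code from this thread, from HijackThis, or from hijackthis.de), here is a small Python script that parses the log format above (the Running processes block and the O2, O4 and O16 lines) and lists the entries a reviewer should identify first: BHOs not on an allowlist, Run entries that are bare filenames, downloaded ActiveX controls with no description, and processes in the Windows directory that no Run entry explains. The sample log, the allowlist and the core-process set are constructed for the example; the all-zero CLSID and placeholder.dll are placeholders, not a real entry.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis 1.98 log format: a few lines of the kind
# the thread's log contains, plus one placeholder BHO (all-zero CLSID, made-up
# DLL name) standing in for an entry the reviewer has never seen before.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\WINDOWS\AGRSMMSG.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\placeholder.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
"""

# Constructed allowlist: CLSIDs the reviewer has already identified (here the
# Adobe Reader, Spybot S&D and Symantec entries whose own paths/descriptions
# name the vendor). A real list is much longer; this is only an example.
KNOWN_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": "Adobe Acrobat Reader IE helper",
    "{53707962-6F74-2D53-2644-206D7942484F}": "Spybot S&D SDHelper",
    "{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}": "Symantec Security Check scanner",
}
# Core Windows XP processes that never have a Run entry of their own (constructed).
CORE_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

@dataclass
class Entry:
    kind: str    # "O2" (BHO), "O4" (Run key) or "O16" (downloaded ActiveX control)
    name: str    # BHO name, Run value name, or DPF description ("" when absent)
    ident: str   # CLSID for O2/O16, hive path for O4
    target: str  # DLL path, command line, or .cab URL

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# Hive backslash optional: logs pasted into forums often lose it ("HKLM..\Run").
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

def parse_log(text):
    """Return (running processes, [Entry, ...]) from a HijackThis-format log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
            continue
        in_procs = False  # first non-path line ends the process block
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"], m["path"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["key"], m["hive"] + r"\..\Run", m["cmd"]))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m["desc"] or "", m["clsid"], m["url"]))
    return processes, entries

def command_executable(cmd):
    """Program part of a Run-key command line, quoted or bare, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def review(text):
    """Entries to identify first. These are leads, not verdicts: a name-less BHO
    can be Spybot's helper, and a process with no Run entry may be a service
    (this log version has no services section)."""
    processes, entries = parse_log(text)
    notes, autostart = [], set()
    for e in entries:
        if e.kind == "O2" and e.ident not in KNOWN_CLSIDS:
            why = "BHO with no name" if e.name == "(no name)" else "BHO not on the allowlist"
            notes.append(f"O2 {e.ident} {e.target}: {why}; identify the DLL before deleting")
        elif e.kind == "O4":
            exe = command_executable(e.target)
            autostart.add(basename(exe))
            if "\\" not in exe:  # no directory: Windows resolves it via the search path
                notes.append(f"O4 [{e.name}] {exe}: bare filename; confirm which copy actually runs")
        elif e.kind == "O16" and e.ident not in KNOWN_CLSIDS and not e.name:
            notes.append(f"O16 {e.ident}: ActiveX control with no description, from {e.target}")
    for p in processes:
        name = basename(p)
        if p.lower().startswith("c:\\windows\\") and name not in autostart and name not in CORE_SYSTEM:
            notes.append(f"process {p}: runs from the Windows directory with no O4 entry in this log")
    return notes

if __name__ == "__main__":
    for note in review(SAMPLE_LOG):
        print(note)
```

Run against the sample, `review()` returns four leads: the placeholder BHO, the bare `AGRSMMSG.exe` Run entry, the Yahoo .cab with no description, and `ssisvr32.exe`. Spybot's name-less SDHelper is not reported because its CLSID is on the allowlist, which is the point: decide by identifying the CLSID or file, not by whether HijackThis could read a name.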
Try a forum search for malware removal and follow all the steps, just to make sure you have completely cleaned your system.
I just downloaded Ad-Aware SE and did a scan. It came up with 30 more infected files. I’ve already used Spybot, Spyware Doctor, and Avast. Why did this scan with Ad-Aware find 30 more after doing so many scans prior to it?
The thirty files consisted mainly of eUniverse and WhenU files.
The infection is being replicated…
Can you run SpyBot at boot time?
It will be good if you clean your temporary files too…
How do I run Spybot at boot time? Avast has the option in the menu, but I cannot find it in Spybot.
Further to Technical,
If you are using ME or XP, disable System Restore, delete your (IE) browser cache and any “tmp” files, reboot into Safe Mode and do a full scan including archives. Reboot again and follow the malware removal links.
Yes it will take some time, better to be safe than sorry!
In its settings, the configuration of automation on ‘startup’; it’s in the middle of the other settings.
Swindmill
Also, if this entry is still there it can be removed (below):
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
But I am mostly worried about ‘C:\WINDOWS\system32\ssisvr32.exe’; see why below (quoted from a website).
'Process File: service.exe
Process Name: Worm.Win32.Raleka virus.
Description: service.exe is a process which is registered as the Worm.Win32.Raleka virus. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process
Author: na
Part of: Worm.Win32.Raleka virus
System Process: No
Application: No
Background Process: Yes
Uses Network: Yes
Uses Internet: No
Hardware Related: No
Virus: Yes
Trojan: No
Spyware: No
Security Risk (0-5): 4'
Maybe a thorough scan with “scan inside archives” enabled in Avast will detect this; also make sure Avast is up to date before you start the scan.
If Avast does not detect it, please send the file in a password-protected archive to virus@avast.com, and include the password to open the file and a short description in the email.
–lee
I did a thorough scan including archived files and it didn’t come up with anything. I can send the file mentioned in the above post, but I’m not sure what a password-protected file is, or how to make one. If someone can give me a short how-to, I’ll send it.