Imesh and wildtangent?

Hey guys, I'm on my dad's computer and encountered something I've never run into before. On his Firefox he has a new toolbar called “mediabar” when hovered over, but if clicked anywhere it's called iMesh. After a Google search I'm pretty sure it's some sort of spyware, not for sure though. Then, after going through his C:/ drive looking for mywebsearch, which the Google search said the iMesh bar could be linked with, nothing from mywebsearch showed up, but I ran into a WildTangent file. I have done a HijackThis log and am about to do a SUPERAntiSpyware scan. Help please?

thanks

Justin, did you follow the general cleaning procedure?

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

I have done as you have advised. avast found 3 infections during the boot scan, 1 of which, after researching on here, is a false positive: the infection is win32:Neptunia-KH [trj], found in musicnow, and the other 2 are win32:adware-gen [adw], all of which have been quarantined. But the iMesh infection? is still present, along with the WildTangent folder on the C drive.

Hi Justin_xp,

Removal instructions for imesh:
General instructions:

Click Start > Settings > Control Panel, and double-click Add/Remove Programs.

Scroll down the list till you find the iMesh entry. Then click Remove or Change/Remove. Follow the on screen instruction to finish the uninstallation automatically.

Open the Program Files directory and delete the iMesh folder along with all the files within it.

Return to Add/Remove Programs in the Control Panel and locate iMesh ads support.

Select iMesh ads support and click Change/Remove .

Since iMesh may be bundled with other adware, you may have to remove these adwares as well:

More specific cleansing instructions:
Step 1 : Use Windows File Search Tool to Find iMesh Path

  1. Go to Start > Search > All Files or Folders.
  2. In the “All or part of the file name” section, type in “iMesh” file name(s).
  3. To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
  4. When Windows finishes your search, hover over the “In Folder” of “iMesh”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete iMesh in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove iMesh Processes

  1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.

  2. Click on the “Image Name” button to search for “iMesh” process by name.

  3. Select the “iMesh” process and click on the “End Process” button to kill it.

  4. Remove the “iMesh” processes files:
    driverpg.exe
    attnvg.exe
    bm_insta.exe
    istabm.exe

Step 3 : Detect and Delete Other iMesh Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.

  2. Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content, including the hidden files.

  3. To change directory, type in “cd name_of_the_folder”.

  4. Once you have the file you’re looking for type in “del name_of_the_file”.

  5. To delete a file in folder, type in “del name_of_the_file”.

  6. To delete the entire folder, type in “rmdir /S name_of_the_folder”.

  7. Select the “iMesh” process and click on the “End Process” button to kill it.

  8. Remove the “iMesh” processes files:
    driverpg.exe
    attnvg.exe
    bm_insta.exe
    istabm.exe


polonus

Thank you polonus and Tech, but polonus, I have 1 problem, and that is that iMesh or the other one isn't in Add or Remove Programs???

Is there any uninstall tool (executable) in its installation folder?

I'll have to look, thanks, I didn't think of that.

Alright, I have looked and there is no uninstaller present.

Hi Justin_xp,

Download the uninstaller from here: http://www.spywaresignatures.com/tools/RemoveiMeshMediaBar.exe

pol

Alright, thank you polonus. I found another way, but it would involve unregistering .dll's and that's the long way. Thanks for the tool.

Alright, well, I ran the cleaner on my dad's computer and rebooted, and the iMesh/mediabar is still there :( Any clues as to why?

Hi Justin_xp:

Read this: http://www.file.net/process/mediabar.dll.html
Then download this tool, BHO demon, and try to remove it:
http://www.majorgeeks.com/downloadget.php?id=3550&file=15&evp=245a87539eea8ed6904332b4b8b8442d

polonus

Once again, thank you polonus. I do hate this iMesh bar, it seems like it's insulting me ;D

This is getting quite annoying, actually.

I have downloaded the tool and installed it, but after trying to start it I continuously get an error reading that a file could not be downloaded. From there I can exit, but after the main menu pops up I get the window saying that it must be closed, asking if I wish to send an error report or not.

Any clue as to what's happening?

Well if it is a toolbar then it would be detected in hijackthis, so it would point to the file name and location and it would also allow you to ‘fix,’ e.g. remove the entry from HJT.

There is also ToolbarCop http://www.snapfiles.com/get/toolbarcop.html which might help.

Here is a HijackThis log. I looked through it and didn't see anything out of the ordinary, but then again I'm no expert at reviewing logs.

Hi Justin_xp,

There is not much here either:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html
It can be found there for the next three consecutive days and is the analysis of your HJT logfile,

polonus

P.S. What did bho demon or the program DavidR proposed deliver?

Well let us try the following:
part 1 of a malware routine using RemoveVideoActiveXObject.exe

Download: http://home.hetnet.nl/~stefsmeenk/RVAXO.exe

Save the file onto your Desktop, then you may doubleclick it.
You can unpack the program to your Desktop.
Now open the folder RVAXO on your Desktop and doubleclick RVAXO.cmd
A window will open, quickly some lines will roll over the screen, this is normal procedure.
Possibly an uninstaller of a rogue scanner will start, do not close and follow instructions that pop up,
and let it run.

Then your PC will restart, after restart a window will open RVAXO again.
Let it run and wait until a logfile is being opened.
This can be found as: C:\RVAXO-results.log
Post the contents in your next posting together with a fresh HijackThis log (after using the next tool).

If your PC does not restart?

Let RVAXO run once more and then attach a new logfile: C:\rvaxo-results.log to your next posting,

Also run this tool: http://home.hetnet.nl/~stefsmeenk/tools/Rogue-uninstaller.exe

polonus

What I do see on your log is a whole bunch of Norton stuff, which may be related to Norton Internet Security (NIS) which includes an AV.

Are you using NIS now and more importantly does it still have the AV module ?

Your JAVA is one update short of being up to date.

Adobe Reader is also out of date there has been a recent security update.

Other than that I don’t see any O3 or O9 entries which relate to imesh.
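
The check described in the replies above (looking through a HijackThis log for O2, O3 and O9 entries that relate to iMesh), as an added example that is not part of the original thread: a short Python parser run over a constructed log. The CLSIDs, file paths and keyword list are constructed for illustration.

```python
import re

# Browser add-on sections of a HijackThis log: O2 = Browser Helper Objects,
# O3 = Internet Explorer toolbars, O9 = extra IE buttons / Tools menu items.
ADDON_SECTIONS = {"O2", "O3", "O9"}

# Line shape: "<section> - <kind>: <name> - {CLSID} - <file path>"
ENTRY_RE = re.compile(
    r"^(?P<section>O\d{1,2}) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Names taken from the thread; the list itself is an assumption of this example.
KEYWORDS = ["imesh", "mediabar", "wildtangent"]

def addon_entries(log_text):
    """Return every O2/O3/O9 entry as a dict (section, kind, name, clsid, path)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("section") in ADDON_SECTIONS:
            entries.append(m.groupdict())
    return entries

def flag_entries(log_text, keywords):
    """Return add-on entries whose display name OR file path contains a keyword.
    Matching on the path catches entries that HijackThis lists as "(no name)"."""
    lowered = [k.lower() for k in keywords]
    return [
        e for e in addon_entries(log_text)
        if any(k in (e["name"] + " " + e["path"]).lower() for k in lowered)
    ]

# Constructed sample log: placeholder CLSIDs and paths, not from the poster's machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: AcroIEHlprObj Class - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\MediaBar\mediabar.dll
O3 - Toolbar: Norton Toolbar - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Norton\UIBHO.dll
O3 - Toolbar: MediaBar - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Example\MediaBar\mediabar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Research - {00000000-0000-0000-0000-000000000005} - C:\Program Files\Office\REFIEBAR.DLL
"""

if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG, KEYWORDS):
        print(e["section"], e["kind"], e["name"], e["clsid"], e["path"], sep=" | ")
```

O2, O3 and O9 are Internet Explorer registry locations, so an empty result does not rule out an add-on that is installed only in Firefox.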

Hey guys, sorry, I know this must be getting annoying for you, because it is for me too. I've thrown quite a few things at this, all to no avail; the only thing I haven't tried yet is Spybot and a few online scanners. So yeah, I'm getting angry at it, but I'll keep calm. I ran the RVAXO tool and I have the log, which I'll paste along with the fresh HijackThis log. I couldn't run the Rogue-uninstaller, I think, because all it did was open a cmd prompt and sit there for 5 minutes going “File not found” repeatedly in pairs. But here are the logs.

Hi Justin_XP,

Good, we have found a nasty spy virus:
Download KillBox here: http://www.downloads.subratam.org/KillBox.exe
Save it to your desktop.
DO NOT run it yet.

Best to boot into Safe Mode.

  • Double click on Killbox.exe to run it.

Put a tick by Standard File Kill.
In the “Full Path of File to Delete” box, copy and paste each of the following lines one at a time:

C:\WINDOWS\system32_000006_.tmp.dll
C:\WINDOWS\system32_000007_.tmp.dll
C:\WINDOWS\system32_000010_.tmp.dll
C:\WINDOWS\system32_000011_.tmp.dll
C:\WINDOWS\system32_000012_.tmp.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\actskn45.ocx

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the “Paste Full Path of File to Delete” box.
Killbox may tell you that the file does not exist.
If that happens, just continue on.
Exit the Killbox.

Now download ATF cleaner (made by Atribune) from here: http://www.atribune.org/ccount/click.php?id=1

Doubleclick ATF cleaner to start the program.
In “Main”, you tag Select All.
Click button Empty Selected.

Are you using the Firefox browser:
Click “Firefox”, tag Select All.
Do you want to keep the Firefox saved passwords, click in the window that appears for “No”.
(this will untag “Firefox saved passwords”)
Click the button for Empty Selected.

Do you use the Opera browser:
Then click “Opera”, tag Select All.
Do you want to keep the saved passwords, click in the window that appears for “No”.
Click the button Empty Selected.
In “Main” go and click the Exit button to close down the program.

Also run this batfile:
http://downloads.sophos.com/tools/rmgonera.bat

Go to Start -- Execute and type in: ipconfig /flushdns

That is it,

polonus