I installed Norton Internet Security 2009 this week and every time I turn my computer on I receive a message which says ‘Spyware.IEToolbar detected by Auto-Protect.’ After a few minutes another box appears where I am able to fix the problem. After I fix the problem the internet shuts down and I have to go into it again. This happens every time I log into my computer. I was previously using Norton Internet Security 2008 and I only started noticing these Spyware.IEToolbar messages about 2 months ago. Today I decided I’d had enough so I called a computer technician. He spent 2 hours trying to fix this problem and after consulting with two other computer technicians on his mobile he said he was unable to help me. He said he tried everything he could think of. He suggested I contact Norton and see if they can help me or at least reimburse me in some way since I paid $69.00 for NIS 2009. He thinks I should remove Norton Internet Security 2009 and use an antivirus which he uses. He thinks Norton is the problem. I’m not sure what to think. I find it strange that I was using NIS 2008 for about 10 months before these Spyware.IEToolbar messages started appearing so I’m not entirely convinced that Norton is the problem. I’m really confused as to what to do now. I’d really appreciate some advice. Thank you.
Did the problem occur when you installed Norton or was it already on your machine?
Can you provide us with a HiJackThis log? Then we would be able to take a better look at what is happening behind the scenes.
Please download HiJackThis from this web site. Choose the third one on the list, the executable, and save it on your desktop. Run the file and select the first option on the main menu, "Do a system scan and save a log file". When this is finished, Notepad will open with the log file in it. Save the file as "jayana.log". Then attach the file to a reply post here using the Add Attachment link under the orange Post button.
The problem started to occur about 2 months ago in May when I had Norton Internet Security 2008 on my computer and had been using it for about 10 months since July 2008.
Why could the 3 technicians not help, in person??
What is the file and location it is detecting??
Quads
Sorry, I didn't mention in my first post that the first technician did come out in person. I assume he was running out of ideas so he phoned two other technicians while I was sitting with him. They told him to try things he'd already tried.
In answer to your question about the files and locations I'll do my best in answering but you'll have to bear with me since I'm in no way an expert when it comes to computers.
In Norton it says - When Spyware.IEToolbar is installed, it performs the following actions -
1. Opens the browser to display a page at www.searchit.com
2. Creates the following files -
- about.html
- error.html
- logos.html
- nav.html
- options.html
- toolbar.crc
- toolbar.dll
- toolbar.inf
in one of the following locations-
- %ProgramFiles%\IEToolbar
- %Windir%\Downloaded Program Files
No. What does it say in NIS 2009 that the names of the files are and where they are located on your PC?
Not what the Symantec writeup says, as there are new variants since then that also affect Vista.
Other variants:
%ProgramFiles%\amazon toolbar\amazon.dll
%ProgramFiles%\barra multibusca\bf.dll
%ProgramFiles%\barradetrobat\trobat-v-xp.dll
%ProgramFiles%\freeviewmovies\tbhelper.dll
%ProgramFiles%\freeviewmovies\tbu08046\tbhelper.dll
%ProgramFiles%\phazebar\phazebar.dll
%ProgramFiles%\privacybar\privacybar.dll
%ProgramFiles%\saint-coran toolbar\tbhelper.dll
%ProgramFiles%\search-earn toolbar turkish\tbhelper.dll
%ProgramFiles%\search-earn toolbar\tbhelper.dll
%ProgramFiles%\barradetrobat\
Quads
Jayana:
Click on history on the main screen. When that opens, there is a menu bar at the top. One of the choices is unresolved threats, another is resolved threats. Check both of those logs. When you find the threat click on that and you will be able to select more details. This should give you the path of the files.
I went into Unresolved Security Risks which said - There are no items to view for this category.
I went into Resolved Security Risks and clicked on the threat and more details. I clicked on View Risk Details which gave me the following information which I hope is what you need -
Affected Area - 6 Registry Entries, 4 Files, 1 Browser Cache
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\->SearchAssistant:http://www.symantec.com
- HKEY_USERS\S-1-5-21-1275210071-1958367476-839522115-1004\Software\Microsoft\Internet Explorer\URLSearchHooks->(CFBFAE00-17A6-11D0-99CB-00C04FD64497):0
- HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\URLSearchHooks->(CFBFAE00-17A6-11D0-99CB-00C04FD64497):0
Here are the remaining 3 -
- HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\URLSearchHooks->(CFBFAE00-17A6-11D0-99CB-00C04FD64497):0
- HKEY_USERS\S-1-5-21-1275210071-1958367476-839522115-500\Software\Microsoft\Internet Explorer\URLSearchHooks->(CFBFAE00-17A6-11D0-99CB-00C04FD64497):0
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks->(CFBFAE00-17A6-11D0-99CB-00C04FD64497):0
Click on the "Files" to show the list of files.
Quads
Sorry, I clicked on the threat which was removed this morning when I turned my computer on and there was one file I clicked on which showed - c:\documents and settings\wendy\local settings\temp\(a8bf8187-61dd-4ebf-b7da-20203cef20bf)\-extra\objects\cmdline.dll
I hope this is right.
Earlier on you said
"Affected Area - 6 Registry Entries, 4 Files, 1 Browser Cache". 4 files.
You have given 1 location it states, "C:\documents and settings\wendy\local settings\temp\(a8bf8187-61dd-4ebf-b7da-20203cef20bf)\-extra\objects\cmdline.dll"
Are there not 3 more??
Quads
Sorry, the location I gave you for the one file was the one for today 11 July. Today there were 6 Registry Entries, 1 File, 1 Process and 1 Browser Cache. I gave you the one for today 11 July since I thought you'd need the most recent one. I've noticed that the number of Registry Entries and Files is sometimes different each time I turn my computer on. Yesterday on 10 July there were 6 Registry Entries, 4 Files and 1 Browser Cache. On 9 July there were 5 Registry Entries, 2 Files, 1 Process and 1 Browser Cache.
Here are the 4 Files for 10 July -
c:\documents and settings\wendy\local settings\temp\(3a206e75-400d-42e5-b83b-6a5c05caf16a)\_extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings/temp\(2734f963-e408-4f92-8923-d17921dba4e6)\_extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings\temp\(3f897144-50c4-4695-bffe-1ad251400f74)\_extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings\temp\(0d3bece7-dbc2-4fd2-be60-64aa74ad7e51)_extra\objects\cmdline.dll
Hi
Are you using like Optus DSL as your ISP??
Quads
Yes, Optus is my ISP.
Ok
It's to do with the OPTUS "Desktop Service Centre" recreating the entry every time it is deleted etc. It is created by the file "dsc.exe".
Other AVs detect this also.
Ways around this:
1. Disconnect your DSL cable from your computer, uninstall YES Optus software (the one you installed when you received the modem). Reconnect your DSL cable. Use as normal. cmdline.dll can now be deleted, as someone else put it. OPTUS NEED A KICK IN THE BUTT FOR THIS
2. Use Hijackthis and delete this entry
"O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe"
I am not sure if Norton/Symantec and others would call this a False Positive.
People asking about this on the net go back to 2007.
Quads
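Added example, not part of the original thread: a short Python script that shows why the detection count changes per boot while the artifact stays the same, and that lists autostart entries from a HijackThis log as candidates for what re-creates the file. The function names, the `ExampleUpdater` log line and the sample log header are constructed; the detection paths and the `Desktop Service Centre` O4 line are copied from the posts above as typed.

```python
import re
from collections import Counter

# HijackThis autostart line, in the form quoted in the thread:
#   O4 - HKLM\..\Run: [Name] Command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# GUID-named folder; the thread shows it in (), braces are accepted too.
GUID_RE = re.compile(r"[({][0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}[)}]")

# Constructed sample log: the last O4 line is the entry quoted in the thread,
# the other lines are made up for illustration.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
"""
# Detection paths exactly as typed in the thread (11 July, then 10 July).
DETECTIONS = r"""c:\documents and settings\wendy\local settings\temp\(a8bf8187-61dd-4ebf-b7da-20203cef20bf)\-extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings\temp\(3a206e75-400d-42e5-b83b-6a5c05caf16a)\_extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings/temp\(2734f963-e408-4f92-8923-d17921dba4e6)\_extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings\temp\(3f897144-50c4-4695-bffe-1ad251400f74)\_extra\objects\cmdline.dll
c:\documents and settings\wendy\local settings\temp\(0d3bece7-dbc2-4fd2-be60-64aa74ad7e51)_extra\objects\cmdline.dll
""".splitlines()

def autostarts(log_text):
    """Return (hive, key, name, command) for each O4 line in a log."""
    hits = (O4_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m["hive"], m["key"], m["name"], m["cmd"]) for m in hits if m]

def normalize(path):
    """Collapse the per-boot GUID folder and hand-typed separator slips."""
    p = GUID_RE.sub("<guid>", path.strip().lower().replace("/", "\\"))
    return re.sub(r"<guid>\\?[-_]extra", lambda m: "<guid>\\_extra", p)

def recurring(paths, min_count=2):
    """Map normalized path -> count for files seen at least min_count times."""
    counts = Counter(normalize(p) for p in paths if p.strip())
    return {p: n for p, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    for path, n in recurring(DETECTIONS).items():
        print(f"{n} detections of one recurring file: {path}")
    print("Autostart entries to review as possible re-creators:")
    for hive, key, name, cmd in autostarts(SAMPLE_LOG):
        print(f"  {hive} {key} [{name}] -> {cmd}")
```

The script only narrows the search: a file that reappears under a fresh GUID folder at every boot points at something that runs at startup, and the O4 list is where to look for it.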
Hi Quads,
Thank you for your help. I should mention that I have cable broadband with Optus not DSL. I also did a test to see what happens if I disconnect my modem from my computer. I still get the same message when I'm not connected to the internet so I think that means the problem is within my laptop and has nothing to do with Optus. You may be right and I may be wrong but I'm not prepared to uninstall the Optus software at this stage. I'm thinking of doing another test. I want to see what happens if I uninstall NIS 2009 and try using another antivirus. I think the other antivirus will also detect this Spyware. I don't believe the problem is with Norton. I'm worried about uninstalling NIS 2009 though in case I have problems re-installing it. I might give it a go. I really do appreciate your help and I don't mean to upset you by not doing what you suggested. I'm just a bit anxious about it, that's all.
Jayana
Oh well, your choice, but I found others with other AV software with the problem.
It is the Optus software "[Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe", not the hardware and the modem itself. As it is the addon program by Optus it is still OPTUS.
As it is, the extra software is not needed on startup anyway.
http://www.computer-aid.com.au/blog/2007/09/19/cmdlinedll-keeps-reappearing/
Quads