Can't remove Sweetpacks toolbar in add/remove programs

Discussion in 'Malware Removal Assistance' started by jr70895, Jul 20, 2013.

  1. jr70895

    jr70895 New Member

    Did all suggestions by malware tips to remove sweetpacks and all seemed fine. However, under add/remove programs Internet Explorer Toolbar 4.9 by Sweetpacks is listed.
    When I tried to uninstall it re-installed itself. It blocks access to tool/ie options so not able to reset internet explorer. Did a system restore and all is fine but it is still listed in the add/remove programs.

    Also ran ccleaner, malwarebytes, spybot, wise registry cleaner, and nothing helps.

    Thanks
     
  2. Fiery

    Fiery 1 of the 4 MalwareTips Founder

    Hi and welcome to MalwareTips! :)

    I'm Fiery and I would gladly assist you in removing the malware on your computer.

    PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

    Before we start:
    • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
    • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
    • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
    • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
    • The absence of symptoms does not mean your PC is fully disinfected.
    • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
    • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool (For Vista or Windows 7, right-click and select Run as Administrator to start)
    • Click delete
    • Please post the content of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt

    Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select Run as Administrator to start
    • Wait until Prescan has finished, then click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • Click delete and wait until it says deleting finished
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
      Exit/Close RogueKiller+

    Please download Junkware Removal Tool to your desktop from here
    • Turn off your antivirus software now to avoid potential conflicts
    • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
    • The tool will open and start scanning your system
    • Please be patient as this can take a while to complete depending on your system's specifications
    • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
    • Post the contents of JRT.txt into your next reply

    Download OTL by Old Timer from here and save it to your Desktop.
    • Double click on OTL.exe to run it.
    • Click the Scan All Users checkbox.
    • Check the boxes beside LOP Check and Purity Check
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Please attach the contents of these 2 Notepad files in your next reply.

    If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
     
  3. jr70895

    Computer has been taken over by Sweetpacks, have been trying to get rid of it. After many attempts with some success the computer seems to be running fine except there is an entry in add/remove programs:
    Internet Explorer Toolbar 4.9 by Sweetpacks
    I have attached the requested files
    Thanks


     


  4. Fiery

    Hi,

    Open OTL. Under custom scan/fixes, copy and paste the following:

    Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

    Download Farbar Recovery Scan Tool from the below link:
    • For 32 bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a USB/flash drive.
    • Plug the flashdrive into the infected PC.
    • Transfer the file from your USB onto your Desktop and double-click it.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • FRST will let you know when the scan is complete and has written the FRST.txt to file, close the message.
    • Please copy and paste FRST.txt in your next reply
     
    Last edited by a moderator: Mar 13, 2014
  5. jr70895

    The OTL scan below, would not allow me to attach. 2 other scans attached.
    Thanks



    All processes killed
    ========== OTL ==========
    Service Zumie Search Service stopped successfully!
    Service Zumie Search Service deleted successfully!
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\furball\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\furball\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 3315765 bytes
    ->Temporary Internet Files folder emptied: 398298 bytes
    ->FireFox cache emptied: 3212855 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56504 bytes

    User: furball
    ->Temp folder emptied: 2130341 bytes
    ->Temporary Internet Files folder emptied: 5637827 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 11387608 bytes
    ->Flash cache emptied: 15509163 bytes

    User: Guest
    ->Temp folder emptied: 6856 bytes
    ->Temporary Internet Files folder emptied: 1510446 bytes
    ->Flash cache emptied: 470 bytes

    User: Jason
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 112245896 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33293 bytes
    ->FireFox cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 1028018 bytes
    ->Temporary Internet Files folder emptied: 65670 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 48724 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 511431538 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 680946028 bytes

    Total Files Cleaned = 1,287.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 07252013_042614

    Files\Folders moved on Reboot...
    C:\Documents and Settings\furball\Local Settings\Temp\JavaDeployReg.log moved successfully.
    C:\Documents and Settings\furball\Local Settings\Temporary Internet Files\Content.IE5\K17I47KX\Thread-Can-t-remove-Sweetpacks-toolbar-in-add-remove-programs[1].htm moved successfully.
    C:\Documents and Settings\furball\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...



     


    Last edited by a moderator: Mar 13, 2014
  6. jr70895


    Last edited by a moderator: Mar 13, 2014
  7. jr70895

    Sorry if this appears as a double post but having problems attaching the OTL.

    OTL posted here, 2 others attached
    still noted in add/remove programs
    Thanks


    Last edited by a moderator: Mar 13, 2014
  8. Fiery

    Download Malwarebytes Anti-Rootkit from here to your Desktop
    • Unzip the contents to a folder on your Desktop.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
    • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
    • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)

    Please download ComboFix from one of these locations:

    Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Link 2: http://www.infospyware.net/antimalware/combofix/
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
    • Double click on Combo-Fix & follow the prompts.

    When finished, ComboFix will produce a log.

    Note:
    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     
    Last edited by a moderator: Mar 13, 2014
  9. Fiery

    Download Malwarebytes Anti-Rootkit from here to your Desktop
    • Unzip the contents to a folder on your Desktop.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
    • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
    • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)

    Please download ComboFix from one of these locations:

    Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Link 2: http://www.infospyware.net/antimalware/combofix/

    * IMPORTANT !!! Save ComboFix to your Desktop as ComboFix.exe
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
    • Double click on Combo-Fix & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:
    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     
    Last edited by a moderator: Mar 13, 2014
  10. jr70895

    The Malware bytes anti root kit came back clean with no log.
    The Combo Fix is attached,

    Still listed in add/remove programs. Can't delete
     


  11. Fiery

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
