Mystery Toolbar: How to remove?

Mark Shannon

Screenwriter
Joined
May 27, 2002
Messages
1,991
One of the joys of sharing a computer with others (primarily a 14 year old who doesn't know the consequences of malware and spyware) is coming home every day and finding mysterious programs installed on the computer. Never ceasing to amaze, this was found on my computer today:



I have no idea how to remove it, and have tried running Ad-Aware several times to no avail. Can any of the Computer Savvy geniuses help me out?
 

Will_B

Senior HTF Member
Joined
Mar 6, 2001
Messages
4,730
I'm not sure if that's malware. But if it is...

Can you "roll back" your computer to a few days ago? (You can on XPs, but I don't know about other operating systems). If you can, do it at once. Don't even think of trying something else. Roll back now, now now!

I'd strongly suggest that because a lot of the current malware cannot be removed, no matter how hard one tries.

Once you've done so, stop using IE at once, and start using a less targeted browser such as Firefox. You won't want to remove IE, but hide it so your child doesn't launch it.

 

Mark Shannon

Screenwriter
Joined
May 27, 2002
Messages
1,991
Thanks Will for the help, but it doesn't seem to be working. I've never seemed to have much luck with System Restore, be it on Me or XP. Even after booting in safe mode and trying it, still no luck. It constantly gives me the message that no changes have been made.

I don't use IE as my primary browser, as I use Opera. Explorer is just too slow and clumsy.

Oh, and I'm 17. The 14 year old is my ignorant brother, not child.

I suppose I'll just have to search for a program that can find and destroy this annoying malware.
 

todbnla

Screenwriter
Joined
Oct 17, 1999
Messages
1,514
Location
39466
Real Name
Todd
Two useful tips if you have a teenager (I have 2 girls :angry: )

Download and install:

Ad-Aware: great for junk software.

HijackThis: great for spyware.

Both are freeware for personal use.

:emoji_thumbsup:
 

James T

Screenwriter
Joined
Aug 8, 1999
Messages
1,643
HijackThis works well, but you have to know what you're looking for, because deleting the wrong thing might be very bad.

If you don't know, you can post the log here and I'm sure someone will tell you what should be there and what shouldn't.

You may also want to search for a program called CWShredder
 

Robt_Moore

Stunt Coordinator
Joined
Feb 27, 2002
Messages
66
Mark

Go to your control panel, click on Add/Remove Programs, and check to see if the toolbar is there. If it is, remove it.

Otherwise, do a search for "Hijack This", download it, run it, and post the report here. People on this forum should be able to tell you what has caused the problem. (Most likely it is a Browser Helper"

Bob
 

Chris

Senior HTF Member
Joined
Jul 4, 1997
Messages
6,788
The guy behind CWShredder gave up a while back, though, so it hasn't been updated in a while. Someone else picked it up and released a new product based on the same idea, called AboutBuster (now at version 3.0).
 

Mark Shannon

Screenwriter
Joined
May 27, 2002
Messages
1,991

I've tried that already and failed to find anything that didn't look right. Thanks for the suggestion.

I'm going to post my log, as a couple of you have suggested, and see if someone can help point out what doesn't belong:

[rant]Logfile of HijackThis v1.98.2
Scan saved at 7:52:37 PM, on 27/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSSystem32svchost.exe
E:UTILIT~1VCOMSYSTEM~1MXTask.exe
E:UTILIT~1VCOMSYSTEM~1mxtask.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:WINDOWSSOUNDMAN.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:Program FilesLogitechiTouchiTouch.exe
E:Program FilesiTunesiTunesHelper.exe
C:WINDOWSSystem32LVCOMSX.EXE
C:Program FilesLogitechMouseWaresystemem_exec.exe
C:Program FilesiPodbiniPodService.exe
E:Program FilesLogitechVideoLogiTray.exe
E:Program FilesMessenger Plus! 3MsgPlus.exe
C:Program FilesJavaj2re1.4.2_04binjusched.exe
C:WINDOWSSystem32ctfmon.exe
c:progra~1intern~1iexplore.exe
C:Program FilesInternet Exploreriexplore.exe
E:Program FilesAceLogixFree Ram Optimizerfro.exe
E:Program FilesLogitechVideoFxSvr2.exe
C:Program FilesMSN Messengermsnmsgr.exe
E:Program FilesOperaopera.exe
C:WINDOWSSystem32wpabaln.exe
C:Documents and SettingsMarkDesktopHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://sympatico.msn.ca/
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.fpeglxzlbyfj.net/V61roJA8...ZrWh6IL2ZE.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - E:PROGRA~1POPUPP~1PopLib.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:PROGRA~1WARNSE~1startcurb.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O4 - HKLM..Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 - HKLM..Run: [zBrowser Launcher] C:Program FilesLogitechiTouchiTouch.exe
O4 - HKLM..Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..Run: [Fix-It AV] E:UTILIT~1VCOMSYSTEM~1MemCheck.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] E:Program FilesiTunesiTunesHelper.exe
O4 - HKLM..Run: [LVCOMSX] C:WINDOWSSystem32LVCOMSX.EXE
O4 - HKLM..Run: [LogitechVideoRepair] E:Program FilesLogitechVideoISStart.exe
O4 - HKLM..Run: [LogitechVideoTray] E:Program FilesLogitechVideoLogiTray.exe
O4 - HKLM..Run: [MessengerPlus3] "E:Program FilesMessenger Plus! 3MsgPlus.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavaj2re1.4.2_04binjusched.exe
O4 - HKLM..Run: [wipe meal audio hope] C:Documents and SettingsAll UsersApplication Datalive view wipe mealThird Load.exe
O4 - HKLM..Run: [file surf] C:PROGRA~1RULESU~1ScrPopBind.exe
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [LogitechSoftwareUpdate] "E:Program FilesLogitechVideoManifestEngine.exe" boot
O4 - HKCU..Run: [MessengerPlus3] "E:Program FilesMessenger Plus! 3MsgPlus.exe" /WinStart
O4 - HKCU..Run: [Free Ram Optimizer] E:Program FilesAceLogixFree Ram Optimizerfro.exe
O4 - HKCU..Run: [msnmsgr] "C:Program FilesMSN Messengermsnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:Program FilesLogitechDesktop Messenger8876480ProgramLDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = E:UtilitiesMicrosoft OfficeOfficeOSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - E:Program FilesPopupPopperSiteList.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE
O15 - Trusted Zone: http://www.hometheaterforum.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ab2292e6aa4d79
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095439771187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
[/rant]
 

Glenn Overholt

Senior HTF Member
Joined
Mar 24, 1999
Messages
4,201
I have to ask the really dumb question here. You've got a new homepage, and it can be changed with the Tools menu of IE. Click on internet options and home.

If that doesn't work, get IE reinstalled, and take a few minutes to teach your brother a few things, please?

Glenn
 

Mike Fassler

Supporting Actor
Joined
Jan 17, 2004
Messages
523
Limit access to IE altogether and keep using Opera or Mozilla. IE is the most bloated pos browser around, but your log file looks pretty clean. Update your WinXP to SP2 as well.
 

Marko Berg

Supporting Actor
Joined
Mar 22, 2002
Messages
856
I'm afraid I can't offer advice regarding the removal of this toolbar, but there are a few things you can do to prevent this from happening again (if you haven't already).

1. Set a separate user account for each individual user.
2. You should be the only administrator on the computer. Configure everybody else's account type as "Restricted". Restricted users aren't allowed to install programs. If it's necessary for someone else to install programs, configure that user's account type as Power User.
3. Set passwords for each account.
4. Configure the visitor account for casual users (teens' friends etc.) Any changes they make to the system (they aren't allowed to make many changes in the first place) will not survive a logout or a reboot.
5. Turn off the quick user change feature that does not force a user to log off and close programs the user is running.
 

James T

Screenwriter
Joined
Aug 8, 1999
Messages
1,643
That is a pretty big log. I'm surprised a toolbar is your only problem.


That doesn't look familiar to me, and the thing that pops up (no pun intended) is the word popup in there. Is it a popup stopper?

And Marko's idea is great, but you'll need Windows 200x or XP Pro to do that.
 

Robt_Moore

Stunt Coordinator
Joined
Feb 27, 2002
Messages
66
Mark:

What are these things:

C:WINDOWSSystem32LVCOMSX.EXE
C:WINDOWSSystem32wpabaln.exe

Hijackers like to hide in windowssystem32.

Also, do you need this:

O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:PROGRA~1WARNSE~1startcurb.exe

BHO is browser helper object--these are toolbars (and other things), and I don't recognize this one.

And you may want to check out what these are:

O4 - HKLM..Run: [LVCOMSX] C:WINDOWSSystem32LVCOMSX.EXE
O4 - HKLM..Run: [file surf] C:PROGRA~1RULESU~1ScrPopBind.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - E:Program FilesPopupPopperSiteList.exe

These are the suspicious looking items.

Hope that helps.

Bob
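The kind of line-by-line review done in the post above can be scripted as a first pass. This is an added example, not part of the original thread: it parses HijackThis entry lines and lists the ones worth looking up before anything is removed. The flag rules in `review_flags` are assumptions chosen for illustration, and the sample lines are copied from the log on this page as it appears here.

```python
import re

# Lines copied from the HijackThis log posted in this thread, exactly as the
# page shows them (its copy of the log has lost the path separators).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:PROGRA~1WARNSE~1startcurb.exe
O4 - HKLM..Run: [file surf] C:PROGRA~1RULESU~1ScrPopBind.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ab2292e6aa4d79
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095439771187
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, rest of line
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Parse entry lines; header and process-list lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID.search(body)
        if code == "O4":                       # O4: [name] command line
            target = body.split("] ", 1)[-1]
        else:                                  # O2/O9/O16: last " - " field
            target = body.rsplit(" - ", 1)[-1]
        entries.append({"code": code, "body": body, "target": target,
                        "clsid": clsid.group(0) if clsid else None})
    return entries

def review_flags(e):
    """Assumed heuristics: prompts to look an entry up, not removal verdicts."""
    flags = []
    if "(no name)" in e["body"]:
        flags.append("unnamed")
    if e["target"] == "(no file)":
        flags.append("no file listed")
    if e["code"] == "O2" and not e["target"].lower().endswith(".dll"):
        flags.append("BHO target is not a DLL")  # BHOs load in-process
    if e["code"] == "O16" and "(" not in e["body"]:
        flags.append("ActiveX download without a class name")
    return flags

def triage(log):
    """Return (code, clsid, target, flags) for every entry with a flag."""
    return [(e["code"], e["clsid"], e["target"], review_flags(e))
            for e in parse(log) if review_flags(e)]
```

A flagged entry can still be legitimate, so each hit is something to identify first, which matches the caution earlier in the thread about deleting the wrong thing.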
 

Mark Shannon

Screenwriter
Joined
May 27, 2002
Messages
1,991
Thanks Bob. The first, LVCOMSX.EXE is actually required by Logitech webcams to connect to programs such as netmeeting, etc. As such, I can't very well delete that.


As for
C:WINDOWSSystem32wpabaln.exe
and
O4 - HKLM..Run: [file surf] C:PROGRA~1RULESU~1ScrPopBind.exe

I couldn't find any information regarding these.

The others that you mentioned I know are supposed to be there. The Sun Java Console one is what is installed when you install the Opera browser with Java support. Also the PopupPopper control panel is a program I willingly installed prior to this problem which I wanted to get rid of useless popups from websites.

Thanks for the help though Bob.

I took the advice of someone who posted here earlier, and downloaded the AboutBuster software, followed the instructions, and the problem seems to have disappeared. On my profile at least. I still need to log onto each user's profile in order to run this program, but now that I know it works, it won't be a problem.

Thanks to everyone for your help, and especially to Chris for suggesting AboutBuster.
 

Wayne Bundrick

Senior HTF Member
Joined
May 17, 1999
Messages
2,358
WPABALN is the balloon reminder for Windows Product Authentication. It shouldn't be running unless you've just installed Windows XP and haven't authenticated it yet.
 

Mark Shannon

Screenwriter
Joined
May 27, 2002
Messages
1,991
Heh, that's exactly it Wayne. I just installed it a couple weeks ago and haven't got around to authenticating it yet. Thanks for noticing though.
 
