Mystery Toolbar: How to remove?

Discussion in 'Computers' started by Mark Shannon, Sep 27, 2004.

  1. Mark Shannon

    Mark Shannon Screenwriter

    Joined:
    May 27, 2002
    Messages:
    1,991
    Likes Received:
    0
    One of the joys of sharing a computer with others (primarily a 14 year old who doesn't know the consequences of malware and spyware) is coming home every day and finding mysterious programs installed on the computer. Never ceasing to amaze, this was found on my computer today:

    I have no idea how to remove it, and have tried running Ad-Aware several times to no avail. Can any of the Computer Savvy geniuses help me out?
     
  2. Will_B

    Will_B Producer

    Joined:
    Mar 6, 2001
    Messages:
    4,733
    Likes Received:
    1
    I'm not sure if that's malware. But if it is...

    Can you "roll back" your computer to a few days ago? (You can on XPs, but I don't know about other operating systems). If you can, do it at once. Don't even think of trying something else. Roll back now, now now!

    I'd strongly suggest that because a lot of the current malware cannot be removed, no matter how hard one tries.

    Once you've done so, stop using IE at once, and start using a less targeted browser such as Firefox. You won't want to remove IE, but hide it so your child doesn't launch it.

     
  3. Mark Shannon

    Mark Shannon Screenwriter

    Thanks Will for the help, but it doesn't seem to be working. I've never seemed to have much luck with System Restore, be it on Me or XP. Even after booting in safe mode and trying it, still no luck. It constantly gives me the message that no changes have been made.

    I don't use IE as my primary browser, as I use Opera. Explorer is just too slow and clumsy.

    Oh, and I'm 17. The 14 year old is my ignorant brother, not child.

    I suppose I'll just have to search for a program that can find and destroy this annoying malware.
     
  4. todbnla

    todbnla Screenwriter

    Joined:
    Oct 17, 1999
    Messages:
    1,521
    Likes Received:
    0
    Location:
    39466
    Real Name:
    Todd
    Two useful tips if you have a teenager (I have 2 girls)

    Download and install:

    Ad-aware-great for junk software..

    Hi-Jack this-great for spyware..

    Both are freeware for personal use.

     
  5. Will_B

    Will_B Producer

    What search engine does that toolbar engage?
     
  6. James T

    James T Screenwriter

    Joined:
    Aug 8, 1999
    Messages:
    1,643
    Likes Received:
    0
    Hi-jack this works well, but you have to know what you're looking for, because deleting the wrong thing might be very bad.

    If you don't know, you can post the log here and I'm sure someone will tell you what should be there and what shouldn't.

    You may also want to search for a program called CWShredder
     
  7. Mike Fassler

    Mike Fassler Supporting Actor

    Joined:
    Jan 17, 2004
    Messages:
    523
    Likes Received:
    0
    Get Ad-Aware, SpyHunter and CWShredder and you're good to go
     
  8. Robt_Moore

    Robt_Moore Stunt Coordinator

    Joined:
    Feb 27, 2002
    Messages:
    66
    Likes Received:
    0
    Mark

    Go to your Control Panel, click on Add/Remove Programs, and check to see if the toolbar is there. If it is, remove it.

    Otherwise, do a search for "Hijack This", download it, run it, and post the report here. People on this forum should be able to tell you what has caused the problem. (Most likely it is a Browser Helper"

    Bob
     
  9. Chris

    Chris Lead Actor

    Joined:
    Jul 4, 1997
    Messages:
    6,790
    Likes Received:
    0
    The guy behind CWShredder gave up a while back, though, so it hasn't been updated in a while. Someone else picked it up and released a new product based on same idea, called AboutBuster (now at version 3.0)
     
  10. Mark Shannon

    Mark Shannon Screenwriter

    I've tried that already and failed to find anything that didn't look right. Thanks for the suggestion.

    I'm going to post my log, as a couple of you have suggested, and see if someone can help point out what doesn't belong:

    [rant]Logfile of HijackThis v1.98.2
    Scan saved at 7:52:37 PM, on 27/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    E:\UTILIT~1\VCOM\SYSTEM~1\MXTask.exe
    E:\UTILIT~1\VCOM\SYSTEM~1\mxtask.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Logitech\Video\LogiTray.exe
    E:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
    E:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Program Files\Opera\opera.exe
    C:\WINDOWS\System32\wpabaln.exe
    C:\Documents and Settings\Mark\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fpeglxzlbyfj.net/V61roJA8...ZrWh6IL2ZE.cgi
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - E:\PROGRA~1\POPUPP~1\PopLib.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:\PROGRA~1\WARNSE~1\startcurb.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Fix-It AV] E:\UTILIT~1\VCOM\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [wipe meal audio hope] C:\Documents and Settings\All Users\Application Data\live view wipe meal\Third Load.exe
    O4 - HKLM\..\Run: [file surf] C:\PROGRA~1\RULESU~1\ScrPopBind.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Free Ram Optimizer] E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Utilities\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - E:\Program Files\PopupPopper\SiteList.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://www.hometheaterforum.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ab2292e6aa4d79
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095439771187
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
    [/rant]
     
  11. todbnla

    todbnla Screenwriter

  12. Glenn Overholt

    Glenn Overholt Producer

    Joined:
    Mar 24, 1999
    Messages:
    4,207
    Likes Received:
    0
    I have to ask the really dumb question here. You've got a new homepage, and it can be changed with the Tools menu of IE. Click on internet options and home.

    If that doesn't work, get IE reinstalled, and take a few minutes to teach your brother a few things, please?

    Glenn
     
  13. Mike Fassler

    Mike Fassler Supporting Actor

    Limit access to IE altogether and keep using Opera or Mozilla. IE is the most bloated pos browser around, but your log file looks pretty clean. Update your WinXP to SP2 as well.
     
  14. Marko Berg

    Marko Berg Supporting Actor

    Joined:
    Mar 22, 2002
    Messages:
    857
    Likes Received:
    0
    I'm afraid I can't offer advice regarding the removal of this toolbar, but there are a few things you can do to prevent this from happening again (if you haven't already).

    1. Set a separate user account for each individual user.
    2. You should be the only administrator on the computer. Configure everybody else's account type as "Restricted". Restricted users aren't allowed to install programs. If it's necessary for someone else to install programs, configure that user's account type as Power User.
    3. Set passwords for each account.
    4. Configure the visitor account for casual users (teens' friends etc.) Any changes they make to the system (they aren't allowed to make many changes in the first place) will not survive a logout or a reboot.
    5. Turn off the quick user change feature that does not force a user to log off and close programs the user is running.
     
  15. James T

    James T Screenwriter

    That is a pretty big log. I'm surprised a toolbar is your only problem.


    That doesn't look familiar to me and the thing that pops up (no pun intended) is the word popup in there. Is it a popup stopper?

    And Marko's idea is great, but you'll need Windows 200x or XP Pro to do that.
     
  16. Mark Shannon

    Mark Shannon Screenwriter

    Well, I know there's a couple things there, such as:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fpeglxzlbyfj.net/V61roJA...eZrWh6IL2ZE.cgi

    which shouldn't be there.

    James, that line you pointed out is for a popup blocker I installed before I encountered this problem.
     
  17. Robt_Moore

    Robt_Moore Stunt Coordinator

    Mark:

    What are these things:

    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\WINDOWS\System32\wpabaln.exe

    Hijackers like to hide in windows\system32.

    Also, do you need this:

    O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:\PROGRA~1\WARNSE~1\startcurb.exe

    BHO is browser helper object--these are toolbars (and other things), and I don't recognize this one.

    And you may want to check out what these are:

    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [file surf] C:\PROGRA~1\RULESU~1\ScrPopBind.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - E:\Program Files\PopupPopper\SiteList.exe

    These are the suspicious looking items.

    Hope that helps.

    Bob
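
The line-by-line review done in the posts above can be partly automated. This is an added example (not part of the thread and not HijackThis's own code) that parses the log format and lists entries worth researching; the sample lines are copied from the log posted above, and the three rules and the `known_hosts` allowlist are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Sample input: a few entry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fpeglxzlbyfj.net/V61roJA8...ZrWh6IL2ZE.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:\PROGRA~1\WARNSE~1\startcurb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [file surf] C:\PROGRA~1\RULESU~1\ScrPopBind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

# An entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log_text):
    """Yield (section_code, body) per entry; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text, known_hosts):
    """Return (code, reason) pairs for entries a reviewer should look up.
    known_hosts is a hypothetical allowlist of domains the owner recognises."""
    findings = []
    for code, body in parse(log_text):
        # Rule 1: IE start/search page redirected to a host nobody recognises.
        if code in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in known_hosts):
                findings.append((code, "IE page/search URL on unrecognised host " + host))
        # Rule 2: Browser Helper Object registered without a name.
        if code == "O2" and "(no name)" in body:
            findings.append((code, "unnamed BHO: " + body.rsplit(" - ", 1)[-1]))
        # Rule 3: registry entry whose target file is missing.
        if body.endswith("(no file)"):
            findings.append((code, "entry points at a missing file"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG, {"msn.ca"}):
        print(code, "-", reason)
```

Flagged entries are candidates for research, not verdicts: in this thread the `(no file)` Java Console entries turned out to be expected, and the full log also contains an unnamed BHO that belongs to Spybot.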
     
  18. Mark Shannon

    Mark Shannon Screenwriter

    Thanks Bob. The first, LVCOMSX.EXE is actually required by Logitech webcams to connect to programs such as netmeeting, etc. As such, I can't very well delete that.


    As for
    C:\WINDOWS\System32\wpabaln.exe
    and
    O4 - HKLM\..\Run: [file surf] C:\PROGRA~1\RULESU~1\ScrPopBind.exe

    I couldn't find any information regarding these.

    The others that you mentioned I know are supposed to be there. The Sun Java Console one is what is installed when you install the Opera browser with Java support. Also the PopupPopper control panel is a program I willingly installed prior to this problem which I wanted to get rid of useless popups from websites.

    Thanks for the help though Bob.

    I took the advice of someone who posted here earlier, and downloaded the AboutBuster software, followed the instructions, and the problem seems to have disappeared. On my profile at least. I still need to log onto each user's profile in order to run this program, but now that I know it works, it won't be a problem.

    Thanks to everyone for your help, and especially to Chris for suggesting AboutBuster.
     
  19. Wayne Bundrick

    Wayne Bundrick Cinematographer

    Joined:
    May 17, 1999
    Messages:
    2,358
    Likes Received:
    0
    WPABALN is the balloon reminder for Windows Product Authentication. It shouldn't be running unless you've just installed Windows XP and haven't authenticated it yet.
     
  20. Mark Shannon

    Mark Shannon Screenwriter

    Heh, that's exactly it Wayne. I just installed it a couple weeks ago and haven't got around to authenticating it yet. Thanks for noticing though.
     
