Mystery Toolbar: How to remove?

Mark Shannon · 09-27-2004, 04:33 PM

One of hte joys of sharing a computer with others (primarily a 14 year old who doesn't know the consequences of malware and spyware) is coming home every day and finding mysterious programs installed on the computer. Never ceasing to amaze, this was found on my computer today:

I have no idea how to remove it, and have tried running Ad-Aware several times to no avail. Can any of the Computer Savvy geniouses help me out?

Will_B · 09-27-2004, 06:07 PM

I'm not sure if that's malware. But if it is...

Can you "roll back" your computer to a few days ago? (You can on XPs, but I don't know about other operating systems). If you can, do it at once. Don't even think of trying something else. Roll back now, now now!

I'd strongly suggest that because a lot of the current malware cannot be removed, no matter how hard one tries.

Once you've done so, stop using IE at once, and start using a less targeted browser such as Firefox. You won't want to remove IE, but hide it so your child doesn't launch it.

Quote:

XP: Use System Restore

After you've decided to use System Restore to revert your system to a previous state, start the System Restore Wizard and follow the prompts. To use the System Restore Wizard, make sure you're logged on as an administrator, and then follow these steps:

1.

Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.

2.

On the Welcome screen, click Restore my computer to an earlier time, and then click Next.

3.

On the Select a Restore Point page, select the date from the calendar that shows the point you'd like to restore to, as shown in Figure 2, and then click Next.

Figure 2

4.

On the Confirm Restore Point Selection page, verify that the correct restore point is chosen, and then close any open programs.

5.

Click Next if you are ready to proceed or click Back to change the restore point.

6.

The computer will shut down automatically and reboot. On reboot, you'll see the Restoration Complete page, and then click OK.

After reviewing the stability of your system, you can choose another restore point or undo this restoration. Just open System Restore and make the appropriate choice. After you use System Restore, you'll have an additional task, Undo my last restoration, on the System Restore Welcome page. Remember that you'll have to reinstall any programs that were installed after the restore point.

If System Restore doesn't work in Normal Mode, it might work in Safe Mode. To use System Restore in Safe Mode, press the F8 key during reboot and choose Safe Mode. When your computer starts in either Safe Mode or Normal Mode, System Restore can be used to capture a working previous state. System Restore can't be opened unless the system is bootable into one of these modes.

Mark Shannon · 09-27-2004, 07:18 PM

Thanks Will for the help, but it doesn't seem to be working.I've never seemed to have much luck with System Restore, be it on Me or XP. Even after booting in safe mode and trying it, still no luck. It constantly gives me the message that no changes have been made.

I don't use IE as my primary browser, as I use Opera. Explorer is just too slow and clumsy.

Oh, and I'm 17. The 14 year old is my ignorant brother, not child.

I suppose I'll just have to search for a program that can find and destroy this annoying malware.

todbnla · 09-27-2004, 07:19 PM

Two usefull tips if you have a teenager (I have 2 girls

)

Download and install:

Ad-aware-great for junk software..

Hi-Jack this-great for spyware..

Both are freeware for personal use.

Will_B · 09-27-2004, 08:18 PM

What search engine does that toolbar engage?

**HTF Ads**

James T · 09-27-2004, 09:04 PM

Hi-jack this works well, but you have to know what you're looking for, because deleting the wrong thing might be very bad.

If you don't know, you can post the log here and I'm sure someone will tell you what should be there and what shouldn't.

You may also want to search for a program called CWShredder

Mike Fassler · 09-27-2004, 09:13 PM

get ad aware, spyhunter and cwshredder and your good to go

Robt_Moore · 09-27-2004, 09:33 PM

Mark

Go to your control panel, click on ad/remove programs, and check to see if the tool bar is there. If it is, remove it.

Otherwise, do a search for "Hijack This", download it, run it, and post the report here. People on this forum should be able to tell you what has caused the problem. (Most likely it is a Browser Helper"

Bob

Chris · 09-27-2004, 09:59 PM

The guy behind CWShredder gave up a while back, though, so it hasn't been updated in a while. Someone else picked it up and released a new product based on same idea, called AboutBuster (now at version 3.0)

Mark Shannon · 09-27-2004, 10:59 PM

Quote:

What search engine does that toolbar engage?

http://lop.com/search/search.cgi?s=H...heater%20Forum

Quote:

Go to your control panel, click on ad/remove programs, and check to see if the tool bar is there. If it is, remove it.

I've tried that already and failed to find anything that didn't look right. Thanks for the suggestion.

I'm going to post my log, as a couple of you have suggested, and see if someone can help point out what doesn't belong:

[rant]Logfile of HijackThis v1.98.2
Scan saved at 7:52:37 PM, on 27/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
E:\UTILIT~1\VCOM\SYSTEM~1\MXTask.exe
E:\UTILIT~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Logitech\Video\LogiTray.exe
E:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Opera\opera.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fpeglxzlbyfj.net/V61roJA8...ZrWh6IL2ZE.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - E:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {95BD3FA8-9AC5-7C4D-70F4-F4291BB5EBFA} - C:\PROGRA~1\WARNSE~1\startcurb.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Fix-It AV] E:\UTILIT~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [wipe meal audio hope] C:\Documents and Settings\All Users\Application Data\live view wipe meal\Third Load.exe
O4 - HKLM\..\Run: [file surf] C:\PROGRA~1\RULESU~1\ScrPopBind.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Free Ram Optimizer] E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Utilities\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - E:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.hometheaterforum.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ab2292e6aa4d79
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095439771187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
[/rant]