
Something strange Listed in Tool Bars

Discussion in 'Windows XP' started by Krissa88b, Sep 18, 2003.

Thread Status:
Not open for further replies.
  1. Krissa88b (Thread Starter, joined Jun 9, 2003, 69 messages)

    Hi...I am on Windows XP. When I right click in the right corner of the taskbar and then click on Toolbars, I see I have Quick Launch checked and there's something else there that is also checked. It's L2M. I have no idea what this is, but when I click to uncheck it, I get the error message that says Windows has encountered a problem and will shut down. Then I lose everything right back to the desktop. Does anyone know what this is or what the problem might be? How do I get rid of an unwanted item in the toolbar list? Thanks!
     
  2. Topkat (joined Aug 10, 2003, 401 messages)

    Oh Oh!!! :(
    If it's the same toolbar as these people were discussing then you may be in for a bit of a nightmare trying to uninstall it. Read their attempts,
    http://forums.spywareinfo.com/index.php?showtopic=10786

    Could you go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. Krissa88b (Thread Starter, joined Jun 9, 2003, 69 messages)

    Yup! That's the one! I did have Grokster some time ago, but it got so bad I uninstalled it. I don't know when this L2M showed up. I used to be on Windows 98, had the same programs and visited the same sites and never had the problems I'm having with XP and spyware installing itself on here. I NEVER had popups and didn't have any kind of popup stopper program.
    Here's my Hijack This! log. Thanks.

    Logfile of HijackThis v1.96.2
    Scan saved at 11:31:38 AM, on 9/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\LIUtilities\WinTasks\wintasks.exe
    C:\Program Files\SpyStopper\spystopper.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\HomeKeyLogger\KeyLogger.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {154C4D3B-4F2E-43A1-8AB4-32F8F0C7C6CA} - C:\WINNT\System32\cerxtcli.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] "GWMDMMSG.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar
    O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - ftp://download2.us4.outblaze.com/download/mail.com/emailalert/mail_mcea115.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C3665F08-0C10-488D-BE42-F3FB2848039B} (PagooOneClickInstallActiveXControl Control) - http://www.pagoo.com/PagooOneClickInstallActiveXControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
    O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
     
  4. Topkat (joined Aug 10, 2003, 401 messages)

    In your processes I see: C:\WINNT\System32\wuauclt.exe. It should be in the Windows folder, not the system folder. This is added as a result of Troj/Cult-B.
    See the link for info on this and how to remove it:

    http://www.sophos.com/virusinfo/analyses/trojcultb.html


    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    O2 - BHO: (no name) - {154C4D3B-4F2E-43A1-8AB4-32F8F0C7C6CA} - C:\WINNT\System32\cerxtcli.dll
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
    O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11

    Then reboot in safe mode (press F8 repeatedly during start-up) and delete the following:

    C:\WINNT\System32\cerxtcli.dll
    C:\Program Files\HomeKeyLogger\KeyLogger.exe (delete entire homekeylogger directory)


    Check this thread and install each program it recommends to prevent spyware on your machine.

    And finally, are you just using the firewall that comes with XP? If so, then I highly recommend you install a free firewall from Sygate or ZoneAlarm.

    Hopefully that should do the trick. If there are any further problems, let us know.

    :D
     
  5. Krissa88b (Thread Starter, joined Jun 9, 2003, 69 messages)

    OK, thanks.....will do! One question though, I have homekeylogger on here intentionally. I've been using it for a couple of years now. There have been times when I'm writing in Yahoo email and get timed out or booted back to the desktop and lose everything. With the key logger I can just go and recover what I had written. I'm the only one on this computer so I don't worry too much about covering tracks. Is there a specific reason why I should get rid of that? Thanks again.
     
  6. Topkat (joined Aug 10, 2003, 401 messages)

    If you're the one that put it there, then ignore this entry:
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe
    and leave HomeKeyLogger where it is.
     
  7. Flrman1 (joined Jul 26, 2002, 46,329 messages)

    These look like they are legitimate DNS's.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
    O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11

    according to this:

    Search results for: 216.238.0.10

    OrgName: Caravela Software
    OrgID: CASO
    Address: 8 Way Road
    City: Middlefield
    StateProv: CT
    PostalCode: 06455
    Country: US

    NetRange: 216.238.0.0 - 216.238.255.255
    CIDR: 216.238.0.0/16
    NetName: THEBIZ
    NetHandle: NET-216-238-0-0-1
    Parent: NET-216-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.THEBIZ.NET
    NameServer: NS2.THEBIZ.NET
    Comment:
    RegDate: 1999-09-08
    Updated: 2001-01-17

    TechHandle: ZB54-ARIN
    TechName: BiznessOnline.com
    TechPhone: +1-518-452-5772
    TechEmail: [email protected]

    http://ws.arin.net/cgi-bin/whois.pl

    Krissa88b

    If the above is provided by your ISP, leave the O17 entries.
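
The triage done by hand in this thread (unnamed BHOs, Run-key autostarts, and O17 name servers to check against whois), as an added example that is not part of the original thread or of HijackThis: a small Python parser run over a few lines taken from the log posted above. The function names and the choice of sections to surface are assumptions for illustration; it only lists items for a person to review and does not decide what is malicious.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {154C4D3B-4F2E-43A1-8AB4-32F8F0C7C6CA} - C:\WINNT\System32\cerxtcli.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")           # "O2 - <rest>"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")    # hive, value name, command
NAMESERVER = re.compile(r"NameServer = (.+)$")


def parse(log):
    """Group HijackThis entries by their section code (R1, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2).strip())
    return sections


def review_items(log):
    """Collect the entry types the helpers in this thread looked at by hand."""
    sections = parse(log)
    bhos = [m.groups() for m in map(BHO.match, sections["O2"]) if m]
    autoruns = [m.groups() for m in map(RUN.match, sections["O4"]) if m]
    ips = set()
    for entry in sections["O17"]:
        m = NAMESERVER.search(entry)
        if m:
            ips.update(m.group(1).split())
    return {
        # BHOs that register no display name: (CLSID, DLL path)
        "unnamed_bho": [(clsid, path) for name, clsid, path in bhos
                        if name == "(no name)"],
        "autoruns": autoruns,
        # De-duplicated across control sets, ready for a whois lookup
        "nameservers": sorted(ips),
    }
```

Both unnamed BHOs come back, including the Norton AntiVirus one, so the DLL path still has to be judged by a person, as was done in the replies above.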
     

Short URL to this thread: https://techguy.org/165600
