Something strange Listed in Tool Bars

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Krissa88b

Thread Starter
Joined
Jun 9, 2003
Messages
69
Hi...I am on Windows XP. When I right click in the right corner of the taskbar and then click on Toolbars, I see I have Quick Launch checked and there's something else there that is also checked. It's L2M. I have no idea what this is, but when I click to uncheck it, I get the error message that says Windows has encountered a problem and will shut down. Then I lose everything right back to the desktop. Does anyone know what this is or what the problem might be? How do I get rid of an unwanted item in the toolbar list? Thanks!
 
Joined
Aug 10, 2003
Messages
401
Oh Oh!!! :(
If it's the same toolbar as these people were discussing then you may be in for a bit of a nightmare trying to uninstall it. Read their attempts,
http://forums.spywareinfo.com/index.php?showtopic=10786

Could you go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

Krissa88b

Thread Starter
Joined
Jun 9, 2003
Messages
69
Yup! That's the one! I did have Grokster sometime ago, but it got so bad I uninstalled it. I don't know when this L2M showed up. I used to be on Windows 98, had the same programs and visited the same sites and never had the problems I'm having with XP and spyware installing itself on here. I NEVER had popups and didn't have any kind of popup stopper program.
Here's my Hijack This! log. Thanks.

Logfile of HijackThis v1.96.2
Scan saved at 11:31:38 AM, on 9/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\Program Files\SpyStopper\spystopper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HomeKeyLogger\KeyLogger.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {154C4D3B-4F2E-43A1-8AB4-32F8F0C7C6CA} - C:\WINNT\System32\cerxtcli.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] "GWMDMMSG.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - ftp://download2.us4.outblaze.com/download/mail.com/emailalert/mail_mcea115.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3665F08-0C10-488D-BE42-F3FB2848039B} (PagooOneClickInstallActiveXControl Control) - http://www.pagoo.com/PagooOneClickInstallActiveXControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
 
Joined
Aug 10, 2003
Messages
401
In your processes I see: C:\WINNT\System32\wuauclt.exe. It should be in the Windows folder, not the system folder. This is added as a result of Troj/Cult-B.
See link for info on this and how to remove

http://www.sophos.com/virusinfo/analyses/trojcultb.html


Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.compuserve.com/gatewaynet/menu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

O2 - BHO: (no name) - {154C4D3B-4F2E-43A1-8AB4-32F8F0C7C6CA} - C:\WINNT\System32\cerxtcli.dll
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11

Then reboot in safe mode (press F8 repeatedly during start-up) and delete the following :

C:\WINNT\System32\cerxtcli.dll
C:\Program Files\HomeKeyLogger\KeyLogger.exe (delete entire homekeylogger directory)


Check this thread, install each program it recommends to prevent spyware on your machine

And finally, are you just using the firewall that comes with XP? If so then I highly recommend you install a free firewall from Sygate or ZoneAlarm

Hopefully that should do the trick. If there's any further problems let us know.

:D
 

Krissa88b

Thread Starter
Joined
Jun 9, 2003
Messages
69
OK, thanks.....will do! One question though, I have homekeylogger on here intentionally. I've been using it for a couple of years now. There have been times when I'm writing in Yahoo email and get timed out or booted back to the desk top and lose everything. With the key logger I can just go and recover what I had written. I'm the only one on this computer so I don't worry too much about covering tracks. Is there a specific reason why I should get rid of that? Thanks again.
 
Joined
Aug 10, 2003
Messages
401
If you're the one that put it there then ignore this entry:
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe
and leave Homelogger where it is.
 
Joined
Jul 26, 2002
Messages
46,331
These look like they are legitimate DNS's.

O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11

according to this:

Search results for: 216.238.0.10

OrgName: Caravela Software
OrgID: CASO
Address: 8 Way Road
City: Middlefield
StateProv: CT
PostalCode: 06455
Country: US

NetRange: 216.238.0.0 - 216.238.255.255
CIDR: 216.238.0.0/16
NetName: THEBIZ
NetHandle: NET-216-238-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEBIZ.NET
NameServer: NS2.THEBIZ.NET
Comment:
RegDate: 1999-09-08
Updated: 2001-01-17

TechHandle: ZB54-ARIN
TechName: BiznessOnline.com
TechPhone: +1-518-452-5772
TechEmail: [email protected]

http://ws.arin.net/cgi-bin/whois.pl

Krissa88b

If the above is provided by your ISP, leave the O17 entries.
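The check made in the last reply (do the O17 NameServer addresses fall inside the netblock the whois lookup returned?), written out as an added example that is not part of the original thread. The function names are hypothetical; the sample lines are copied from the log and the whois output posted above.

```python
import ipaddress
import re
from collections import defaultdict

# Entry lines copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeyLogger\KeyLogger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{16546A62-5D88-4048-AB35-F8A0EDE520DE}: NameServer = 216.238.0.10 216.238.0.11
"""
# Fields copied from the whois output quoted in this thread.
SAMPLE_WHOIS = "NetRange: 216.238.0.0 - 216.238.255.255\nCIDR: 216.238.0.0/16\nNetName: THEBIZ\n"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # "O17 - <entry body>"

def parse_entries(log_text):
    """Group HijackThis entry lines by section code (R0, R1, O2, O4, O17, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def o17_nameservers(sections):
    """Return the distinct NameServer addresses listed in O17 entries, in order."""
    found = []
    for body in sections.get("O17", []):
        m = re.search(r"NameServer = (.+)$", body)
        for token in re.split(r"[,\s]+", m.group(1).strip()) if m else []:
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # not an IP address: skip it rather than guess
            if ip not in found:
                found.append(ip)
    return found

def whois_networks(whois_text):
    """Collect the netblocks from the 'CIDR:' lines of ARIN-style whois output."""
    cidrs = re.findall(r"^CIDR:\s*(.+)$", whois_text, re.M)
    return [ipaddress.ip_network(c.strip()) for v in cidrs for c in v.split(",")]

def check_nameservers(log_text, whois_text):
    """Map each O17 nameserver to True when it lies inside a whois netblock."""
    nets = whois_networks(whois_text)
    return {str(ip): any(ip in net for net in nets)
            for ip in o17_nameservers(parse_entries(log_text))}

if __name__ == "__main__":
    print(check_nameservers(SAMPLE_LOG, SAMPLE_WHOIS))
```

A `True` result only says which registered netblock the addresses belong to; whether that organization is actually the user's ISP is the question the reply leaves to the user.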
 