What is this toolbar?
Medlock
Miramar, Florida Member
OKAY! ONE LAST TIME!!! Freaking IE just locked up for the second time after typing all this up for the second time, after uploading the image below... Here we go... AGAIN! (This came only AFTER this toolbar, btw)
...I'll abbreviate it this time...
Okay, I got this toolbar. How the heck do I get rid of it, and what the heck is it? I ran Ad-Aware and Spybot, removing some things they deemed suspicious, to no avail.
I'm usually on top of these things, but I slipped up ONE TIME and here I am asking for help. (A first for me, for this kind of problem, I'm quite happy to say.) I'm pretty sure this came with an add on for MSN messenger. Umm... what else...
Should I go and grab HJT? How does that program work, and if I do need it, what options should I look at once it is installed?
Thanks for any help. I'm using Windows XP Pro if that helps.
EDIT: Oh yeah. This toolbar came with a home page hijacking. I think it was mywebsearch or something like that. That was fixed after running Spybot, and now it's back to yahoo.com as it should be. Also, in the menu that came up after right clicking, in the picture, the one labeled "poke sect" is the one that refers to the toolbar. I can make it disappear, but it just comes back after restarting IE.
-Rick
Comments
At a guess, could this toolbar be prankware???
Trev
Logfile of HijackThis v1.97.7
Scan saved at 9:21:34 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\I Hate This Key\ihtk.exe
C:\Program Files\TrayIt!\trayit!.exe
C:\PROGRA~1\Compaq\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Folding@Home\FAH4Console.exe
C:\Program Files\F@H2\FAH4Console.exe
C:\Documents and Settings\Ricky\Desktop\EMIII\EMIII.exe
C:\Program Files\F@H2\FahCore_78.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Ricky\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F211D9D9-D720-7FDC-F61E-F1C8C10A863E} - C:\PROGRA~1\WIPEMA~1\Mfcd Aim.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: poke sect - {DEA1B4FE-2386-067F-10C0-3387F80B8FFB} - C:\PROGRA~1\WIPEMA~1\Mfcd Aim.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [IHateThisKey] C:\Program Files\I Hate This Key\ihtk.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: FAH4ConsoleOne.lnk = C:\Program Files\Folding@Home\FAH4Console.exe
O4 - Startup: FAH4ConsoleTwo.lnk = C:\Program Files\F@H2\FAH4Console.exe
O4 - Startup: trayit!.lnk = C:\Program Files\TrayIt!\trayit!.exe
O4 - Startup: EMIII.lnk = C:\Documents and Settings\Ricky\Desktop\EMIII\EMIII.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.7514583333
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
Thanks again!
Edit: Yup, that was it. It seems to be gone. Thanks all, I'll keep this program. Handy dandy! Is there anything else in the log that should not be there?
Yep, these programs are *EXTREMELY* dangerous:
O4 - Startup: FAH4ConsoleTwo.lnk = C:\Program Files\F@H2\FAH4Console.exe
O4 - Startup: EMIII.lnk = C:\Documents and Settings\Ricky\Desktop\EMIII\EMIII.exe
...If you guys don't mind, is there anything suspicious in my HJT log that would make this keep happening? Or is it some website I'm visiting? I think it may be yahoo, so I'll stay away from there for now, but I have a yahoo e-mail account and I need to check it sometime...
Logfile of HijackThis v1.97.7
Scan saved at 12:59:37 PM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\I Hate This Key\ihtk.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\TrayIt!\trayit!.exe
C:\PROGRA~1\Compaq\EASYAC~1\EAUSBKBD.EXE
C:\Documents and Settings\Ricky\Desktop\EMIII\EMIII.exe
C:\Program Files\Folding@Home\FAH4Console.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\F@H2\FAH4Console.exe
C:\Program Files\F@H2\FahCore_78.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ricky\Desktop\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F211D9D9-D720-7FDC-F61E-F1C8C10A863E} - C:\PROGRA~1\WIPEMA~1\Mix Find.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: poke sect - {DEA1B4FE-2386-067F-10C0-3387F80B8FFB} - C:\PROGRA~1\WIPEMA~1\Mix Find.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Waitroam] C:\PROGRA~1\PlanBolt\oncelist.exe
O4 - HKCU\..\Run: [IHateThisKey] C:\Program Files\I Hate This Key\ihtk.exe
O4 - Startup: FAH4ConsoleOne.lnk = C:\Program Files\Folding@Home\FAH4Console.exe
O4 - Startup: FAH4ConsoleTwo.lnk = C:\Program Files\F@H2\FAH4Console.exe
O4 - Startup: trayit!.lnk = C:\Program Files\TrayIt!\trayit!.exe
O4 - Startup: EMIII.lnk = C:\Documents and Settings\Ricky\Desktop\EMIII\EMIII.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.7514583333
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks for any help.
-Rick
C:\WINDOWS\System32\MsPMSPSv.exe
If doing that stops your issue, possibly your box got hit by a Peper Trojan, so if it stops it with that in quarantine, or deleted, I would Google 'Peper Trojan' and look for reg entries that correspond to instructions in hits on that pair of words.
AVERT\AERT has removal tool and instructions for same, the google hit with nai.vil (AVERT\AERT's virus info library at network associates inc) in URL for Peper Trojan popped up way deep down in results when I Googled this file complete with path, file is not on my specimen XP install here. Peper uses pseudo-random name files, that particular one is not a known and documented one yet.
IF it is not peper, it 90+% probably is a new trojan executable, one with a pseudo-random executable rename on infect capability. IF it were a worm like msblast, I would expect many other renamed files to be involved. AERT\AVERT's stinger can kill msblast and a whole bunch of other majors. Stinger is a freebie, often updated.
Boot up in SAFE MODE. Run HJT (make sure you have it installed in its own folder so it can safely save backups.) FIX the following:
O2 - BHO: (no name) - {F211D9D9-D720-7FDC-F61E-F1C8C10A863E} - C:\PROGRA~1\WIPEMA~1\Mix Find.dll
O3 - Toolbar: poke sect - {DEA1B4FE-2386-067F-10C0-3387F80B8FFB} - C:\PROGRA~1\WIPEMA~1\Mix Find.dll
O4 - HKLM\..\Run: [Waitroam] C:\PROGRA~1\PlanBolt\oncelist.exe
O4 - HKCU\..\Run: [IHateThisKey] C:\Program Files\I Hate This Key\ihtk.exe
(This is not an Omegasearch variable I have seen before, but the name is odd. Is this something you installed? If so, leave it alone. If not, toast it.)
You may then locate those exe and dll files manually, and delete them.
Reboot normally, you should be cleaned.
Dexter...
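The two things the replies above key on, a BHO (O2) and a toolbar (O3) loading the same DLL and a component whose CLSID stays put while its file name changes between scans, can be checked mechanically by diffing two HJT logs. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the shape of the two logs Rick posted, and the only assumption is that entries are matched across scans by CLSID (O2/O3) or by hive\Run:value (O4).

```python
import re

# Constructed sample: a few entries in the shape of the two HJT logs posted in this thread.
FIRST_SCAN = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F211D9D9-D720-7FDC-F61E-F1C8C10A863E} - C:\PROGRA~1\WIPEMA~1\Mfcd Aim.dll
O3 - Toolbar: poke sect - {DEA1B4FE-2386-067F-10C0-3387F80B8FFB} - C:\PROGRA~1\WIPEMA~1\Mfcd Aim.dll
O4 - HKCU\..\Run: [IHateThisKey] C:\Program Files\I Hate This Key\ihtk.exe
"""
SECOND_SCAN = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F211D9D9-D720-7FDC-F61E-F1C8C10A863E} - C:\PROGRA~1\WIPEMA~1\Mix Find.dll
O3 - Toolbar: poke sect - {DEA1B4FE-2386-067F-10C0-3387F80B8FFB} - C:\PROGRA~1\WIPEMA~1\Mix Find.dll
O4 - HKLM\..\Run: [Waitroam] C:\PROGRA~1\PlanBolt\oncelist.exe
O4 - HKCU\..\Run: [IHateThisKey] C:\Program Files\I Hate This Key\ihtk.exe
"""

# O2/O3 lines: "<section> - BHO|Toolbar: <name> - {CLSID} - <path>"; O4 lines: "O4 - <hive>\..\Run: [<value>] <path>"
COM_LINE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_LINE = re.compile(r"^(O4) - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")

def parse(log):
    """Key each persistence entry by CLSID (O2/O3) or hive\\Run:value (O4) -> (section, path)."""
    entries = {}
    for line in log.strip().splitlines():
        if m := COM_LINE.match(line):
            entries[m.group(2).upper()] = (m.group(1), m.group(3).strip())
        elif m := RUN_LINE.match(line):
            entries[f"{m.group(2)}\\{m.group(3)}:{m.group(4)}"] = (m.group(1), m.group(5).strip())
    return entries

def shared_o2_o3_dlls(entries):
    """DLLs loaded by both a BHO (O2) and a Toolbar (O3): the pairing Dexter flags in this thread."""
    by_path = {}
    for section, path in entries.values():
        by_path.setdefault(path.lower(), set()).add(section)
    return sorted(p for p, s in by_path.items() if {"O2", "O3"} <= s)

def renamed_between(first, second):
    """Same CLSID or Run value but a different file in the later scan: a self-renaming component."""
    return {k: (first[k][1], second[k][1]) for k in first.keys() & second.keys()
            if first[k][1].lower() != second[k][1].lower()}

def new_since(first, second):
    """Persistence entries that appeared between the two scans (the Waitroam Run entry here)."""
    return {k: second[k][1] for k in second.keys() - first.keys()}

if __name__ == "__main__":
    a, b = parse(FIRST_SCAN), parse(SECOND_SCAN)
    print(shared_o2_o3_dlls(b), renamed_between(a, b), new_since(a, b), sep="\n")
```

Run against Rick's two full logs the three checks return exactly the four entries Dexter lists: the shared "Mix Find.dll" for O2/O3, the rename from "Mfcd Aim.dll", and the new Waitroam Run value.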
http://www.short-media.com/forum/showthread.php?t=3120&page=3&pp=20
I tried everything to get rid of it but succeeded in the end.
Um, John, this is a legitimate process related to Windows Media Player.
That file and pipe it controlled had holes in it:
MS02-32
KB321677
So, if quarantining broke nothing, that is cuz user of Windows Media Player 7 was not using SDMI and AFAIK most do not. This quarantine will not break Media Player and IE can still use Media Player as this is a helper service for Media Player.
NOT CRITICAL FILE. KNOWN COMPROMISED FILE.
See KB321677 for fix, which is a version upgrade of Media Player to 7.1 or above. But, same fix would have replaced file also.
I will defend myself when folks do not Google thoroughly and want me to be short then accuse of what is not in fact true. File is legit, supports a not often used function, and also has been patched since with new versions of several files used to control the SDMI pipe.