TheTechGuide Forum
General Category => Tech Clinic => Topic started by: LuckyTom on December 20, 2004, 06:42:56 PM
-
My computer is currently broken (over-heating problems) so I have been using my sister's computer; however, it's filled with rubbish: toolbars, pop-ups, strange cursors, etc.
I've deleted as much as I can (that I know won't break anything) but most of it seems to just come back once rebooted.
However, I do not think these things are safe, and when running virus scanners over 200 problems were found. I have deleted all of these.
I have had some problems with my computer before and I remember HijackThis helped to get rid of those problems, so I have used it and this is what it has come up with:
Logfile of HijackThis v1.99.0
Scan saved at 22:00:48, on 20/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qnebhtvzqm.com/Jk3QWFSIuq_U2/PGu9W3EzlMRCEtJpDggvtuDRDvk9KeeshpDgz72HBsT92ILiMK.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.globaleaccess.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 1097087511 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)
O2 - BHO: (no name) - {35316FCB-61F6-C922-C81A-219CA2DC1AA2} - C:\DOCUME~1\EWENBA~1\APPLIC~1\AMOKTI~1\BARB REMOTE.exe
O2 - BHO: No description - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINNT\DOWNLO~1\pdfmgr.dll
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINNT\system32\tkp785A.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINNT\system32\geaccess.exe -N
O4 - HKLM\..\Run: [dart locks load idol] C:\Documents and Settings\All Users\Application Data\4 bold dart locks\ItchBeep.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [eggsbone] C:\DOCUME~1\EWENBA~1\APPLIC~1\SLOWSI~1\hidememo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} (ExWebClientUtils Class) - http://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
O16 - DPF: {0FA8E95B-C23A-11D5-8F5F-0008C7E9C2C6} (Pensions.desInput) - http://exweb.exchange.uk.com/clientbinaries/PensionsPhase2.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.143/100039/uk/gegames/geaccess.exe
O16 - DPF: {786F41FA-AC32-11D5-9B73-00508B6BAAB3} (exWebStopper.texexweb) - http://exweb.exchange.uk.com/download/update/exWebStopper.CAB
O16 - DPF: {7B5A1CB7-2E01-11D7-90C1-0008C7E9C2C6} (PHI.desInput) - http://exweb.exchange.uk.com/clientbinaries/PHI.CAB
O16 - DPF: {83742947-3994-9943-2039-746302840329} (Exweb XML Files for Focus Renderer) - http://exweb.exchange.uk.com/download/update/xmlfiles.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} (VersionInfo.clsVersionInfo) - http://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
O16 - DPF: {A32DBCA3-4BFD-11D3-B9E4-008048FCE443} (Complist Class) - file://E:\CAB\eXwebCListCtl.cab
O16 - DPF: {A45CF69C-19E0-4090-99DA-286A7C1C257B} (exWebUpdater.clsINIFile) - http://exweb.exchange.uk.com/download/update/exWebUpdater.CAB
O16 - DPF: {A74D724A-AB17-11D2-A96A-006097E20477} (eXwebUtils.HTMLUtils) - http://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
O16 - DPF: {A98277A1-A141-11D5-98B9-00508B64538B} (Complist2 Class) - http://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl2.CAB
O16 - DPF: {A9F86998-BB62-11D2-A988-006097E20477} (eXwebUtils.clsVersionInfo) - file://E:\CAB\eXwebUtils.cab
O16 - DPF: {A9F869B2-BB62-11D2-A988-006097E20477} (eXwebOccList.clsVersionInfo) - file://E:\CAB\eXwebOcc.cab
O16 - DPF: {A9F869C0-BB62-11D2-A988-006097E20477} (PHIHelpText.clsVersionInfo) - file://E:\CAB\PHIHelpText.cab
O16 - DPF: {A9F869CE-BB62-11D2-A988-006097E20477} (PHIToolTips.clsVersionInfo) - file://E:\CAB\PHIToolTips.cab
O16 - DPF: {AB5ED3AE-DE26-11D3-AD7A-0050044495F0} (WholeLife.clsVersionInfo) - file://E:\CAB\wholelife.cab
O16 - DPF: {AB5ED422-DE26-11D3-AD7A-0050044495F0} (WholeLife.desWOLBlank) - http://exweb.exchange.uk.com/clientbinaries/WholeLife.CAB
O16 - DPF: {ABF92614-EBA5-11D3-A315-006008134E84} (Annuities.dsrMain) - http://exweb.exchange.uk.com/clientbinaries/ann_GD.CAB
O16 - DPF: {B539A417-0C5E-11D4-97CF-00508B64538B} (Bonds.GLBI030) - file://E:\CAB\Bonds.cab
O16 - DPF: {B539A425-0C5E-11D4-97CF-00508B64538B} (Bonds.clsBondBusinessLogic) - http://exweb.exchange.uk.com/clientbinaries/Bonds.CAB
O16 - DPF: {B5805B24-2D86-11D0-ADA6-00400520799C} (ProtoView Calendar Control) - file://E:\CAB\pvcalctl.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CC696B63-4159-11D0-BDCB-0020A90B183A} (ProtoView Date Control) - file://E:\CAB\pvdate2.cab
O16 - DPF: {DB1F089D-F410-11D3-A316-006008134E84} (CombinedTerm.desInput) - http://exweb.exchange.uk.com/clientbinaries/TermAssurance.CAB
O16 - DPF: {DB1F08C5-F410-11D3-A316-006008134E84} (CombinedTerm.desUserDefaultsGrid) - file://E:\CAB\TermAssurance.cab
O16 - DPF: {DBA9E4A1-885A-11D3-8919-0050049D81F4} (TexPHIDS.dsrPHIInput) - file://E:\CAB\TexPHIDS.cab
O16 - DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} (PrintComponent.clsVersionInfo) - http://exweb.exchange.uk.com/clientbinaries/printdll.CAB
O16 - DPF: {E5CFA957-1CD1-11D2-85AD-006097B42E68} (TEXCList.ctlCompanyList) - file://E:\CAB\eXwebCList.cab
O16 - DPF: {E672FC91-6A8F-11D3-82DC-0008C78A797E} (CTP Printing Update) - http://exweb.exchange.uk.com/download/update/ctpprinting.cab
O16 - DPF: {E7FF5332-854E-11D2-A952-006097E20477} (eXwebOccList.clsOccRes) - http://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (ProtoView DataTable Control 7.0 (OLEDB)) - file://E:\CAB\pvdt70.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F952EDBD-84EF-11D5-8F0C-0008C7E9C2C6} (exchange Scripting Update) - http://exweb.exchange.uk.com/download/update/scripting_update.CAB
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
If you could please help me by telling me what I should delete. If more information is needed I will try to answer as helpfully as possible; however, I do not know much about this computer as it is not mine.
-
Hi Tom, let's see what we can clean up.
But first: because of the installation of Messenger Plus 3, your sis's computer is infected with spyware called LOP.
Could you access Add/Remove Programs via Control Panel and uninstall it for now?
If it is needed in the future, please do not install the SPONSOR.
Also, while uninstalling Messenger Plus,
could you also look for these entries and remove them:
'Lop.com' or 'LOP SEARCH' or 'Window Searching' or 'Window Active' or 'Browser Enhancer' or 'Ultimate Browser Enhancer'
If given a code to insert, do so.
Remember to restart the computer.
I see that you have SpyKiller installed; if you haven't paid for it I would recommend that you uninstall it also.
This link will let you know why:
Rogue Anti-Spyware Products (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
Restart if/when removed.
A couple of recommended spyware removal programs that are yours for free.
Please
download and install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/).
Ensure you have this version.
If you don't have this version, install this one.
Open Ad-Aware, ensure you click the "check for updates online" link and connect to download the latest updates.
Perform a full system scan.
When it's finished scanning,
at this point you should either right-click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox,
then click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.
RESTART your computer again to finish the cleaning process.
Download and install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html).
While installing, please do not enable TeaTimer; it's a very good add-on but can get in the way of any fixes we will manually try on your log.
After installation, SEARCH FOR UPDATES.
Download all updates, then close and restart the program.
Click the Search & Destroy button on the left.
Check for Problems; let it finish scanning; check and FIX everything in RED.
RESTART your computer to finish the cleaning.
After you have done the above, post back a fresh HijackThis log.
Please don't reinstall Messenger Plus 3 without the Sponsor until we have her clean, thanks.
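As an added example (not part of the original thread or of HijackThis itself), the following Python script applies the kinds of checks the reply above makes by hand to lines copied verbatim from the posted log: browser Search Bar / Start Page settings pointing at a random-looking hostname, BHOs with no name, no file on disk, or loading from a user profile directory, Run entries living under Application Data or named with a string of random dictionary words (the naming pattern Lop.com variants used), and ActiveX (O16) entries that download from a bare IP address or fetch an .exe rather than a .cab. The heuristics, thresholds and the sample subset are mine; a flagged line is a candidate for review, not proof of infection.

```python
import re
from urllib.parse import urlparse

# Lines copied verbatim from the HijackThis log posted above (a constructed subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qnebhtvzqm.com/Jk3QWFSIuq_U2/PGu9W3EzlMRCEtJpDggvtuDRDvk9KeeshpDgz72HBsT92ILiMK.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.globaleaccess.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 1097087511 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)
O2 - BHO: (no name) - {35316FCB-61F6-C922-C81A-219CA2DC1AA2} - C:\DOCUME~1\EWENBA~1\APPLIC~1\AMOKTI~1\BARB REMOTE.exe
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINNT\system32\tkp785A.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [dart locks load idol] C:\Documents and Settings\All Users\Application Data\4 bold dart locks\ItchBeep.exe
O4 - HKCU\..\Run: [eggsbone] C:\DOCUME~1\EWENBA~1\APPLIC~1\SLOWSI~1\hidememo.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.143/100039/uk/gegames/geaccess.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""

# HijackThis line shapes handled here (section prefix, then the section-specific body).
LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>.*)\))? - (?P<url>\S+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
USER_DATA_RE = re.compile(r"APPLIC~1|Application Data", re.IGNORECASE)


def looks_random(label: str) -> bool:
    """Heuristic (my threshold) for machine-generated names: few vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", label.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.25 or re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", letters) is not None


def check_r(body: str):
    """R0/R1: Start Page / Search Bar values. Flag hosts whose labels look machine-generated."""
    _key, sep, value = body.partition(" = ")
    if not sep or not value.strip():
        return None
    host = urlparse(value.strip()).hostname or ""
    labels = [lbl for lbl in host.split(".") if lbl != "www"]
    if any(looks_random(lbl) for lbl in labels):
        return f"browser setting points at random-looking host {host}"
    return None


def check_o2(body: str):
    """O2: Browser Helper Objects. Flag anonymous, orphaned, or profile-resident BHOs."""
    m = O2_RE.match(body)
    if not m:
        return None
    name, path = m.group("name"), m.group("path")
    reasons = []
    if name in ("(no name)", "No description") or not re.search(r"[A-Za-z]", name):
        reasons.append("BHO has no descriptive name")
    if path == "(no file)":
        reasons.append("CLSID registered but DLL missing (orphan entry)")
    elif USER_DATA_RE.search(path):
        reasons.append("BHO loads from a user-writable profile directory")
    return "; ".join(reasons) or None


def check_o4(body: str):
    """O4: Run keys. Flag binaries under Application Data and random-word value names."""
    m = O4_RE.match(body)
    if not m:
        return None  # Global Startup .lnk lines have a different shape; not examined here
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if USER_DATA_RE.search(cmd):
        reasons.append("autorun binary lives under Application Data")
    if len(name.split()) >= 3 and name.islower():
        reasons.append("Run value named with random dictionary words (Lop.com pattern)")
    return "; ".join(reasons) or None


def check_o16(body: str):
    """O16: ActiveX downloads. Flag bare-IP sources and entries that fetch an .exe."""
    m = O16_RE.match(body)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    reasons = []
    if IP_RE.match(parsed.hostname or ""):
        reasons.append("ActiveX download from a bare IP address")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("ActiveX entry fetches a raw .exe instead of a .cab package")
    return "; ".join(reasons) or None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O16": check_o16}


def triage(log_text: str):
    """Return (line, reason) pairs for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

On the sample above the script flags the qnebhtvzqm.com Search Bar, the three unnamed, orphaned or profile-resident BHOs, both Application Data Run entries and the bare-IP geaccess.exe download, and leaves the Acrobat, Google Toolbar, AVG, WinZip and iPIX entries alone. It deliberately does not judge the file://E:\CAB and exchange.uk.com controls, which only the machine's owner can confirm as legitimate.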
-
Thank you very much for your help; however, I am currently waiting for my sister to get home so that I can make sure that it's OK that I delete these programs.
However, I have decided to delete the programs that I know she won't need, for example 'SpyKiller'.
I see that you have SpyKiller installed; if you haven't paid for it I would recommend that you uninstall it.
You have said that I should uninstall it, however I am not sure how. I have checked 'Add/Remove Programs', but I can't find it in there. Did you mean for me to delete it in a different way?
-
Could you access Add/Remove Programs via Control Panel and uninstall it for now?
If it is needed in the future, please do not install the SPONSOR.
It's the best method for removing LOP.
You can install it later without the SPONSOR.
If SpyKiller is not in Add/Remove Programs, don't worry about it for now.
Follow my instructions from my last post, including removing MSN Plus and LOP from Add/Remove.
Install those two free spyware removal programs; they're very much recommended,
even by Microsoft.
Make sure to update them both and run scans.