Please what do I delete ?

Unknown
edited October 2004 in Spyware & Virus Removal
I'm in need of your help again please. I have run ongeakiller, spywareblaster, spybot and ad-aware before running HJT. Here is log it created. I'm thinking anything with 'lop' in name is probably not good but didn't want to do any thing til I'd checked with someone knowledgeable.

Logfile of HijackThis v1.98.2
Scan saved at 11:15:51 AM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Documents and Settings\Janet\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://uvxtpbzyvlxgbbawllbrajaf.org/CIu3eTdJjiFzR0K9dFs00_4CXuU/TOlm0VgJS_Y6Lh5JCQ1aK8IaJdY5xfK/usUC.html
O1 - Hosts: 127.0.0.26 www.active-max.com
O1 - Hosts: 127.0.0.9 www.allaboutsearching.com
O1 - Hosts: 127.0.0.60 amazingautossearch.com
O1 - Hosts: 127.0.0.77 contexualsearch.com
O1 - Hosts: 127.0.0.86 crap2.com
O1 - Hosts: 127.0.0.2 www.crap2.com
O1 - Hosts: 127.0.0.97 www.dialup2.com
O1 - Hosts: 127.0.0.3 ecpm.com
O1 - Hosts: 127.0.0.45 lop.com
O1 - Hosts: 127.0.0.43 ayb.lop.com
O1 - Hosts: 127.0.0.63 bins.lop.com
O1 - Hosts: 127.0.0.82 srch.lop.com
O1 - Hosts: 127.0.0.54 www1.lop.com
O1 - Hosts: 127.0.0.250 www.lop2.com
O1 - Hosts: 127.0.0.6 maxexp.com
O1 - Hosts: 127.0.0.238 www.mp3search.com
O1 - Hosts: 127.0.0.66 mysearchnow.com
O1 - Hosts: 127.0.0.41 search200.com
O1 - Hosts: 127.0.0.31 www.search200.com
O1 - Hosts: 127.0.0.224 search.mysearchnow.com
O1 - Hosts: 127.0.0.69 www.mysearchnow.com
O1 - Hosts: 127.0.0.233 netsearchsoft.com
O1 - Hosts: 127.0.0.0 omegasearch.com
O1 - Hosts: 127.0.0.250 www.omegasearch.com
O1 - Hosts: 127.0.0.49 www.rub.to
O1 - Hosts: 127.0.0.84 searchexe.com
O1 - Hosts: 127.0.0.95 www.searchexe.com
O1 - Hosts: 127.0.0.3 searchweb2.com
O1 - Hosts: 127.0.0.28 www.searchweb2.com
O1 - Hosts: 127.0.0.81 www.spawnet.com
O1 - Hosts: 127.0.0.200 tdmy.com
O1 - Hosts: 127.0.0.94 tefs.com
O1 - Hosts: 127.0.0.243 www.tfil.com
O1 - Hosts: 127.0.0.8 tdko.com
O1 - Hosts: 127.0.0.40 www.tdko.com
O1 - Hosts: 127.0.0.200 wrn.net
O1 - Hosts: 127.0.0.60 software.wrn.net
O1 - Hosts: 127.0.0.79 www.wrn.net
O1 - Hosts: 127.0.0.239 www.mp3search.com
O1 - Hosts: 127.0.0.76 www.negativebeats.com
O1 - Hosts: 127.0.0.222 best.omega-search.com
O1 - Hosts: 127.0.0.37 www.omega-search.com
O1 - Hosts: 127.0.0.203 www.trinityacquisitions.com
O1 - Hosts: 127.0.0.63 www.errorfreesearch.com
O1 - Hosts: 127.0.0.87 isearchhere.com
O1 - Hosts: 127.0.0.71 www.isearchhere.com
O1 - Hosts: 127.0.0.234 iwantosearch.com
O1 - Hosts: 127.0.0.5 www.iwantosearch.com
O1 - Hosts: 127.0.0.52 opensearch.org
O1 - Hosts: 127.0.0.246 www.searchbee.net
O1 - Hosts: 127.0.0.76 www.searchhotsex.com
O1 - Hosts: 127.0.0.232 ifsearch.com
O1 - Hosts: 127.0.0.213 mastersearcher.com
O1 - Hosts: 127.0.0.55 aavc.com
O1 - Hosts: 127.0.0.29 www.aavc.com
O1 - Hosts: 127.0.0.229 acjp.com
O1 - Hosts: 127.0.0.219 www.acjp.com
O1 - Hosts: 127.0.0.67 ecmh.com
O1 - Hosts: 127.0.0.239 wabq.com
O1 - Hosts: 127.0.0.243 www.wabq.com
O1 - Hosts: 127.0.0.211 maximumexperience.com
O1 - Hosts: 127.0.0.92 www.maximumexperience.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [mapi build] C:\PROGRA~1\STARTO~1\Bytenameplus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [moisdne.exe] C:\DOCUME~1\Janet\MYDOCU~1\jason\MOISDN~1.EXE /r
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MyEmoticons] C:\Program Files\MyEmoticons\MYEMOTICONS.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42

Thanks for taking time to look.

Comments

  • Access_DeniedAccess_Denied tennessee
    edited October 2004
    lord... looks like you have lots and lots of spyware entrys.. lop is very safe to delete btw.. it is a search engine/spyware related but i dont know why ad-aware didnt pick up on it.. did you do a full system scan or a quick scan? :scratch:
  • jaybee
    edited October 2004
    thanks, done as you suggested, removed lop entries and then rebooted. Will post HJT log below. Ran in depth scan with ad-aware.
    Logfile of HijackThis v1.98.2
    Scan saved at 1:48:16 PM, on 12/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\MyEmoticons\MYEMOTICONS.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\MediaKey v1.00\Versato.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\MediaKey v1.00\MediaPlayer.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\MediaKey v1.00\OSD.EXE
    C:\Documents and Settings\Janet\Desktop\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://uvxtpbzyvlxgbbawllbrajaf.org/CIu3eTdJjiFzR0K9dFs00_4CXuU/TOlm0VgJS_Y6Lh5JCQ1aK8IaJdY5xfK/usUC.html
    O1 - Hosts: 127.0.0.26 www.active-max.com
    O1 - Hosts: 127.0.0.9 www.allaboutsearching.com
    O1 - Hosts: 127.0.0.60 amazingautossearch.com
    O1 - Hosts: 127.0.0.77 contexualsearch.com
    O1 - Hosts: 127.0.0.86 crap2.com
    O1 - Hosts: 127.0.0.2 www.crap2.com
    O1 - Hosts: 127.0.0.97 www.dialup2.com
    O1 - Hosts: 127.0.0.6 maxexp.com
    O1 - Hosts: 127.0.0.238 www.mp3search.com
    O1 - Hosts: 127.0.0.233 netsearchsoft.com
    O1 - Hosts: 127.0.0.0 omegasearch.com
    O1 - Hosts: 127.0.0.49 www.rub.to
    O1 - Hosts: 127.0.0.84 searchexe.com
    O1 - Hosts: 127.0.0.95 www.searchexe.com
    O1 - Hosts: 127.0.0.81 www.spawnet.com
    O1 - Hosts: 127.0.0.200 tdmy.com
    O1 - Hosts: 127.0.0.94 tefs.com
    O1 - Hosts: 127.0.0.243 www.tfil.com
    O1 - Hosts: 127.0.0.8 tdko.com
    O1 - Hosts: 127.0.0.40 www.tdko.com
    O1 - Hosts: 127.0.0.200 wrn.net
    O1 - Hosts: 127.0.0.60 software.wrn.net
    O1 - Hosts: 127.0.0.79 www.wrn.net
    O1 - Hosts: 127.0.0.239 www.mp3search.com
    O1 - Hosts: 127.0.0.222 best.omega-search.com
    O1 - Hosts: 127.0.0.203 www.trinityacquisitions.com
    O1 - Hosts: 127.0.0.71 www.isearchhere.com
    O1 - Hosts: 127.0.0.234 iwantosearch.com
    O1 - Hosts: 127.0.0.5 www.iwantosearch.com
    O1 - Hosts: 127.0.0.232 ifsearch.com
    O1 - Hosts: 127.0.0.213 mastersearcher.com
    O1 - Hosts: 127.0.0.55 aavc.com
    O1 - Hosts: 127.0.0.29 www.aavc.com
    O1 - Hosts: 127.0.0.229 acjp.com
    O1 - Hosts: 127.0.0.219 www.acjp.com
    O1 - Hosts: 127.0.0.67 ecmh.com
    O1 - Hosts: 127.0.0.239 wabq.com
    O1 - Hosts: 127.0.0.243 www.wabq.com
    O1 - Hosts: 127.0.0.211 maximumexperience.com
    O1 - Hosts: 127.0.0.92 www.maximumexperience.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [mapi build] C:\PROGRA~1\STARTO~1\Bytenameplus.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [moisdne.exe] C:\DOCUME~1\Janet\MYDOCU~1\jason\MOISDN~1.EXE /r
    O4 - HKCU\..\Run: [MyEmoticons] C:\Program Files\MyEmoticons\MYEMOTICONS.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42
  • SpywareShooterSpywareShooter 127.0.0.1
    edited October 2004
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://uvxtpbzyvlxgbbawllbrajaf.org...Y5xfK/usUC.html
    O4 - HKLM\..\Run: [mapi build] C:\PROGRA~1\STARTO~1\Bytenameplus.exe
    O4 - HKCU\..\Run: [moisdne.exe] C:\DOCUME~1\Janet\MYDOCU~1\jason\MOISDN~1.EXE /r
    O4 - HKCU\..\Run: [MyEmoticons] C:\Program Files\MyEmoticons\MYEMOTICONS.EXE
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart


    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • jaybee
    edited October 2004
    Thanks SpywareShooter. I have followed your advice. Also repaired ad-aware as found there was a problem. Here is new log
    Logfile of HijackThis v1.98.2
    Scan saved at 1:05:21 PM, on 13/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\MediaKey v1.00\Versato.exe
    C:\Program Files\MediaKey v1.00\MediaPlayer.exe
    C:\Program Files\MediaKey v1.00\OSD.EXE
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Documents and Settings\Janet\Desktop\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42
  • SpywareShooterSpywareShooter 127.0.0.1
    edited October 2004
    Your log looks okay now. Are you still having any problems?
  • jaybee
    edited October 2004
    Problems seem to be fixed. Thanks for help once again.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited October 2004
    You should uninstall messenger plus as it is that which installs the LOPware. If you do not, it will come back. You can reinstall it again but choose not to install the 3rd party sponsor.

    Start\Settings\Control Panel\Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run this uninstaller:
    http://members.rogers.com/rjmac/new_uninstall.exe
  • jaybee
    edited October 2004
    Thanks for that justlooking. Have now removed program, kids had installed it but found no-one used it so won't bother re-installing. Good to know where lop has been coming from. Hopefully everything will now be resolved. Will post new HJT log below for perusal.

    Logfile of HijackThis v1.98.2
    Scan saved at 4:43:47 PM, on 15/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\MediaKey v1.00\Versato.exe
    C:\Program Files\MediaKey v1.00\MediaPlayer.exe
    C:\Program Files\MediaKey v1.00\OSD.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Janet\Desktop\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42

    I see there are still entries related to messenger, not sure if messenger plus or msn messenger though. Thanks again. :D
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited October 2004
    Clean log there :). One is MSN Messenger, the other is Windows Messenger. Unless you are on a network I would advise you to disable it in Services. Or you can go to www.grc.com & download a small program called *shoot the messenger* which will do it for you.
  • jaybee
    edited October 2004
    :D:thumbsup: Thanks for the reply. Kids use MSN frequently so will keep it. I've kept copies of all the advice so I can keep an eye on things and fix any that reappear. I'm getting slightly more confident now thanks to the help from this site. Keep up the great work. :D
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited October 2004
    I meant that you should disable Windows Messenger too, not MSN :).
  • jaybee
    edited October 2004
    Oops sorry. :o Have checked and computer tells me we are not connected to windows messenger. Is this sufficient? Many thanks for your patience. :)
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited October 2004
    If you go to C:\WINDOWS\system32\services.msc & start services, scroll down to messenger, you will see if it is enabled or not. If it is you need to stop it, then disable it. Right click on it & select properties then go to startup type & set it to disabled.
  • jaybee
    edited October 2004
    Thank you, I found it and it is already disabled in systems so I guess that makes me all clear. Thanks for everything. Much appreciated. :D
This discussion has been closed.