LOP.com AARRGH! Please help

  1. 15-12-2004  #1
    Tiffany
    Tiffany is offline Newbie

    LOP.com AARRGH! Please help

    Hi
    My friend is running windows xp and has 5 users on the machine and she cannot get rid of Lop.
    Have run avg, spyware, adaware and spybot and have done system restore on and off, have also done the uninstall that they recommend but it keeps coming back. I know it was from messenger plus and although have deleted it have seen some evidence of it still in the HJT log but need someone with more skills than me to analyse the rest of it please, I and she would be so grateful. I know that thias has been asked before but as this is the hjt log of her computer I do not want to mess up, any help would be appreciated.Thanks
    Logfile of HijackThis v1.97.7
    Scan saved at 09:42:28, on 29/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\maria\Local Settings\Temporary Internet Files\Content.IE5\CT2BGPI7\HijackThis[1].exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\VU9ZF577\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cdradyinjgdzapybfd.uk/NfS...556w1MtpKZ.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/abonnes/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.noos.fr
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Noos
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://p2.hostingprod.com/@writeerror.net/index.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2BF9CE91-00F0-6EED-D585-FBE3FBE6C9EB} - C:\DOCUME~1\james\APPLIC~1\SCRWAR~1\Deaf Dent.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\nuhstghb.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [MORESEEKAMENBAIT] C:\Documents and Settings\All Users\Application Data\Rect itch more seek\Metaiso.exe
    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\LiveUpdate.exe 110
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\System32\flood.exe
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Joy Size] C:\DOCUME~1\james\APPLIC~1\MEOWRU~1\Manager plan byte.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.noos.fr
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICA...a32/wficat.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {7AD10B4D-6A18-4379-95A6-6BAD7CE7FD01} (Project1.SBC) - http://www.spybouncer.com/collect/sb.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

  3. 15-12-2004  #2
    spud
    spud is offline D-A-L Team Member (UK)
    welcome to d-a-l the online computer help forum please follow owen advice on the link under my siignature then posta fresh log please
  4. 15-12-2004  #3
    Tiffany
    Tiffany is offline Newbie
    Hi Spud
    Thanks for responding, I followed your link and we have done all of those things already which is why I posted the log now as we were ready to proceed if you see what I mean ! Thanks for anyhelp.
  5. 15-12-2004  #4
    spud
    spud is offline D-A-L Team Member (UK)
    yes but your hjt log is out of date please update it then post another log

    thanks
  6. 15-12-2004  #5
    Tiffany
    Tiffany is offline Newbie
    sorry, will get her to do another one as soon as she can( she has 5 kids!!) thanks
  7. 15-12-2004  #6
    spud
    spud is offline D-A-L Team Member (UK)
    no probs will wait to hear from you
  8. 16-12-2004  #7
    Tiffany
    Tiffany is offline Newbie
    Hi Spud
    here is the latest log, any info much appreciated.
    Tiffany

    Logfile of HijackThis v1.99.0
    Scan saved at 10:04:39, on 16/12/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Palm\HOTSYNC.EXE
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\WINZIIP1\wzqkpick.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZiip1\WINZIP32.EXE
    C:\unzipped\hijackthis199_beta\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cdradyinjgdzapybfd.uk/NfS...556w1MtpKZ.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/abonnes/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.noos.fr
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://p2.hostingprod.com/@writeerror.net/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Noos
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2BF9CE91-00F0-6EED-D585-FBE3FBE6C9EB} - C:\DOCUME~1\TEMP\APPLIC~1\SCRWAR~1\Deaf Dent.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\nuhstghb.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [MORESEEKAMENBAIT] C:\Documents and Settings\All Users\Application Data\Rect itch more seek\Itch wma.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\System32\flood.exe
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZiip1\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.noos.fr
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
    O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICA...a32/wficat.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {7AD10B4D-6A18-4379-95A6-6BAD7CE7FD01} (Project1.SBC) - http://www.spybouncer.com/collect/sb.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  9. 16-12-2004  #8
    owen
    owen is offline D-A-L Team Member (UK)
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cdradyinjgdzapybfd.uk/Nf...56w1MtpK Z.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://p2.hostingprod.com/@writeerror.net/index.html
    O2 - BHO: (no name) - {2BF9CE91-00F0-6EED-D585-FBE3FBE6C9EB} - C:\DOCUME~1\TEMP\APPLIC~1\SCRWAR~1\Deaf Dent.exe
    O4 - HKLM\..\Run: [MORESEEKAMENBAIT] C:\Documents and Settings\All Users\Application Data\Rect itch more seek\Itch wma.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Internet] C:\WINDOWS\System32\flood.exe
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {7AD10B4D-6A18-4379-95A6-6BAD7CE7FD01} (Project1.SBC) - http://www.spybouncer.com/collect/sb.ocx

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders. Search for files that don't have a specific location:
    C:\DOCUME~1\TEMP\APPLIC~1\SCRWAR~1
    C:\Documents and Settings\All Users\Application Data\Rect itch more seek
    wuam.exe
    C:\WINDOWS\System32\flood.exe

    Reboot and post a fresh log
  10. 16-12-2004  #9
    Tiffany
    Tiffany is offline Newbie
    I shall do that asap; many many thanks, quick question though, I have been looking through other peoples logs and this lop seems to hide under a number of different files, is that true and if so how does it do it?
    Thanks in advance
    Tiffany
  11. 16-12-2004  #10
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    By the way, could you also follow this advice:

    If you want to keep MessengerPlus but didn’t choose the option to refuse the advertising then please uninstall the copy you have then download it again and when you get to the Sponsor Agreement select the option which reads,’I Refuse, do not install the sponsor program’.
+ Reply to Thread
Page 1 of 3 1 2 3 LastLast
« mshjlj.dll virus | Look-Today.com Problem! »