Lop Toolbar On My Desktop Can't Get It Off

  1. #1
    HEDDER is offline Newbie

    Lop Toolbar On My Desktop Can't Get It Off

    Tried everything to get this thing off my desktop, but no luck. Any help you could give me would be greatly appreciated. Attached is my logfile. Thanks

    Logfile of HijackThis v1.99.0
    Scan saved at 6:47:23 PM, on 2/2/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\Cursors\faxvss.exe
    C:\WINNT\system32\PELMICED.EXE
    C:\WINNT\system32\Ibmmon.exe
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Reflection\r2win.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.backpacker.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://dealerconnect.chrysler.com/d...troller/Portal
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINNT\System32\belezus.dll (file missing)
    O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agvpxe.dat (file missing)
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4dpUswodniW.dat
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ssvxaf.dat
    O2 - BHO: (no name) - {C4D145DB-66B6-36F2-49D9-726B6277434B} - C:\DOCUME~1\ADMINI~1\APPLIC~1\BALMGR~1\amok bat.exe
    O2 - BHO: (no name) - {E214E91A-7AB0-1DFC-4D31-C807D4BBD507} - C:\PROGRA~1\BALMGR~1\amok bat.exe (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [Ibmmon.exe] Ibmmon.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BEEP64REMOTEBODY] C:\Documents and Settings\All Users\Application Data\MeowSpamBeep64\Dale Mags.exe
    O4 - HKLM\..\RunOnce: [*faxvss] C:\WINNT\Cursors\faxvss.exe rerun
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Meet Gram] C:\DOCUME~1\ADMINI~1\APPLIC~1\MfcdByte\amen axis.exe
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - https://dealerconnect.chrysler.com/s...1_02-win_i.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup143.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


  2. #2
    HEDDER is offline Newbie
    I am off for the evening I will check back tomorrow. Thanks

  3. #3
    Jaynee is offline Senior Member
    Can you please move HijackThis to its own folder on your C: drive (example: C:\HijackThis). The program makes important backups which can be accidentally lost when running from its current location. If anything goes wrong with your fix, you may need these backups to restore your machine to its previous state.

    To do this, go to My Computer (Windows key+e)
    Double click on C:
    then right click and select New > Folder
    Name it HijackThis and unzip/move your copy of HJT to it for future use.

  4. #4
    HJM is offline Valued Member
    The LOP infection comes bundled with Messenger Plus. To remove it we will try the simple way first.

    1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

    2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

    3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

    4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

    5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, reboot your computer and, hopefully, the infection is gone.

    6. Please then post a new log after rebooting.

    NB. If you want to keep Messenger Plus, download it again AFTER we've cleaned you. The Lop sponsored advertising program must be rejected.
    Read the installation procedures carefully.
    When you get to the Sponsor Agreement, SELECT:
    'I Refuse to give my support, install Messenger Plus! without the sponsor'.

  5. #5
    HEDDER is offline Newbie
    Thanks for the response, however I do not have Messenger Plus on my system. Or at least it is not showing up in my add and remove programs. Any other suggestions? Thanks Heather

  6. #6
    HJM is offline Valued Member
    So you don't LOL. I didn't even bother looking. Messenger Plus and Lop are synonymous with each other.


    Can you please move HijackThis to its own folder on your C: (example: C:\HijackThis). The program makes important backups which can be accidentally lost when running from its current location. If anything goes wrong with your fix, you may need these backups to restore your machine to its previous state.

    To do this, go to My Computer (Windows key+e)
    Double click on C:
    then right click and select New > Folder
    Name it HijackThis and unzip/move your copy of HJT to it for future use.


    Download and install Crap Cleaner for later use.



    Run HJT again and checkmark the boxes next to the following:-

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINNT\System32\belezus.dll (file missing)
    O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agvpxe.dat (file missing)
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4dpUswodniW.dat
    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ssvxaf.dat
    O2 - BHO: (no name) - {C4D145DB-66B6-36F2-49D9-726B6277434B} - C:\DOCUME~1\ADMINI~1\APPLIC~1\BALMGR~1\amok bat.exe
    O2 - BHO: (no name) - {E214E91A-7AB0-1DFC-4D31-C807D4BBD507} - C:\PROGRA~1\BALMGR~1\amok bat.exe (file missing)
    O4 - HKLM\..\Run: [BEEP64REMOTEBODY] C:\Documents and Settings\All Users\Application Data\MeowSpamBeep64\Dale Mags.exe
    O4 - HKLM\..\RunOnce: [*faxvss] C:\WINNT\Cursors\faxvss.exe rerun
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Meet Gram] C:\DOCUME~1\ADMINI~1\APPLIC~1\MfcdByte\amen axis.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup143.cab

    Now close ALL windows & browsers and click FIX CHECKED



    Please set Windows to Show Hidden Files & Folders and then reboot into Safe Mode.



    Uninstall both Spykiller and Bestpopupkiller via Add/Remove Programs, they're scumware.


    Delete the following folders in bold:

    C:\Program Files\SpyKiller
    C:\Program Files\BestPopUpKiller
    C:\Documents and Settings\Administrator\Application Data\BALMGR <--Folder starting with these 6 letters
    C:\Documents and Settings\All Users\Application Data\MeowSpamBeep64
    C:\Documents and Settings\All Users\Application Data\IESERVice
    C:\Documents and Settings\Administrator\Application Data\MfcdByte



    Delete the following file in bold:

    C:\WINNT\Cursors\faxvss.exe


    Open Crap Cleaner and run it. Note: This will remove all login cookies unless individually retained via Options> Cookies.


    Reboot and post a fresh log in this thread.


    **Please let me know if this machine has any other user accounts. If it does, it's more than likely we'll have to clean those as well to completely remove the Lop infection.

  7. #7
    HEDDER is offline Newbie
    Thanks, I will try and let you know, I have moved hijack to its own file. I will post a new log when I am finished. Thanks Heather

  8. #8
    HEDDER is offline Newbie
    My God you are sooooooooo GOOD!! If I was close I would kiss ya!! Really appreciate your help. The blue tool bar from hell is finally gone. I will certainly be making a donation. Below is my new log. Thanks again.

    Logfile of HijackThis v1.99.0
    Scan saved at 3:01:47 PM, on 2/3/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\PELMICED.EXE
    C:\WINNT\system32\Ibmmon.exe
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\Config\expwave.exe
    C:\Program Files\Reflection\r2win.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HIJACK\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.backpacker.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://dealerconnect.chrysler.com/d...troller/Portal
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawpxe.dat
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ofnissv.dat
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [Ibmmon.exe] Ibmmon.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [*expwave] C:\WINNT\Config\expwave.exe rerun
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\java\trustlib\waveip.exe ren my_time:1107454803
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - https://dealerconnect.chrysler.com/s...1_02-win_i.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


  9. #9
    HJM is offline Valued Member
    I wish the wife still made comments like that


    Run HJT again and checkmark the boxes next to the following:-

    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawpxe.dat
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ofnissv.dat
    O4 - HKLM\..\RunOnce: [*expwave] C:\WINNT\Config\expwave.exe rerun
    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\java\trustlib\waveip.exe ren my_time:1107454803

    Now close ALL windows & browsers and click FIX CHECKED



    Reboot and post a fresh log.

  10. #10
    HEDDER is offline Newbie
    Here is my fresh log. Thanks again



    Logfile of HijackThis v1.99.0
    Scan saved at 11:14:52 AM, on 2/4/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\PELMICED.EXE
    C:\WINNT\system32\Ibmmon.exe
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\HIJACK\HijackThis.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\ServicePackFiles\eulasvr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://dealerconnect.chrysler.com/d...troller/Portal
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vrssys.dat
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [Ibmmon.exe] Ibmmon.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [*syssrv] C:\WINNT\Cursors\syssrv.exe rerun
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\AppPatch\expsys.exe ren my_time:1107528267
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - https://dealerconnect.chrysler.com/s...1_02-win_i.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
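
Across the three logs posted in this thread, the "CATLEvents Object" BHO and the RunOnce entries come back after each fix under a different file name. The following is an added example, not part of the original thread: it compares successive HijackThis logs and reports O2/O4 entries whose file path changes under an otherwise stable registry entry. The key normalisation (masking the file stem in the value name and the digits in the arguments) is an assumption made for this illustration, and the embedded input is a subset of lines copied from the posts above.

```python
import re
from collections import defaultdict
from ntpath import basename, splitext

# Constructed input: a subset of lines copied from the three logs in this thread.
LOGS = [
    ("2/2/2005", r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ssvxaf.dat
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [*faxvss] C:\WINNT\Cursors\faxvss.exe rerun
"""),
    ("2/3/2005", r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawpxe.dat
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [*expwave] C:\WINNT\Config\expwave.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\java\trustlib\waveip.exe ren my_time:1107454803
"""),
    ("2/4/2005", r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vrssys.dat
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [*syssrv] C:\WINNT\Cursors\syssrv.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\AppPatch\expsys.exe ren my_time:1107528267
"""),
]

O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)(?: \(file missing\))?$")
O4 = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CMD = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|dat|ocx))"?(?: (?P<args>.*))?$', re.I)

def parse(line):
    """Return (stable_key, file_path) for an O2 or O4 registry line, else None."""
    m = O2.match(line)
    if m:
        # The CLSID also changes between logs here, so key on the BHO display name.
        return ("O2", m["name"]), m["path"]
    m = O4.match(line)
    if not m:
        return None
    c = CMD.match(m["cmd"])
    if c:
        path, args = c["path"], c["args"] or ""
    else:
        path, _, args = m["cmd"].partition(" ")
    stem = splitext(basename(path))[0]
    # Assumption: mask what varies per respawn (file stem in the value name, digits in args).
    name = m["name"].replace(stem, "<stem>") if stem else m["name"]
    return ("O4", m["key"], name, re.sub(r"\d+", "#", args)), path

def respawned(logs):
    """Map stable_key -> [(log label, new paths)] for keys already seen with other paths."""
    seen, hits = defaultdict(set), defaultdict(list)
    for label, text in logs:
        current = defaultdict(set)
        for line in text.splitlines():
            rec = parse(line.strip())
            if rec:
                current[rec[0]].add(rec[1])
        for key, paths in current.items():
            new = paths - seen[key]
            if seen[key] and new:
                hits[key].append((label, sorted(new)))
            seen[key] |= paths
    return dict(hits)

if __name__ == "__main__":
    for key, changes in respawned(LOGS).items():
        print(key, changes)
```

Entries whose path stays the same from log to log, such as the Acrobat BHO and the AVG Run value, are not reported; only entries that reappear with a fresh file name are.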
