hijackthis log.

  1. #1
    greyishue (Junior Member)

    hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:27:59 PM, on 10/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\peiying_2\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hzxfmqxruclrdnj.us/gYFs/K...LvwIaJIEeX.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [Manageronlineonceroad] C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\sizebin.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [web skip] C:\DOCUME~1\PEIYIN~1\APPLIC~1\CREATI~1\Send Bits Type.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


  2. #2
    Neal (Dedicated Member)
    Welcome,

    You have a LOP infection that often comes together with Messenger Plus. To remove it we will try the simple way first.

    1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

    2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

    3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

    4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question; otherwise, you won't have another chance of uninstalling.

    5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows; that's very important). When everything is complete, restart your computer and, hopefully, voilà, one nasty infection is gone.

    Reboot and post a new Hijackthis log please.

  3. #3
    greyishue (Junior Member)
    I don't see any sponsors in my taskbar, and I'm pretty sure I didn't even install them in the first place.
    So, how do I proceed?

  4. #4
    Neal (Dedicated Member)
    If you didn't remove Messenger Plus 3 from Add/Remove Programs, do so now please.

    Reboot if you did.

    Download both of these uninstallers, save them to your desktop, and then run them:

    http://lop.com/new_uninstall.exe

    http://lop.com/toolbar_uninstall.exe

    FYI. File sharing, bad and better:
    http://www.spywareinfo.com/articles/p2p/

    Reboot and do the below:

    Let's see what some virus scans can uncover, and we will go from there.

    Get the Stinger here:
    http://vil.nai.com/vil/stinger/

    Download it to another computer if need be, and bring it to the affected computer on a floppy disk.

    It will kill the top 53 virus files if any are found there.

    Then:

    Internet Explorer required
    Run these two online virus scanners, following the instructions below. First, Panda ActiveScan:
    http://www.pandasoftware.com/product..._principal.htm

    Internet Explorer required
    Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html

    These scans will take over an hour to complete. Panda and BitDefender both make logs of what is found; please save those and post them for me to take a look at, plus a new HijackThis log. Thanks.

  5. #5
    greyishue (Junior Member)
    This is the ActiveScan log.

    Incident Status Location

    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Atom stupid.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Bat16.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\BoobStupid.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\For dupe.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Heart bend.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\partcamp.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\REGSTHUNK.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Safe plan.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\SeekTime.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Soap Stop.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\window exit.exe
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WPE PRO.exe
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WpeSpy.dll
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WPE PRO.exe
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WpeSpy.dll
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WPE PRO.exe
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WpeSpy.dll
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WPE PRO.exe
    Hacktool:Sniffer/WpePro No disinfected C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WpeSpy.dll
    Adware:Adware/Lop No disinfected C:\Documents and Settings\peiying_2\Application Data\Creative Mode Lies\fvdhjbvu.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\peiying_2\Local Settings\Temp\18bc203c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\peiying_2\Local Settings\Temp\aetwnfvh.exe
    Virus:Trj/Agent.ANF Disinfected C:\WINDOWS\system32\MSAgentXP.exe
    Possible Virus. No disinfected C:\WINDOWS\system32\ulib.exe

  6. #6
    greyishue (Junior Member)
    BitDefender Online Scanner

    Scan report generated at: Sat, Oct 15, 2005 - 20:49:26

    Statistics
    Time 00:32:05
    Files 173409
    Folders 3287
    Boot Sectors 4
    Archives 1153
    Packed Files 26820

    Results
    Identified Viruses 9
    Infected Files 28
    Suspect Files 0
    Warnings 0
    Disinfected 0
    Deleted Files 28

    Engines Info
    Virus Definitions
    221628
    Engine build
    AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins 13
    Archive plugins 39
    Unpack plugins 4
    E-mail plugins 6
    System plugins 1

    Scanned File
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Atom stupid.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Atom stupid.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Atom stupid.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Bat16.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Bat16.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Bat16.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\BoobStupid.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\BoobStupid.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\BoobStupid.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\For dupe.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\For dupe.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\For dupe.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\partcamp.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\partcamp.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\partcamp.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\REGSTHUNK.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\REGSTHUNK.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\REGSTHUNK.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\SeekTime.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\SeekTime.exe
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\SeekTime.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.188\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX00.812\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX02.078\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WPE PRO.exe
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Local Settings\Temp\Rar$EX47.078\all hacks\WPE\WpeSpy.dll
    C:\Documents and Settings\peiying_2\Application Data\Creative Mode Lies\fvdhjbvu.exe
    C:\Documents and Settings\peiying_2\Application Data\Creative Mode Lies\fvdhjbvu.exe
    C:\Documents and Settings\peiying_2\Application Data\Creative Mode Lies\fvdhjbvu.exe
    C:\Documents and Settings\peiying_2\Local Settings\Temp\18bc203c.exe
    C:\Documents and Settings\peiying_2\Local Settings\Temp\18bc203c.exe
    C:\Documents and Settings\peiying_2\Local Settings\Temp\18bc203c.exe
    C:\Documents and Settings\peiying_2\Local Settings\Temp\aetwnfvh.exe
    C:\Documents and Settings\peiying_2\Local Settings\Temp\aetwnfvh.exe
    C:\Documents and Settings\peiying_2\Local Settings\Temp\aetwnfvh.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002185.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002185.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002185.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002187.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002187.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002187.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002188.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002188.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002188.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002189.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002189.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002189.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002190.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002190.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002190.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002191.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002191.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002191.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002192.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002192.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002192.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002193.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002193.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002193.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002205.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002205.exe
    C:\System Volume Information\_restore{F83A438A-0F34-4B28-8B96-B0D7CD763C6D}\RP16\A0002205.exe
    C:\WINDOWS\system32\agentsvr.exe
    C:\WINDOWS\system32\agentsvr.exe
    C:\WINDOWS\system32\agentsvr.exe

    And lastly, the HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:53:52 PM, on 10/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\wisptis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\peiying_2\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vrnjwrcbsflfjeyxkwdk.biz/...LvwIaJIEeX.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43AC62ED-248E-AE4F-10EB-FAA618EA6DF3} - C:\DOCUME~1\JIAMIN~1.DEL\APPLIC~1\MULTIG~1\poll beep.exe (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [Manageronlineonceroad] C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\sizebin.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [web skip] C:\DOCUME~1\PEIYIN~1\APPLIC~1\CREATI~1\Send Bits Type.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  7. #7
    Neal (Dedicated Member)
    Welcome back,

    Did you run the uninstallers for LOP?

    Make sure you can see hidden files/folders
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.


    Download CCleaner from here:
    http://www.majorgeeks.com/download4191.html
    or here:
    http://www.filehippo.com/download_ccleaner.html

    Do not run the tool yet, please; we will run it from safe mode.
    Install it. The Windows tab should be open in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.

    1. Uncheck "Cookies" under "Internet Explorer".

    2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".

    Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one. So print this, or create a new text document on the desktop (right-click an open area, select New > Text Document) and save it as whatever you like. Now put a check next to these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vrnjwrcbsflfjeyxkwdk.biz...vw IaJIEeX.php

    O2 - BHO: (no name) - {43AC62ED-248E-AE4F-10EB-FAA618EA6DF3} - C:\DOCUME~1\JIAMIN~1.DEL\APPLIC~1\MULTIG~1\poll beep.exe (file missing)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O4 - HKLM\..\Run: [Manageronlineonceroad] C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\sizebin.exe
    O4 - HKCU\..\Run: [web skip] C:\DOCUME~1\PEIYIN~1\APPLIC~1\CREATI~1\Send Bits Type.exe

    Again, make sure all browser windows are closed, and click Fix.


    Now reboot into safe mode: tap your F8 key upon restart, and when the safe mode screen appears, select Safe Mode and press Enter.

    Now run CCleaner, using the Windows tab only please.

    Still in safe mode:

    Now navigate to these files/folders through Windows Explorer and delete them please:

    C:\DOCUME~1\JIAMIN~1.DEL\Application Data\MULTIG~1 < folder (begins with MULTIG, in the Application Data folder)
    C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online < folder
    C:\DOCUME~1\PEIYIN~1\Application Data\Creative Mode Lies < folder (also in the Application Data folder)
    C:\WINDOWS\system32\ulib.exe < file

    Go to Start > Run and type: CLEANMGR.EXE and hit enter.
    When prompted select the C: drive and click ok.
    Check the boxes for:
    Temporary Internet Files
    Downloaded Program Files
    Recycle Bin
    Temporary Files
    Click OK or Enter

    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start.



    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log for further review, as well as the log from the Ewido scan.
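    The triage Neal does by hand on the first log and again in the fix list above (a search-bar domain that looks machine-generated, "(file missing)" and "(no file)" registrations, Run entries launching from Application Data) can be written down as a small screening script. This is an added example, not code from the thread, from HijackThis, or from any vendor: the sample lines are copied from the logs posted in this thread, and the "looks generated" rule in looks_generated() (eight or more letters, under 20% vowels) is this example's own assumption rather than a HijackThis rule.

```python
"""Screen a HijackThis 1.99-style log for the Lop-type patterns seen in this thread.

Added example; not code from the thread, from HijackThis, or from any vendor.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines copied from the logs posted in this thread (truncated URLs kept as posted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hzxfmqxruclrdnj.us/gYFs/K...LvwIaJIEeX.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43AC62ED-248E-AE4F-10EB-FAA618EA6DF3} - C:\DOCUME~1\JIAMIN~1.DEL\APPLIC~1\MULTIG~1\poll beep.exe (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Manageronlineonceroad] C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\sizebin.exe
O4 - HKCU\..\Run: [web skip] C:\DOCUME~1\PEIYIN~1\APPLIC~1\CREATI~1\Send Bits Type.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# R0/R1: "Rn - <registry value> = <url>"
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<url>\S+)$")
# O2/O3: "On - BHO|Toolbar: <name> - {CLSID} - <file or '(no file)'>"
O23_LINE = re.compile(
    r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Places a vendor autostart has no business living in (long and 8.3 forms, case-insensitive).
USER_WRITABLE = re.compile(
    r"documents and settings|docume~1|application data|applic~1|local settings|\\temp\\", re.I)
# HijackThis marks a registration whose file is gone with one of these suffixes.
DANGLING = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)


@dataclass
class Finding:
    line: str    # the log line exactly as it should be ticked in HijackThis
    reason: str  # why it was flagged


def looks_generated(label: str, min_len: int = 8, max_vowel_ratio: float = 0.2) -> bool:
    """Assumed rule: a long, almost vowel-free label such as 'hzxfmqxruclrdnj'."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def registrable_label(url: str) -> str:
    """Second-level label of the URL host: 'http://www.example.us/x' -> 'example'."""
    host = (urlparse(url).hostname or "").lower()
    labels = [part for part in host.split(".") if part]
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels else ""


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would tell the poster to fix, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := R_LINE.match(line)):
            label = registrable_label(m["url"])
            if looks_generated(label):
                findings.append(Finding(line, f"browser setting points at generated-looking domain label '{label}'"))
        elif (m := O23_LINE.match(line)):
            if DANGLING.search(m["target"]):
                findings.append(Finding(line, f"{m['kind']} registration whose file is gone (CLSID {m['clsid']})"))
        elif (m := O4_LINE.match(line)):
            if USER_WRITABLE.search(m["cmd"]):
                findings.append(Finding(line, f"{m['hive']} Run value '{m['name']}' launches from a user-writable profile path"))
    return findings


def fixlist(log_text: str) -> list[str]:
    """Just the lines to tick in HijackThis."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

    Run it as a script to print the fix list for the sample, or import it and pass a saved log to fixlist(). It is a screening aid only: an HKLM Run entry that drops its executable under Program Files with a plausible vendor name is not caught by these three rules and still needs the manual review the thread shows.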

  8. #8
    greyishue (Junior Member)
    I couldn't run the uninstallers for LOP. Whenever I download, some trojan would be detected.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:25:21 PM, on 10/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    _______________________________________________


    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 3:22:12 PM, 10/16/2005
    + Report-Checksum: B7736FC5

    + Scan result:

    C:\Documents and Settings\Guest\Cookies\guest@lop[2].txt -> Spyware.Cookie.Lop : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\jiaming\Local Settings\Application Data\Wildtangent\Cdacache\00\00\21.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@ayb.lop[1].txt -> Spyware.Cookie.Lop : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@lop[2].txt -> Spyware.Cookie.Lop : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\jiaming.DELL-0XUKCRTV2V\Cookies\jiaming@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


    ::Report End

  9. #9
    Neal is offline Dedicated Member
    Great job, LOP is no longer showing.


    Your log is now clean.

    How is your computer behaving?

    Let me know as I have some free prevention tools for you to help keep you safe on the net, kind of a going away prize, actually more like prize(s).

  10. #10
    greyishue is offline Junior Member
    Uh-oh. It's back again..

    Logfile of HijackThis v1.99.1
    Scan saved at 5:44:05 PM, on 10/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43AC62ED-248E-AE4F-10EB-FAA618EA6DF3} - C:\DOCUME~1\JIAMIN~1.DEL\APPLIC~1\MULTIG~1\poll beep.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [Manageronlineonceroad] C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Tray Flaw.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

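To show how a reader of the log above separates the returning LOP entries (an unnamed BHO under the user's Application Data, a Run key pointing into Documents and Settings) from the legitimate AVG, Spybot and Adobe entries, here is an added Python example that is not part of the thread or of HijackThis: it runs three simple checks over a constructed sample patterned on the O2/O4/O9 lines above. The sample text and the heuristics are assumptions of this example, and the unnamed-BHO check is deliberately treated as a weak signal because Spybot's own SDHelper.dll registers the same way.

```python
import re

# Constructed sample, patterned on the O2/O4/O9 lines in the logs above (not a real scan).
SAMPLE_LOG = r"""O2 - BHO: (no name) - {43AC62ED-248E-AE4F-10EB-FAA618EA6DF3} - C:\DOCUME~1\JIAMIN~1.DEL\APPLIC~1\MULTIG~1\poll beep.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Manageronlineonceroad] C:\Documents and Settings\All Users\Application Data\Regs Film Manager Online\Tray Flaw.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

SECTION_RE = re.compile(r"^(R[0-3]|O\d+)\s+-\s+")  # R0..R3 and O1..O23 entry lines
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# Locations an ordinary user account (or malware running as one) can write to; legitimate
# BHOs and Run entries almost always live under Program Files or the Windows directory.
PROFILE_RE = re.compile(r"DOCUME~1|Documents and Settings|APPLIC~1|Application Data", re.IGNORECASE)


def assess(line: str) -> list[str]:
    """Return the reasons one HijackThis entry deserves a closer look (empty = nothing odd)."""
    reasons = []
    m = PATH_RE.search(line)
    path = m.group(0) if m else ""
    if PROFILE_RE.search(path):
        reasons.append("binary lives in a user profile / Application Data path")
    if line.startswith("O2") and "(no name)" in line:
        # Weak on its own: Spybot's SDHelper.dll also registers as an unnamed BHO.
        reasons.append("unnamed BHO")
    if "(file missing)" in line:
        reasons.append("orphaned entry, registered file is gone")
    return reasons


def flag_log(text: str) -> dict[str, list[str]]:
    """Map every flagged entry line to its reasons; clean entries and header lines are omitted."""
    flagged = {}
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            reasons = assess(line)
            if reasons:
                flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in flag_log(SAMPLE_LOG).items():
        print(entry.split(" - ", 1)[1][:70], "->", "; ".join(why))
```

Run against the sample, the two LOP lines come out with a profile-path reason, SDHelper.dll only with the weak unnamed-BHO note, and the AVG and DriveLetterAccess entries are not flagged at all.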