Hi,

Here is what I was looking for in the start up list:

AC6845349187F7DC.job


That is the driveing force that is keeping LOP infection alive, so let's kill it now.


Download: Microsoft Task Scheduler Command Line Utility

http://mvps.org/winhelp2002/jt.zip

Unzip and copy jt.exe to your Windows folder.


Then


Open Notepad, copy and paste the below and "Save As" KillJobs.bat
In the "Save as type" select: All Files

@echo off
jt /sd AC6845349187F7DC.job

Copy KillJobs.bat to your Windows folder.
Double-click on "KillJobs.bat"
(when prompted, allow the file to run)


Then rescan with Panda and Ewido and post those logs back here and hopefully they will be shorter this time. Thanks.

Two new logs as requested...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:54:47, 23/03/2006
+ Report-Checksum: 51617E3

+ Scan result:

F:\My Documents\Network Tools\7thportscan.zip/portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.11 : Error during cleaning
F:\My Documents\Network Tools\BluesPortScan.exe -> Not-A-Virus.NetTool.Win32.Delf.d : Cleaned with backup
F:\My Documents\Other Things\Network Tools\7thportscan.zip/portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.11 : Error during cleaning
F:\My Documents\Other Things\unorganised stuff\stuff from oldie\Other Things\Crime\l0phtcrack.zip/LC_CLI.EXE -> Not-A-Virus.PSWTool.Win32.Lopht.100 : Cleaned with backup
F:\My Documents\Other Things\unorganised stuff\stuff from oldie\Other Things\Crime\l0phtcrack.zip/lc_gui.exe -> Not-A-Virus.PSWTool.Win32.Lopht.100 : Cleaned with backup


::Report End

************************************************** ******************


Incident Status Location

Adware:Adware/Lop Not disinfected C:\!KillBox\ARMYNOUN.exe
Adware:Adware/Cydoor Not disinfected C:\!KillBox\gdnp.dll
Adware:Adware/Cydoor Not disinfected C:\!KillBox\gdnp.dll( 1)
Potentially unwanted tool:Application/PWDump.C Not disinfected C:\!KillBox\PWDUMP.EXE
Adware:Adware/Lop Not disinfected C:\!KillBox\toolbar_uninstall.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Desktop\lopremover.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\1580c98d.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\15d709e7.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\15f46ab7.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\15f57236.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\15f5b927.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\15fb192a.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d120b6f8.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d120c949.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d1211073.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d123192a.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d123a88e.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d123a934.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d126a4b1.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d128c5b7.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d12d1961.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\elliot\Local Settings\Temp\d7009724.exe
Adware:Adware/Lop Not disinfected C:\Program Files\Hjt\backups\backup-20060320-223555-559.dll
Potentially unwanted tool:Application/PWDump.C Not disinfected F:\My Documents\Other Things\unorganised stuff\stuff from oldie\Other Things\Crime\l0phtcrack.zip[PWDUMP.EXE]


Thanks....

KillBox again,


In case you don't have it any more.


Download KillBox from here:---Please download TheKillbox by Option^Explicit.
from here:
http://downloads.subratam.org/KillBox.zip
or here:
http://download.broadbandmedic.com/
or here:
http://www.bleepingcomputer.com/fil...are/KillBox.zip
Unzip it to the desktop but do NOT run it yet.

1) Open up kill box now.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


F:\My Documents\Network Tools\7thportscan.zip/portscan.exe
C:\Documents and Settings\elliot\Local Settings\Temp\1580c98d.exe
C:\Documents and Settings\elliot\Local Settings\Temp\15d709e7.exe
C:\Documents and Settings\elliot\Local Settings\Temp\15f46ab7.exe
C:\Documents and Settings\elliot\Local Settings\Temp\15f57236.exe
C:\Documents and Settings\elliot\Local Settings\Temp\15f5b927.exe
C:\Documents and Settings\elliot\Local Settings\Temp\15fb192a.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d120b6f8.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d120c949.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d1211073.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d123192a.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d123a88e.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d123a934.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d126a4b1.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d128c5b7.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d12d1961.exe
C:\Documents and Settings\elliot\Local Settings\Temp\d7009724.exe
F:\My Documents\Other Things\unorganised stuff\stuff from oldie\Other Things\Crime\l0phtcrack.zip[PWDUMP.EXE]



4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


Give me a new hijackthis log and how is your computer behaving now?

Hi,
PC is behaving a lot better now - thanks. I can't see any problems at all.

The guy is coming to collect his PC later this morning so I won't be able to do much more with it. I've attached the latest Hijack log - does it look better??

Thanks for all your help.

Just my own PC to sort out now !!!

Mark

Logfile of HijackThis v1.99.1
Scan saved at 09:37:47, on 24/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\1134241360\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MP3SysTray] C:\Program Files\MP3 Manager\MP3TrayApp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134241360\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again....