Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDJ lop.com


  • This topic is locked This topic is locked
2 replies to this topic

#1 TDJ

TDJ

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 20 February 2005 - 09:02 AM

My computer is infected with spyware from lop.com due to use of messenger plus. Can you help me out?


Logfile of HijackThis v1.99.1
Scan saved at 14:58:10, on 20-2-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kazaa Lite\kazaalite.kpp
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\1337\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\KaZaA Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [RealTray] e:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Wayroadstyle32] C:\Documents and Settings\All Users\Application Data\DaleSettingsWayRoad\aim mfcd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Phone Boob] C:\DOCUME~1\1337\APPLIC~1\BATWAV~1\defaulttrustbib.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104619525577
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{490CCEDA-2769-4FB6-BDAA-F4E977C41F60}: NameServer = 195.121.1.34,195.121.1.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F39490-F68B-4484-9D23-1E38B26B48A3}: NameServer = 195.121.1.34 195.121.1.66
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

thanks in advance

Edited by TDJ, 20 February 2005 - 12:21 PM.


BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:10:36 PM

Posted 21 February 2005 - 01:33 PM

Hello TDJ and welcome to BleepingComputer.

Your log shows that you are seriously behind on windows updates. It is essential that you update your operating system as otherwise any infections we remove could reoccur. Go to Windows Update and if it asks to install software, allow it to do so. Install the offered Critical and Security updates, reboot as requested and return until you have installed all available Critical and Security updates.


In regard to Kazaalite, I direct your attention here. Note the section on Cracks.


You appear to have an incomplete install/uninstall of New.net.

Download LSPFix and unzip into it's own folder. If the next step leaves you without a functioning internet connection, you will need to run this.

To remove New.net please go to Add/Remove Programs, look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

Note: Misuse of LSPFix can cause loss of internet connectivity. Do not use it if it is not required.


Uninstall Messenger Plus. Many times doing so will also remove LOP.

I need you to check for hidden scheduled tasks that may be reinstalling LOP.
Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & pastes the following block of text into Notepad.

dir c:\windows\tasks /a > sched.txt
echo ------- >> sched.txt
attrib c:\windows\tasks\*.* >> sched.txt
notepad sched.txt
del sched.txt


Select 'Save as type:' as All Files,
Save the file to the desktop as sched.bat. Close Notepad.

Double click on sched.bat and a notepad file should open. Copy the contents of that file to your next post.


Post a new HJT log in addition to the above text file.
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:10:36 PM

Posted 07 March 2005 - 11:36 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users