
HijackThis Log: Please help Diagnose



#1 hkaura


Posted 25 October 2004 - 05:04 PM

Hi there, I know next to nil about computers, but I also follow directions very well. I was looking on the web for possible solutions to my www.searchweb2.com issue. This website keeps becoming my homepage and places toolbars on my window. I uninstalled Messenger Plus 3, as I read elsewhere that this would help. I downloaded HijackThis and followed the tutorial; this is what I came up with. This is my first time even posting anything, so I'm not even sure how to check when I get a response! Please help, my Ad-Aware isn't doing much to rid my computer of this annoyance. Here's my logfile...

Logfile of HijackThis v1.98.2
Scan saved at 5:52:23 PM, on 10/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\Mixer.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\Hema\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.swjalmrumsydklgm.org/G7w1bv2ySI...XSu0B2oStC.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://spnpynmhqfkipahcipuhgnsj.com/G7w1bv...zNM9uGz1yJI.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62C4BD74-1E7F-B4D3-F752-3DD81960B665} - C:\DOCUME~1\Hema\APPLIC~1\STYLET~1\internetoption.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Remote ping ooze free] C:\Documents and Settings\All Users\Application Data\Close Debug Remote Ping\settings plan.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\Hema\LOCALS~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe
O4 - HKCU\..\RunOnce: [remititit24895] C:\WINDOWS\system32\command.com /c del C:\DOCUME~1\ALLUSE~1\APPLIC~1\CLOSED~1\HOLEGP~1
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097373948484


 


#2 Nirvana


Posted 25 October 2004 - 08:55 PM

Hi hkaura,

You have a LOP infection. When you downloaded Messenger Plus! you were given the option to opt out of the sponsorship installation. Unfortunately you didn't opt out and here you are. Unfortunately, uninstalling Messenger Plus! won't get rid of LOP.

Go to Add/Remove in your control panel, then look for and uninstall, if found: Window Search, Window Searching, Lop.com, LOP Search, Browser Enhancer, Ultimate Browser Enhancer. If you are given a code to insert, do so.

If those that are listed above are not installed then d/l the LOP uninstaller.

Download the LOP uninstaller from HERE. Close IE and run the uninstaller; click OK>it will then ask you to type in a number that it supplies, do so and click 'uninstall'>yes>OK>OK.

Reboot, then post a new log and let us know how things are running.
"Computers are useless. They can only give you answers." Pablo Picasso

#3 hkaura


Posted 25 October 2004 - 10:10 PM

Thank you for your help, I appreciate it. Unfortunately, the website with the LOP uninstaller did not work. I entered in the code and all, but the searchweb2 toolbar still shows up. Under my add/remove programs, I have none of the above listed. Here is my current logfile:

Logfile of HijackThis v1.98.2
Scan saved at 10:51:17 PM, on 10/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\Mixer.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Hema\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62C4BD74-1E7F-B4D3-F752-3DD81960B665} - C:\DOCUME~1\Hema\APPLIC~1\STYLET~1\internetoption.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097373948484

Any more help would be greatly appreciated!
hkaura

#4 Nirvana


Posted 25 October 2004 - 10:37 PM

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

O2 - BHO: (no name) - {62C4BD74-1E7F-B4D3-F752-3DD81960B665} - C:\DOCUME~1\Hema\APPLIC~1\STYLET~1\internetoption.exe

O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe

Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode then find and delete:

C:\DOCUMENTS AND SETTINGS\Hema\APPLICATION DATA\STYLET <-------- Delete the folder starting with these six letters (contains the file: internetoption.exe).
C:\DOCUMENTS AND SETTINGS\Hema\APPLICATION DATA\MEOWGR <-------- Delete the folder starting with these six letters (contains the file: DupePlus.exe).

Reboot, then post a new log and let us know how things are running.
"Computers are useless. They can only give you answers." Pablo Picasso

#5 hkaura


Posted 28 October 2004 - 04:37 PM

Thank you so much for your help! No more problems, I appreciate your help.

Logfile of HijackThis v1.98.2
Scan saved at 5:32:23 PM, on 10/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\Mixer.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Hema\LOCALS~1\Temp\Temporary Directory 5 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Remote ping ooze free] C:\Documents and Settings\All Users\Application Data\Close Debug Remote Ping\ShimCoal.exe
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

#6 Nirvana


Posted 29 October 2004 - 02:58 AM

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

O4 - HKLM\..\Run: [Remote ping ooze free] C:\Documents and Settings\All Users\Application Data\Close Debug Remote Ping\ShimCoal.exe
O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe

Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode then find and delete:

C:\Documents and Settings\All Users\Application Data\Close Debug Remote Ping <-------- Delete this folder.
C:\Documents and Settings\Hema\Application Data\MEOWGR <-------- Delete the folder starting with these letters.

Reboot, then post a new log and let us know how things are running.
"Computers are useless. They can only give you answers." Pablo Picasso




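The comparison Nirvana makes by eye between the logs in posts #3 and #5 can be scripted. The following is an added example, not part of the original thread: it flags O2/O4 entries that load from an Application Data folder (long or 8.3 short form) and reports which flagged entries survive into the follow-up log and which suspicious ones are new. The function names and the flagging heuristic are assumptions made for illustration.

```python
import re

# Constructed samples: O2/O4 lines copied from the second and third logs in this thread.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62C4BD74-1E7F-B4D3-F752-3DD81960B665} - C:\DOCUME~1\Hema\APPLIC~1\STYLET~1\internetoption.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe
"""
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Remote ping ooze free] C:\Documents and Settings\All Users\Application Data\Close Debug Remote Ping\ShimCoal.exe
O4 - HKCU\..\Run: [hope fast] C:\DOCUME~1\Hema\APPLIC~1\MEOWGR~1\DupePlus.exe
"""

ENTRY = re.compile(r"^O(2|4) - ")
# Application Data in long form or 8.3 short form (e.g. APPLIC~1)
APPDATA = re.compile(r"\\(application data|applic~\d)\\", re.IGNORECASE)

def entries(log):
    """Return the O2 (BHO) and O4 (autorun) lines of a HijackThis log."""
    return [s for s in (line.strip() for line in log.splitlines()) if ENTRY.match(s)]

def suspicious(entry):
    """Triage heuristic (an assumption, not a verdict): the entry loads from an
    Application Data folder, or it is a BHO that points at an .exe."""
    exe_bho = entry.startswith("O2") and entry.lower().endswith(".exe")
    return bool(APPDATA.search(entry)) or exe_bho

def review(before, after):
    """Compare a pre-fix log with the follow-up log."""
    old, new = entries(before), entries(after)
    flagged = [e for e in old if suspicious(e)]
    return {
        "flagged": flagged,
        "persisting": [e for e in flagged if e in new],
        "new": [e for e in new if suspicious(e) and e not in old],
    }

if __name__ == "__main__":
    for key, lines in review(LOG_BEFORE, LOG_AFTER).items():
        print(key.upper())
        for line in lines:
            print("   ", line)
```

Legitimate software also installs under Application Data, so a flagged line is a prompt for manual review rather than a removal list.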