Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


hjt Log - lop and searchweb2

  • This topic is locked This topic is locked
2 replies to this topic

#1 hopelesshelpless


  • Members
  • 1 posts
  • Local time:05:31 PM

Posted 27 October 2004 - 11:55 PM

I get a message that something is trying to change parts of my computer about every 15 seconds. And I have an annoying search bar at the bottom of the screen that cannot be removed or moved and that blocks several items. Clicking on it shows me names that include "lop" or "searchweb2" which I understand do not constitute good news (I once got "lop" into the system, and foolishly contacted the lop folks to ascertain how to remove it; did not then know that their technique actually leaves it in the system).

I have Norton running, and run adaware about once a week.

Anyway, I have run hijack this - maybe incorrectly, for it took much less time than I expected and several of the steps did not seem to be required - and got the following log. Can anyone tell me what to do next?

Logfile of HijackThis v1.98.2
Scan saved at 9:03:18 PM, on 10/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\GORDON~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F17C962-514F-41CA-1422-9EE7CB5252DA} - C:\PROGRA~1\OKAYDV~1\inside heck.exe (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error soap link nurb] C:\Documents and Settings\All Users\Application Data\Amen ping error soap\Hope cash.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Htmdriveerrordead] C:\Documents and Settings\All Users\Application Data\bagsabouthtmdrive\time dog.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [fourlink] C:\DOCUME~1\GORDON~1\APPLIC~1\MIXRDR~1\Log Logo.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {59F6BF5C-34EF-42B2-B3D7-1773A5895B7A} - http://www.jorc-cdreldj.ca/winform.stop/wi.../en/WinForm.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

BC AdBot (Login to Remove)


#2 KoanYorel


    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:06:31 PM

Posted 28 October 2004 - 04:42 PM

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 ddeerrff



  • Malware Response Team
  • 2,741 posts
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:04:31 PM

Posted 01 November 2004 - 04:27 PM

Hello hopelesshelpless and welcome to Bleeping Computer.

You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder. If required a tutorial is here: Hijackthis Folder Tutorial

You have SpywareGuard running. This is a good program, but if left running may interfere with the fix. Please right click the running icon of Spywareguard, it will open the program then select Menu, file, exit, and confirm the programs close.

You are running Messenger Plus. This application has been associated with a malware infection called LOP. I strongly recommend you remove the app entirely. To do so, go to Control Panel, Add/Remove Programs, and uninstall Messenger Plus.

You have a LOP infection.

Go to Add/Remove in your control panel then look for and uninstall if found, Window Search, Window Searching, Lop.com, LOP Search, Browser Enhancer, or Ultimate Browser Enhancer. If you are given a code to insert, do so.

If those that are listed above are not installed then you will need to use the LOP uninstaller.

Download the LOP uninstaller from here. Close IE and run the uninstaller; click OK > it will then ask you to type in a number that it supplies, do so and click 'uninstall' > yes > OK > OK.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O2 - BHO: (no name) - {3F17C962-514F-41CA-1422-9EE7CB5252DA} - C:\PROGRA~1\OKAYDV~1\inside heck.exe (file missing)
O4 - HKLM\..\Run: [Error soap link nurb] C:\Documents and Settings\All Users\Application Data\Amen ping error soap\Hope cash.exe
O4 - HKLM\..\Run: [Htmdriveerrordead] C:\Documents and Settings\All Users\Application Data\bagsabouthtmdrive\time dog.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

If removing Messenger Plus, also check these lines if they still exist:
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe" /WinStart

I find no information on this program. If you know what it is and want to keep it, leave this alone. Otherwise check for removal:
O4 - HKCU\..\Run: [fourlink] C:\DOCUME~1\GORDON~1\APPLIC~1\MIXRDR~1\Log Logo.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Reboot into Safe Mode and enable viewing of Hidden and System files. Open Windows Explorer (Windows key+e), drill down and delete the following files and folders if found:

C:\Documents and Settings\All Users\Application Data\Amen ping error soap\ <--Folder
C:\Documents and Settings\All Users\Application Data\bagsabouthtmdrive\ <--Folder

C:\Program Files\Messenger Plus! 2\ <--Folder, only if removing Messenger Plus
C:\DOCUME~1\GORDON~1\APPLIC~1\MIXRDR~1\ <--Folder, only if removing fourlink/log logo.exe

Reboot back into normal mode and post a new HJT log.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users