Plz..plz...plz...getting crazy...

**kikki70** · 09-22-2004, 04:49 PM

Hi all.
I'm new here, and i'm trying to my pc fixed since 1 month!!
I was in SWI forum too, but no way to get the prob fixed.
I have some files like: inst.exe,Wipe cast tray.exe,...that i cannot even find on my pc to get fixed.
Somebody can help me plz?
Thanks in advance from someone that is really getting crazy...;-)

Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 10:40:20 PM, on 9/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\eMule\emule.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH5...IBPy8R2uZ.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
O4 - HKLM\..\Run: [OkayVcLinkWipe] C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O13 - DefaultPrefix:
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

**Steve** · 09-22-2004, 11:31 PM

Hi kikki70,

Looks to me like you've picked up a LOP infection, evident in this entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH...XIBPy8R2uZ.html

You can download and run the lop uninstaller here:

http://lop.com/new_uninstall.exe

Then post a fresh HJT log.

**Budfred** · 09-23-2004, 12:28 AM

If someone is helping you at SWI, it is not a good idea to go to another forum and ask for help... If you are not going to continue with SWI, please post a note to that effect so none of the volunteers waste time working up a fix that you won't be using....

Also, please note that the uninstall is from LOP itself, so there is no guarantee that you won't get other malware from them or that the fix will work... It can be removed manually by booting to Safe Mode and checking these items in HJT:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH...XIBPy8R2uZ.html
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
O4 - HKLM\..\Run: [OkayVcLinkWipe] C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe

Close all open windows and browsers, click on FIX...

It would also be a good idea to download setup and update Ad-Aware SE and also McAfee Stinger before going into safe mode and run them there... One of those items is from a worm...

Then make sure Windows is set to show all hidden and system files and look for these and delete them if you can find them...

C:\WINDOWS\System\Inst.exe install
C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe

Then reboot and post a fresh HJT log...

**Steve** · 09-23-2004, 06:03 PM

Budfred is correct. The uninstaller is from LOP.

so there is no guarantee that you won't get other malware from them or that the fix will work

Guarantees are hard to come by in this world but having used it a dozen times in the shop and having recommended it on a few successful internet fixes, I'm pretty confident that it will work. None of the machines I've used it on has been infected with anything new.

Bud', seeing that you're keeping track of the traffic at Spyware info, have you seen any cases where it didn't work or the computers were infected with more malware? I'd hate to use or recommend it if there are known problems.

**Budfred** · 09-23-2004, 07:08 PM

I have not seen any cases where it is used and hasn't work... I have seen a number of cases where it wasn't used and LOP was cleared out... My concern is that you are allowing the scumwriters who created LOP access to your system and you have no way to know for sure that they didn't bury some kind of time bomb in the user's system or that even though it was benign last time that it is not malicious today... I don't trust the malware producers to fixt the crap they hide in our systems... If they were honest, would they need to disguise their program so the average user can't identify and remove it??

Regardless of what you do with LOP, that other issue needs to be addressed...

**Steve** · 09-23-2004, 07:30 PM

Thanks Bud'.

I think what is going on is the LOP people are trying to stay one inch inside the legal line. They put this crap on your computer but they also provide an effective way to remove it ... if you can recognize it as LOP and if you can find the uninstaller. Nice guys...

**kikki70** · 09-24-2004, 01:01 AM

Hi Budfred,Steve,
i tryed weeks ago with the lop uninstaller, but no way. Things are always on my pc, and i keep having connection problems.
I will not suggest to other people with the same prob to use the Lop new_uninstaller (pehaps the older version ways working, but the new_....)
The big prob is that i cannot phisically find this items on my PC, even with show hidden files:
Inst.exe install
Wipe cast tray.exe
Wipe Win.exe

Is there a way to find them?
(I already used: WinTasks 4 pro, Disk Investigator,Power Searcher and Disk Investigator)

Thx in advance for helping me

**Steve** · 09-24-2004, 05:25 PM

Hi kikki70,

If you open Windows Explorer and click Tools > Folder Options > View, the forth item in the list is "Display the contents of system folders". That item will need to be checked for you to find that file.

Give that a look and let us know if that solves the problem.

**Budfred** · 09-24-2004, 10:27 PM

If that doesn't work, there is a way to show "superhidden" files so we will have to do that... It involves a Regedit, so try the easier way first...

**kikki70** · 09-25-2004, 02:04 AM

Bud,Steve,

the box "Display contents of sys folder" is already checked.
It's about superhidden.
How to get them with regedit?

**Budfred** · 09-25-2004, 02:27 AM

Use this and see if you can kill those files... You will need to delete them in Safe Mode so they are less likely to be running... Also, did you run the HJT fixes??

Run this registry script, which forces Windows to show so called "superhidden" files:
Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")

Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

This is only for XP or 2000 systems

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[snapback]652[/snapback]

**kikki70** · 09-25-2004, 05:55 AM

Bud,
even with the regedit i cannot see those files...it's unbelivable.
What is not in my C is:
C:\WINDOWS\System\Inst.exe install
C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe

Strange is that my system folder is written as "system", and not "System" (note caps)
The other folders, even with supehidden doesnt show up.
I run yesterday HJT. Today my log is this one:

Logfile of HijackThis v1.98.2
Scan saved at 11:58:09 AM, on 9/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O13 - DefaultPrefix:
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

The trojans or spywares r always active, as u can see in the Ad-Watch log:

Ad-watch Logfile, exported on 9/25/2004
Total number of events:5
===============================================
9/25/2004 11:58:29 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Inst
Data:C:\WINDOWS\System\Inst.exe install
New Data:

Attempt to alter the autostart section (Blocked)

===============================================
9/25/2004 11:58:30 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Remote win
Data:C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
New Data:

Attempt to alter the autostart section (Blocked)

===============================================
9/25/2004 11:58:30 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:OkayVcLinkWipe
Data:C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe
New Data:

Attempt to alter the autostart section (Blocked)

===============================================
9/25/2004 11:58:31 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:Start Page
Data:
New Data:about:blank

Possible browser hijack attempt (Blocked)

===============================================
9/25/2004 11:58:31 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:http://www.mzidndqnytml.com/PGWGTKH5...IBPy8R2uZ.html
New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

Possible browser hijack attempt (Blocked)

===============================================

Some more suggetions?

Sorry for that, its one month about having troubles with my PC...i'm thinking to format, if it's the only solution..

**Budfred** · 09-25-2004, 09:09 AM

It is very odd that you can't find those files with Superhidden files revealed... You should be able to see just about everything... Did you run the online virus scan?? You might want to run a couple more or download and run Stinger from McAfee in Safe Mode...

Also, keep in mind on this one:

O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe

That this is shortened by HJT and only an indication of what the folder is actually called: "SIGNLO~1".... Look for a folder in the larger PROGRA~1 folder that starts with that and kill it...

**kikki70** · 09-25-2004, 01:41 PM

Hey Bud,
i would really take a screenshot of my C: folder, where u will see that the folder
PROGRA~1 is not inside, even with superhidden files.
I did an online virus scan, and run in safe mode stinger.exe.

What's up to my PC?
Is there any other utility that can show up every file on my HD?

**Steve** · 09-25-2004, 02:04 PM

kikki70,

I think the reason that you can't find the files is that they just aren't on your computer. There is no evidence of them in your last HJT log. Whether it's because of the LOP uninstaller or the manual fix, they're gone. There is no evidence of a LOP infection in your latest HJT log. Your log looks clean.

You can fix the following entry with HJT:

O13 - DefaultPrefix:

I assume the Ad-Watch log you posted is from AdAware. Ad-Watch uses the same definitions as AdAware. If you are stilled concerned, run AdAware.

Are you having any problems with your computer?

**kikki70** · 09-25-2004, 02:41 PM

Bud,
i fixed O13 - DefaultPrefix: , things are always bad.
I have a benchmark to test my PC: Running Toca Race Driver 2 on multiplayer.
I got always cropped frames, this means that something is trying to connect to internet, or somewhere else.
Some when running other multiplayer games...

(

This is my new log:

Logfile of HijackThis v1.98.2
Scan saved at 8:46:37 PM, on 9/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH5...IBPy8R2uZ.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
O4 - HKLM\..\Run: [OkayVcLinkWipe] C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O13 - DefaultPrefix:
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

What do u think now?

**Budfred** · 09-25-2004, 03:54 PM

Those LOP and the worm items are back in this log...

Keep in mind that this "PROGRA~1" is probably actually the folder Program Files and you pretty much have to have that on your C: since it is where most programs install.... Again, that is just the way HJT shortens things to fit them in the window...

I am not sure what else to try at this point... You could download the trial of TrojanHunter or TDS3 to see if there is a trojan keeping things going... You will need to turn AdWatch off to successfully remove these things, so if you haven't already tried that, turn it off, run the fixes and deletions again, then see if your system is clean...

**kikki70** · 09-25-2004, 04:26 PM

Bud,Steve,

thx really a lot for helping me...i think the only solution that i have....well...is the hardest...just formatting.
I scanned all the machine with TrojanHunter and TDS3, nothing strange found.
Thanks a lot again.

**Steve** · 09-25-2004, 04:35 PM

kikki,

LOP is installed by ActiveX from many sites, often pop-up ads. It is usually an easy pest to get rid of. Seeing that your logs show that you are clear of this adware and then you have it again, I think you are being reinfected by going to a site that is using drive by ActiveX infection methods. The only protection for this, that I know of, is to shut off all ActiveX in IE or switching to a browser that doesn't have this vulnerability such as Firefox.

You should use the uninstaller or the manual methods to clean your machine, again, and then take one of the precautions I mentioned.

Good luck...

**kikki70** · 09-27-2004, 04:27 PM

Guys,
something strange happens.
After uninstalling LOP,fixing by HJT, using stinger, rebooting, and all that, when rebbooting my pc i have the lag prob as before, but if a fix in HJT the 013- default prefix the prob desappears.
Well, i introduced the task when booting my PC..:-)

**Budfred** · 09-27-2004, 06:08 PM

I'm sorry, but I don't know what you are saying... Could you say it in more detail??

**kikki70** · 09-29-2004, 02:40 PM

Hi Bud,

the situation now is that if i fix 013- default prefix with HJT all the problems on my pc seems to be avoid.
Just this.
Thx for supporting me.

bye

**Paul Komski** · 09-29-2004, 08:27 PM

save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")

If one decides to save as any file - then as long as the whole file name plus its file extension is within inverted columns the file will saved as is with only what is inside the inverted commas - and whether the file name has an extension or not.

So, for example, if you were to use notepad with its setting Save as type set to text documents (*.txt) then one should get the following results:

"ntldr" gets saved as ntldr but ntldr gets saved as ntldr.txt
"thisfile.xxx" gets saved as thisfile.xxx but thisfile.xxx gets saved as thisfile.xxx.txt

He He He and there's always an exception

"Unhide.reg" gets saved as Unhide.reg but (on my current system anyways) Unhide.reg also gets saved as Unhide.reg

This thing of file names in parenthesis being saved as is is not unique to notepad and should work in any application that uses the Common Dialog Control to do this.

Thread: Plz..plz...plz...getting crazy...

Thread Tools

Plz..plz...plz...getting crazy...

Here's a really useful tip!

Thread Information

Users Browsing this Thread

Posting Permissions