
Thread: Plz..plz...plz...getting crazy...

  1. #1

    Plz..plz...plz...getting crazy...

    Hi all.
    I'm new here, and I've been trying to get my PC fixed for 1 month!!
    I was in SWI forum too, but no way to get the prob fixed.
    I have some files like: inst.exe, Wipe cast tray.exe,... that I cannot even find on my PC to get fixed.
    Can somebody help me plz?
    Thanks in advance from someone that is really getting crazy...;-)

    Here is my HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:40:20 PM, on 9/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\LIUtilities\WinTasks\wintasks.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\Profiler\lwemon.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\eMule\emule.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH5...IBPy8R2uZ.html
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
    O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
    O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
    O4 - HKLM\..\Run: [OkayVcLinkWipe] C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
    O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
    O13 - DefaultPrefix:
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

  2. #2
    Join Date: Aug 2000 | Location: GreatNorthWoods | Posts: 2,883
    Hi kikki70,

    Looks to me like you've picked up a LOP infection, evident in this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH...XIBPy8R2uZ.html

    You can download and run the lop uninstaller here:

    http://lop.com/new_uninstall.exe

    Then post a fresh HJT log.

  3. #3
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    If someone is helping you at SWI, it is not a good idea to go to another forum and ask for help... If you are not going to continue with SWI, please post a note to that effect so none of the volunteers waste time working up a fix that you won't be using....

    Also, please note that the uninstall is from LOP itself, so there is no guarantee that you won't get other malware from them or that the fix will work... It can be removed manually by booting to Safe Mode and checking these items in HJT:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH...XIBPy8R2uZ.html
    O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
    O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
    O4 - HKLM\..\Run: [OkayVcLinkWipe] C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe

    Close all open windows and browsers, click on FIX...

    It would also be a good idea to download setup and update Ad-Aware SE and also McAfee Stinger before going into safe mode and run them there... One of those items is from a worm...

    Then make sure Windows is set to show all hidden and system files and look for these and delete them if you can find them...

    C:\WINDOWS\System\Inst.exe install
    C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
    C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe

    Then reboot and post a fresh HJT log...
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...

  4. #4
    Join Date: Aug 2000 | Location: GreatNorthWoods | Posts: 2,883
    Budfred is correct. The uninstaller is from LOP.

    "so there is no guarantee that you won't get other malware from them or that the fix will work"
    Guarantees are hard to come by in this world but having used it a dozen times in the shop and having recommended it on a few successful internet fixes, I'm pretty confident that it will work. None of the machines I've used it on has been infected with anything new.

    Bud', seeing that you're keeping track of the traffic at Spyware info, have you seen any cases where it didn't work or the computers were infected with more malware? I'd hate to use or recommend it if there are known problems.

  5. #5
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    I have not seen any cases where it is used and hasn't worked... I have seen a number of cases where it wasn't used and LOP was cleared out... My concern is that you are allowing the scumwriters who created LOP access to your system and you have no way to know for sure that they didn't bury some kind of time bomb in the user's system or that even though it was benign last time that it is not malicious today... I don't trust the malware producers to fix the crap they hide in our systems... If they were honest, would they need to disguise their program so the average user can't identify and remove it??

    Regardless of what you do with LOP, that other issue needs to be addressed...
    Budfred ..... Caveat Emptor....

  6. #6
    Join Date: Aug 2000 | Location: GreatNorthWoods | Posts: 2,883
    Thanks Bud'.

    I think what is going on is the LOP people are trying to stay one inch inside the legal line. They put this crap on your computer but they also provide an effective way to remove it ... if you can recognize it as LOP and if you can find the uninstaller. Nice guys...

  7. #7
    Hi Budfred,Steve,
    I tried weeks ago with the lop uninstaller, but no way. Things are always on my PC, and I keep having connection problems.
    I will not suggest to other people with the same prob to use the Lop new_uninstaller (perhaps the older version was working, but the new_....)
    The big prob is that I cannot physically find these items on my PC, even with show hidden files:
    Inst.exe install
    Wipe cast tray.exe
    Wipe Win.exe

    Is there a way to find them?
    (I already used: WinTasks 4 pro, Disk Investigator,Power Searcher and Disk Investigator)

    Thx in advance for helping me

  8. #8
    Join Date: Aug 2000 | Location: GreatNorthWoods | Posts: 2,883
    Hi kikki70,

    If you open Windows Explorer and click Tools > Folder Options > View, the fourth item in the list is "Display the contents of system folders". That item will need to be checked for you to find that file.

    Give that a look and let us know if that solves the problem.

  9. #9
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    If that doesn't work, there is a way to show "superhidden" files so we will have to do that... It involves a Regedit, so try the easier way first...
    Budfred ..... Caveat Emptor....

  10. #10
    Bud,Steve,

    the box "Display contents of sys folder" is already checked.
    It's about superhidden.
    How to get them with regedit?

  11. #11
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    Use this and see if you can kill those files... You will need to delete them in Safe Mode so they are less likely to be running... Also, did you run the HJT fixes??

    Run this registry script, which forces Windows to show so called "superhidden" files:
    Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")

    Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

    This is only for XP or 2000 systems

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
    "SearchSystemDirs"=dword:00000001
    "SearchHidden"=dword:00000001
    "IncludeSubFolders"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    "ShowSuperHidden"=dword:00000001
    Budfred ..... Caveat Emptor....

  12. #12
    Bud,
    even with the regedit I cannot see those files...it's unbelievable.
    What is not in my C is:
    C:\WINDOWS\System\Inst.exe install
    C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
    C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe

    Strange is that my system folder is written as "system", and not "System" (note caps)
    The other folders, even with superhidden, don't show up.
    I ran HJT yesterday. Today my log is this one:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:58:09 AM, on 9/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\Profiler\lwemon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
    O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
    O13 - DefaultPrefix:
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

    The trojans or spywares r always active, as u can see in the Ad-Watch log:

    Ad-watch Logfile, exported on 9/25/2004
    Total number of events:5
    ===============================================
    9/25/2004 11:58:29 AM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:Inst
    Data:C:\WINDOWS\System\Inst.exe install
    New Data:

    Attempt to alter the autostart section (Blocked)

    ===============================================
    9/25/2004 11:58:30 AM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:Remote win
    Data:C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
    New Data:

    Attempt to alter the autostart section (Blocked)

    ===============================================
    9/25/2004 11:58:30 AM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:OkayVcLinkWipe
    Data:C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe
    New Data:

    Attempt to alter the autostart section (Blocked)

    ===============================================
    9/25/2004 11:58:31 AM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Internet Explorer\Search
    Value:Start Page
    Data:
    New Data:about:blank

    Possible browser hijack attempt (Blocked)

    ===============================================
    9/25/2004 11:58:31 AM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Search
    Value:SearchAssistant
    Data:http://www.mzidndqnytml.com/PGWGTKH5...IBPy8R2uZ.html
    New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    Possible browser hijack attempt (Blocked)

    ===============================================

    Some more suggestions?

    Sorry for that, its one month about having troubles with my PC...i'm thinking to format, if it's the only solution..

  13. #13
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    It is very odd that you can't find those files with Superhidden files revealed... You should be able to see just about everything... Did you run the online virus scan?? You might want to run a couple more or download and run Stinger from McAfee in Safe Mode...

    Also, keep in mind on this one:

    O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe

    That this is shortened by HJT and only an indication of what the folder is actually called: "SIGNLO~1".... Look for a folder in the larger PROGRA~1 folder that starts with that and kill it...
    Budfred ..... Caveat Emptor....

  14. #14
    Hey Bud,
    I would really take a screenshot of my C: folder, where u will see that the folder
    PROGRA~1 is not inside, even with superhidden files.
    I did an online virus scan, and ran stinger.exe in safe mode.

    What's up to my PC?
    Is there any other utility that can show up every file on my HD?

  15. #15
    Join Date: Aug 2000 | Location: GreatNorthWoods | Posts: 2,883
    kikki70,

    I think the reason that you can't find the files is that they just aren't on your computer. There is no evidence of them in your last HJT log. Whether it's because of the LOP uninstaller or the manual fix, they're gone. There is no evidence of a LOP infection in your latest HJT log. Your log looks clean.

    You can fix the following entry with HJT:

    O13 - DefaultPrefix:

    I assume the Ad-Watch log you posted is from AdAware. Ad-Watch uses the same definitions as AdAware. If you are still concerned, run AdAware.

    Are you having any problems with your computer?

  16. #16
    Bud,
    I fixed O13 - DefaultPrefix: , things are always bad.
    I have a benchmark to test my PC: Running Toca Race Driver 2 on multiplayer.
    I always get cropped frames, this means that something is trying to connect to internet, or somewhere else.
    Same when running other multiplayer games...(

    This is my new log:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:46:37 PM, on 9/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\Profiler\lwemon.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mzidndqnytml.com/PGWGTKH5...IBPy8R2uZ.html
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
    O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
    O4 - HKLM\..\Run: [OkayVcLinkWipe] C:\Documents and Settings\All Users\Application Data\LIES COPY OKAY VC\Wipe Win.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
    O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
    O13 - DefaultPrefix:
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

    What do u think now?

  17. #17
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    Those LOP and the worm items are back in this log...

    Keep in mind that this "PROGRA~1" is probably actually the folder Program Files and you pretty much have to have that on your C: since it is where most programs install.... Again, that is just the way HJT shortens things to fit them in the window...

    I am not sure what else to try at this point... You could download the trial of TrojanHunter or TDS3 to see if there is a trojan keeping things going... You will need to turn AdWatch off to successfully remove these things, so if you haven't already tried that, turn it off, run the fixes and deletions again, then see if your system is clean...
    Budfred ..... Caveat Emptor....

  18. #18
    Bud,Steve,

    thx really a lot for helping me...i think the only solution that i have....well...is the hardest...just formatting.
    I scanned all the machine with TrojanHunter and TDS3, nothing strange found.
    Thanks a lot again.

  19. #19
    Join Date: Aug 2000 | Location: GreatNorthWoods | Posts: 2,883
    kikki,

    LOP is installed by ActiveX from many sites, often pop-up ads. It is usually an easy pest to get rid of. Seeing that your logs show that you are clear of this adware and then you have it again, I think you are being reinfected by going to a site that is using drive by ActiveX infection methods. The only protection for this, that I know of, is to shut off all ActiveX in IE or switching to a browser that doesn't have this vulnerability such as Firefox.

    You should use the uninstaller or the manual methods to clean your machine, again, and then take one of the precautions I mentioned.

    Good luck...
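The logs posted above show the Inst and Remote win Run entries dropping out of one HijackThis log and returning in the next, with Ad-Watch recording blocked changes to the same values in between (post #17 advises turning Ad-Watch off before fixing). As an added example, not code from any poster in this thread, the following Python parses both log formats as they appear here and reports which returning entries had a blocked change logged. The sample strings are abridged from the posted logs, and reading an empty "New Data" on the Run key as a removal attempt is an assumption.

```python
import re

# Constructed input: Run lines abridged from the thread's three HijackThis logs
# (9/22 10:40 PM, 9/25 11:58 AM, 9/25 8:46 PM), oldest first.
SCANS = [
    r"""O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe""",
    r"""O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe""",
    r"""O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKLM\..\Run: [Remote win] C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe""",
]

# Constructed input: three events abridged from the Ad-Watch export in post #12.
ADWATCH = r"""Ad-watch Logfile, exported on 9/25/2004
===============================================
9/25/2004 11:58:29 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Inst
Data:C:\WINDOWS\System\Inst.exe install
New Data:
Attempt to alter the autostart section (Blocked)
===============================================
9/25/2004 11:58:30 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Remote win
Data:C:\PROGRA~1\SIGNLO~1\Wipe cast tray.exe
New Data:
Attempt to alter the autostart section (Blocked)
===============================================
9/25/2004 11:58:31 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:Start Page
Data:
New Data:about:blank
Possible browser hijack attempt (Blocked)
==============================================="""

RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
FIELDS = ("Root", "Key", "Value", "Data", "New Data")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

def parse_run_entries(hjt_log):
    """Return {(hive, value_name): command} for the O4 Run lines of one log."""
    entries = {}
    for line in hjt_log.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
    return entries

def reappearing(scans):
    """Entries present in a scan, missing from a later one, then present again."""
    parsed = [parse_run_entries(s) for s in scans]
    found = set()
    for key in set().union(*parsed):
        seen = [key in p for p in parsed]
        rest = seen[seen.index(True):]  # from the first sighting onward
        if False in rest and True in rest[rest.index(False):]:
            found.add(key)
    return found

def parse_adwatch(log):
    """Split an Ad-Watch export on its ==== rules into one dict per event."""
    events = []
    for chunk in re.split(r"^={5,}$", log, flags=re.M):
        ev = {}
        for line in chunk.splitlines():
            name, sep, value = line.strip().partition(":")
            if sep and name in FIELDS:
                ev[name] = value.strip()
            elif "(Blocked)" in line:
                ev["Blocked"] = True
        if "Value" in ev:
            events.append(ev)
    return events

def blocked_run_clears(events):
    """Run values whose change from a command to empty data was logged as blocked.
    Assumption: empty 'New Data' on the Run key means a removal attempt."""
    out = set()
    for ev in events:
        on_run_key = ev.get("Key", "").lower().endswith(r"currentversion\run")
        if ev.get("Blocked") and on_run_key and ev.get("Data") and not ev.get("New Data"):
            out.add((HIVES.get(ev["Root"], ev["Root"]), ev["Value"]))
    return out

def explain(scans, adwatch_log):
    """Map each reappearing Run entry to whether a blocked clear was logged for it."""
    blocked = blocked_run_clears(parse_adwatch(adwatch_log))
    return {key: key in blocked for key in sorted(reappearing(scans))}

if __name__ == "__main__":
    for (hive, name), was_blocked in explain(SCANS, ADWATCH).items():
        print(f"{hive} Run [{name}] came back; blocked clear logged: {was_blocked}")
```

An entry that returns with a blocked clear logged for it points at the resident protection tool undoing the fix, which is a different cause from a fresh drive-by reinstall and calls for a different remedy.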

  20. #20
    Guys,
    something strange happens.
    After uninstalling LOP, fixing by HJT, using stinger, rebooting, and all that, when rebooting my PC I have the lag prob as before, but if I fix in HJT the O13 - DefaultPrefix the prob disappears.
    Well, I introduced the task when booting my PC..:-)

  21. #21
    Join Date: Jul 2002 | Location: Minn | Posts: 17,373
    I'm sorry, but I don't know what you are saying... Could you say it in more detail??
    Budfred ..... Caveat Emptor....

  22. #22
    Hi Bud,

    the situation now is that if I fix O13 - DefaultPrefix with HJT all the problems on my PC seem to be avoided.
    Just this.
    Thx for supporting me.

    bye

  23. #23
    Join Date: Oct 2001 | Location: N of the S of Ireland | Posts: 20,501

    Here's a really useful tip!

    "save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")"
    If one decides to save as any file - then as long as the whole file name plus its file extension is within inverted commas the file will be saved as is with only what is inside the inverted commas - and whether the file name has an extension or not.

    So, for example, if you were to use notepad with its setting Save as type set to text documents (*.txt) then one should get the following results:

    "ntldr" gets saved as ntldr but ntldr gets saved as ntldr.txt
    "thisfile.xxx" gets saved as thisfile.xxx but thisfile.xxx gets saved as thisfile.xxx.txt

    He He He and there's always an exception
    "Unhide.reg" gets saved as Unhide.reg but (on my current system anyways) Unhide.reg also gets saved as Unhide.reg

    This thing of file names in parenthesis being saved as is is not unique to notepad and should work in any application that uses the Common Dialog Control to do this.
    Take nice care of yourselves - Paul - ♪ -
    Help to start using BiNG. Some stuff about Boot CDs & Data Recovery Basics & Back-up using Knoppix.
