Lop and Mysearch2 removal

 
 
Wiggles
 
Reply Sat 6 Nov, 2004 08:41 am
Hey everyone, I've got a problem with spyware. As far as I know I've got a lop infection, and mysearch2 toolbar. On the other hand it's possible there are other bits of spyware. This is my mother's computer and she just can't resist shitty little programs that infect your computer. Anyway I've followed these steps to remove as much as I can on my own:

Dl'ed CW Shredder, ran this it removed one thing.
Updated and ran Adaware SE, removed all things it picked up.
Did the Same for Spybot,
Updated and ran AVG virus scanner,
Rebooted in safe mode and repeated the above steps.
Whilst in safe mode I cleared these temp folders:
C:\Documents and Settings\ \Local Settings\ temp
C:\temp
C:\windows\temp
I also wiped the temp internet files and cookies.(inc. offline content)
Before I restarted in normal mode I also turned off system restore.

Restarted and ran all the spyware and virus checkers again.
I also ran a test with Bitdefender and Trend Micro.
I've also run BHOdemon and blocked two suspect BHOs. Finally I've popped HJT into its own folder and got a log.

If anyone can point out the evil bits that I should remove from this report I'd really appreciate it.

Here's the HJT report :
Logfile of HijackThis v1.98.2
Scan saved at 14:28:15, on 06/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sjzldieahbxszxobbnylav.com/A/bIUebAJzLdk70W0TlAatdLBF4qTLn4qKUyHBelLfCoCZuqPmyT1aBmB0NO5Vnx.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BACF732-770F-9056-8B9B-768C9E7B27FF} - C:\DOCUME~1\User\APPLIC~1\STUPID~1\FaceByte.exe (disabled by BHODemon)
O2 - BHO: (no name) - {506F0294-EAD1-940E-DDA2-6D6A5AAEBF33} - C:\PROGRA~1\STUPID~1\bib atom.exe (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CDXYUYFQ] c:\windows\system32\cdxyuyfq.exe /install
O4 - HKLM\..\Run: [JZJYVXXZ] c:\windows\system32\jzjyvxxz.exe /install
O4 - HKLM\..\Run: [MXOVDXNY] c:\windows\system32\mxovdxny.exe /install
O4 - HKLM\..\Run: [Mess Jugs Plus Bat] C:\Documents and Settings\All Users\Application Data\city ball mess jugs\LogoMove.exe
O4 - HKLM\..\Run: [UMKXACCQ] c:\windows\system32\umkxaccq.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BuildAdminCastAnte] C:\Documents and Settings\All Users\Application Data\less grim build admin\program store.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: C:\DOCUME~1\User\APPLIC~1\infodupe\Fordbatcorn.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

Thanks in advance :)

 
Don77
 
  1  
Reply Sat 6 Nov, 2004 08:49 am
Hi Wiggles and welcome to A2K.

You're headed in the right direction,
Go to Add/Remove programs, ( Click Start, Click Settings, Click Control Panel, Click Add/Remove Programs ) Remove "Messenger Plus!"
Restart your computer


Post back a fresh log,
There will be a few more things to clean up after that
0 Replies
 
Wiggles
 
  1  
Reply Sat 6 Nov, 2004 08:51 am
The worrying thing is that was the first thing I did!
It's not on the add/remove list.
0 Replies
 
Don77
 
  1  
Reply Sat 6 Nov, 2004 09:02 am
OK Wiggles, let's see if we can't get it sorted out for you,

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sjzldieahbxszxobbnylav.com/A/bIUebAJzLdk70W0TlAatdLBF4qTLn4qKUyHBelLfCoCZuqPmyT1aBmB0NO5Vnx
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [CDXYUYFQ] c:\windows\system32\cdxyuyfq.exe /install
O4 - HKLM\..\Run: [JZJYVXXZ] c:\windows\system32\jzjyvxxz.exe /install
O4 - HKLM\..\Run: [MXOVDXNY] c:\windows\system32\mxovdxny.exe /install
O4 - HKLM\..\Run: [Mess Jugs Plus Bat] C:\Documents and Settings\All Users\Application Data\city ball mess jugs\LogoMove.exe
O4 - HKLM\..\Run: [UMKXACCQ] c:\windows\system32\umkxaccq.exe /install
O4 - HKLM\..\Run: [BuildAdminCastAnte] C:\Documents and Settings\All Users\Application Data\less grim build admin\program store.exe
O4 - HKCU\..\Run: C:\DOCUME~1\User\APPLIC~1\infodupe\Fordbatcorn.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Next reboot to safe mode ( By tapping the F8 key on start up)
Make sure you can view all [URL=http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5]Hidden Files/Folders[/URL]

Search for and delete the following in BOLD

C:\Program Files\Messenger Plus! 2\[b]MsgPlus.exe[/b]
c:\windows\system32\[b]cdxyuyfq.exe[/b]
c:\windows\system32\[b]jzjyvxxz.exe[/b]
c:\windows\system32\[b]mxovdxny.exe[/b]
C:\Documents and Settings\All Users\Application Data\city ball mess jugs\[b]LogoMove.exe[/b]
c:\windows\system32\[b]umkxaccq.exe[/b]
C:\Documents and Settings\All Users\Application Data\less grim build admin\[b]program store.exe[/b]
C:\DOCUME~1\User\APPLIC~1\infodupe\[b]Fordbatcorn.exe[/b]
C:\Program Files\MyWebSearch\bar\1.bin\[b]MWSOEMON.EXE[/b]

Restart your computer, Restart HJT and post back a fresh log please,
0 Replies
 
Wiggles
 
  1  
Reply Sat 6 Nov, 2004 10:03 am
Hey Don, thanks a lot for your help, it's much appreciated.
I've fixed the items you highlighted in HJT. However, I was unable to remove the exe files in safe mode quite simply because they weren't there.
I did full system searches and checked through explorer to no avail. I had checked the box to show hidden files and even revealed protected system files. Not one of the .exes was there. I did remove one suspicious folder with a file I'd never seen before. One possible problem could be: that when safe mode started I was prompted to either log on as administrator or user. I chose user. I doubted it would have much effect. Would that have been the reason I couldn't find the .exes?

Either way the end result is that the bar is no longer there and since I've been online I haven't had one pop-up. One area of concern is that I ran ad aware and spybot and Ad aware picked up a tracking cookie whilst in safe mode. This could be an old one I picked up whilst posting this morning.

Anyway here's my latest HJT log since safe mode:
Logfile of HijackThis v1.98.2
Scan saved at 15:56:10, on 06/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BACF732-770F-9056-8B9B-768C9E7B27FF} - C:\DOCUME~1\User\APPLIC~1\STUPID~1\FaceByte.exe (disabled by BHODemon)
O2 - BHO: (no name) - {506F0294-EAD1-940E-DDA2-6D6A5AAEBF33} - C:\PROGRA~1\STUPID~1\bib atom.exe (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

Once again thanks, and please reply with any problems this log may raise!
Very Happy
0 Replies
 
Don77
 
  1  
Reply Sat 6 Nov, 2004 10:17 am
Hi again Wiggles,
Your log looks fine now,
You should log on as Admin just to be sure, and see if you can't find the files,
Clean out the Temp Folders
Run a scan with Ad-aware and Spybot while under Admin,


Download the following programs, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.

Download Spyware Blaster and SpywareGuard

Check for updates after you install them, And check weekly as well

Keep Ad-aware and Spybot handy, Check them for updates and run them weekly
Same with your Anti Virus,
Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well,

Quote:
Reboot to safe mode ( By tapping the F8 key on start up)

Delete the entire contents of the below Temp folders, but not the TEMP folder itself.

Remove all the files and sub-folders from the below TEMP Folders:

C:\Documents and Settings\ \Local Settings\Temp
C:\temp
C:\windows\temp

The TIF ( Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files",
Also tick the "delete all offline content" box .

Empty your Recycle Bin


After you Emptied your Temp folders, Run Ad-aware and see if it comes up with anything
0 Replies
 
 
