
Here is my log. I have been having an issue with this computer having icons added to the desktop at every restart. There was a whole slew of them at one point but now it is down to "Casino Online" and "Poker".

As far as I understand, these are symptoms commonly associated with Lop... I have deleted all the files in "Bold File Move" and "Hole Store", as well as "loud roam blah" etc. folders in the "Application Data" of each user's folders...

There were a whole slew of bookmarks added with all of this mess, too. My homepage also keeps trying to be changed to "http://www.sadfklemarawefasdf.com", or some similar random gibberish every so often.

This is what happens when you have a disobedient thirteen year old sister who insists on installing MSN Plus, and the like, I suppose.

I keep missing something because it keeps coming back. Can you check out the log and see if you can find anything that shouldn't be there?

Here is the log:

-----------------

Logfile of HijackThis v1.99.1

Scan saved at 4:17:39 PM, on 2/19/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\Tablet.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\sstray.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\Java\J2RE14~1.2\bin\jusched.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\WINDOWS\system32\LVComS.exe

C:\Program Files\Logitech\Video\LowLight.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Brian\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.udohlgkqckx.com//_O01Lp2R/1pCAI...weK73wb5hd.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lwugrxywykzifng.com//_O01Lp2R/3...ZwHnIweBic.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\PROGRA~1\Java\J2RE14~1.2\bin\jusched.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [blahlinkactivepop] C:\Documents and Settings\All Users\Application Data\loud roam blah link\Plan Anti.exe

O4 - HKLM\..\Run: [bird chin mpeg find] C:\Documents and Settings\All Users\Application Data\coalbasebirdchin\Jump up.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Rule Road] C:\DOCUME~1\Brian\APPLIC~1\BOLDFI~1\sendeachloud.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Broadband Networking.lnk = ?

O4 - Global Startup: NaturalColorLoad.lnk = ?

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\J2RE14~1.2\bin\npjpi142_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\J2RE14~1.2\bin\npjpi142_04.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab

O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab

O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--------------

I know the entries like "Jump Up" and "Plan Anti" shouldn't be there, but every time I remove them and delete the folder they are in, etc. they come back anyways...


Hello n3rrd,

I'm assuming you have already uninstalled Msg Plus? If you have not, uninstall it from Add/Remove Programs now.

This item

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

suggests you have disabled items in MSConfig. If you have, please re-enable them now so I can see other problems if they exist.

Run HijackThis, do a scan, and place a check next to the following items to be fixed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.udohlgkqckx.com//_O01Lp2R/1pCAI...weK73wb5hd.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lwugrxywykzifng.com//_O01Lp2R/3...ZwHnIweBic.html

O4 - HKLM\..\Run: [blahlinkactivepop] C:\Documents and Settings\All Users\Application Data\loud roam blah link\Plan Anti.exe

O4 - HKLM\..\Run: [bird chin mpeg find] C:\Documents and Settings\All Users\Application Data\coalbasebirdchin\Jump up.exe

O4 - HKCU\..\Run: [Rule Road] C:\DOCUME~1\Brian\APPLIC~1\BOLDFI~1\sendeachloud.exe

Unless you or an administrator set this, place a check next to this item (programs such as Spybot - S&D may set these also):

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <-- Disables access to certain options in Internet Explorer

Close all browsers and windows except HijackThis and click "Fix checked".

You may need to configure your computer to show hidden files. See HERE for how to show hidden files.

Now reboot into Safe mode by tapping the F8 key while your computer starts up and selecting "Safe Mode" from the menu that appears. (You will not be able to access the internet while in Safe mode).

Delete the folders in bold:

C:\Documents and Settings\All Users\Application Data\loud roam blah link\

C:\Documents and Settings\All Users\Application Data\coalbasebirdchin\

C:\DOCUME~1\Brian\APPLIC~1\BOLDFI~1\

Folders and files with a tilde (~) and a number at the end mean that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

Reboot back to normal mode and post a new HijackThis log in a reply to this topic. If you have any other user accounts on XP, please post logs from them also.

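Triage logic for log lines of the kind quoted in this thread, added here as an example; it is not part of either poster's text and not HijackThis's own code. It parses the O4 and R0/R1 line formats, flags autoruns launched from an Application Data folder or referenced through an 8.3 short name (the tilde caveat above, since `~1` only identifies the first match), and flags start-page hosts that look like random strings. The sample lines are constructed from the log in the thread; the heuristics and thresholds are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 line format, modelled on the log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lwugrxywykzifng.com//_O01Lp2R/3...ZwHnIweBic.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [blahlinkactivepop] C:\Documents and Settings\All Users\Application Data\loud roam blah link\Plan Anti.exe
O4 - HKCU\..\Run: [Rule Road] C:\DOCUME~1\Brian\APPLIC~1\BOLDFI~1\sendeachloud.exe
"""

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 - <registry path>,<setting> = <url>
R_RE = re.compile(r"^R[01] - .*,(?P<setting>[^=]+?) = (?P<url>\S+)$")
# First executable on the command line, quoted or not
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of letters with no vowel; gibberish hostnames score high."""
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", label.lower())), default=0)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for HijackThis lines that deserve a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            path = exe["path"].lower() if exe else m["cmd"].lower()
            # Autorun launched from a data directory rather than Program Files or Windows
            if "\\application data\\" in path or "\\applic~1\\" in path:
                findings.append((m["name"], "autorun from Application Data"))
            # 8.3 short name: ~1 is only the first match, so resolve the long name before deleting
            if re.search(r"~\d", path):
                findings.append((m["name"], "8.3 short name; resolve before acting"))
        elif m := R_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            label = host.removeprefix("www.").split(".")[0]
            # Assumed threshold: long label with a 5+ letter vowel-free run looks machine-generated
            if len(label) >= 8 and longest_consonant_run(label) >= 5:
                findings.append((m["setting"], f"pseudo-random hostname {host}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name!r}: {reason}")
```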

Thanks for the quick response, CanoeingKidd. Yeah, I have a few programs that I just got tired of starting up at boot disabled, but I can enable them if that would help.

At the moment, the computer that is having the difficulties is being used by my grandmother, so I cannot do much to it at the moment. I will post new log(s) as soon as I can, though. Sorry if this is an inconvenience to you!

Those folders just keep coming back... I've deleted the keys/disabled them, and deleted the folders many, many times. Another thing of interest: if you look through the log you'll notice two instances of iexplorer.exe, and those are caused by whatever is making the shortcuts.

I have Internet Explorer disabled on the problematic computer, and it should not be able to run. Funny thing is, when you try to end the process, it immediately replaces itself. I have Firefox as the default and only enabled browser on all of the computers in this house to try and prevent the problems that my grandma and youngest sister cause.

Thanks again for the quick response, though. I will have new logs up ASAP.


Hi n3rrd,

Sorry to barge in, I will let Canoeingkidd do the rest of the fix.

iexplore is internet explorer. iexplorer is probably malware.

Also, you can install MessengerPlus, but choose NO Sponsors. (Note: It is urged NOT to install this program if not necessary.)

Please post a log.

dk
