[RESOLVED] Unwanted Searchbars


  • This topic is locked

#1
Barclay
    Member, 16 posts
Have followed all required steps before posting a log. So here it is, thanks to anyone who can help =)

Logfile of HijackThis v1.99.1
Scan saved at 20:28:52, on 09/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-gb\msnappau.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.efehkjxcw...DqLDsvedhs.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {33023A6C-8226-0B2B-7683-6D727DEB6785} - C:\DOCUME~1\Barclay\APPLIC~1\FILMCHIN\loadgram.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Global Nurb Browse Type] C:\Documents and Settings\All Users\Application Data\Comp frag global nurb\seek peak.exe
O4 - HKCU\..\Run: [SETUPDART] C:\DOCUME~1\Barclay\APPLIC~1\SPAMST~1\birdbendaim.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117790146629
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{061BD6FA-CD6A-4E53-9691-C25CFBB721F3}: NameServer = 100.100.100.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{061BD6FA-CD6A-4E53-9691-C25CFBB721F3}: NameServer = 100.100.100.100
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by Bugbatter, 11 September 2005 - 06:29 AM.


#2
Bugbatter
    Malware Expert, MVP, 341 posts
Hi, Barclay,

Welcome :tazz:

How many users are there on that computer?

I see that this account is running MessengerPlus3.
Messenger Plus is an add-on. It is not written by Microsoft.
You may have installed Plus with the Sponsor.
The Sponsor software will give you C2Media\LOP (parasite)
If you installed the Sponsor, you have spyware and adware as a result.

Please print these instructions so you can refer to them easily.

** You should download LSPfix from http://www.cexx.org/lspfix.htm
so you can use LSPFix if you lose your internet connection after removing LOP.

First, you need to uninstall Messenger Plus. If you still want to use it, I will let you know how to install it safely when we are finished cleaning.

Configure to show all files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

First close MessengerPlus in Task Manager.
Using XP: First, click on "Start" => "Control Panel" => "Administrative Tools" => "Services".
Look for the service, double-click to open, then click on the Stop button. Then you can end it in Task Manager this way: Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for the name. If you find the files, click on them, and then click End Process => Exit the Task Manager

Uninstall Plus via Add\Remove Programs.

Now to uninstall the spyware it added....

Go to Add/Remove Programs and remove all/any of these:
"Window Search", "My Web Search", "Win Tools", "NaviSearch", "Web Offer", "Window Active", "Browser Enhancer", "Brows er Enhancer", "Ultimate Browse r Enhancer", "Ultimate Browser En hancer", "L.O P. Un insta11", "L O.P. Un instal1", "Live 0n line Portal", "Live.0nli ne Porta1" (however listed)
You will be given a security code to insert, do so. Once you enter the code, press Uninstall.
If you entered the code properly, the program will ask you to confirm that you want to uninstall. You MUST answer "Yes" to this question or you won't have another chance of uninstalling.
To complete the uninstallation, follow the instructions that are displayed (making sure all Internet Explorer windows are closed)

Reboot when done.

If not there, then use these two uninstallers:

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

Look for: C:\Program Files\Messenger Plus!3\MsgPlus.exe
Delete the entire "MessengerPlus", "My Web Search", "WinTools", "NaviSearch", "Web Offer", Browser Enhance r, Brows er Enhancer, Ultimate Browse r Enhancer, Ultimate Browser En hancer, L.O P. Un insta11, L O.P. Un instal1, Live 0n line Portal, Live.0nli ne Porta1 folders IF they still exist.

Have HijackThis fix the following if they still exist:
Tick these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.efehkjxcw...DqLDsvedhs.html
O2 - BHO: (no name) - {33023A6C-8226-0B2B-7683-6D727DEB6785} - C:\DOCUME~1\Barclay\APPLIC~1\FILMCHIN\loadgram.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Global Nurb Browse Type] C:\Documents and Settings\All Users\Application Data\Comp frag global nurb\seek peak.exe
O4 - HKCU\..\Run: [SETUPDART] C:\DOCUME~1\Barclay\APPLIC~1\SPAMST~1\birdbendaim.exe


Close all windows except HJT and click "Fix Checked".

Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

Delete the specified folders/files if they still exist:
C:\DOCUME~1\Barclay\APPLIC~1\FILMCHIN <--folder
C:\DOCUME~1\Barclay\APPLIC~1\SPAMST~1 <--folder (There are some letters missing here, but it will start with "SPAMST")

C:\Documents and Settings\All Users\Application Data\Comp frag global nurb <--file

Reboot normally.
Download: CCleaner from either of these sites:
http://www.ccleaner.com/
http://www.filehippo...d_ccleaner.html

Once installed, launch CCleaner:
Do not change any settings, except to make sure on the Options tab>Advanced "Only delete files in Windows Temp folders older than 48 hours" is NOT checked.
Click Run Cleaner (bottom right). When finished> Exit (top right) (reboot)

Please launch HJT again.
Go into the Config option when you start HijackThis, and then click on the Misc Tools button at the top. You should see a screen.
You will then click on the button labeled "Generate StartupList Log" Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into your next post. Also include another HJT log.
Thanks.
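Added example (not code from this thread, from Geeks to Go, or from HijackThis itself): a small Python triage script that parses the R*/O* entries of a HijackThis 1.99 log and flags the same five lines Bugbatter told the poster to tick. The allow-list of home-page hosts (taken from the log's own Default_Page_URL), the deny-list of Run names (MessengerPlus3) and the "launched from a profile data directory" heuristic are assumptions of the example, not rules HijackThis applies. The sample entries are copied from the posted log, with the thread's truncated search-bar URL kept exactly as the forum rendered it.

```python
"""Triage a HijackThis 1.99 log the way the reply above does: parse the
R*/O* entries and flag the ones a helper would tick for "Fix Checked".
Added example, not code from the thread or from HijackThis itself."""
import re
from urllib.parse import urlparse

# Assumption: the only start-page/search hosts we accept are the OEM/ISP
# defaults the log itself shows (Default_Page_URL, IERESET.INF). Any other
# host in an R0/R1 URL entry is treated as a hijacked setting.
TRUSTED_HOMEPAGE_HOSTS = {"www.club-vaio.sony-europe.com"}

# Assumption: autostart names the helper told the poster to remove by name.
DENYLISTED_RUN_NAMES = {"messengerplus3"}

# Per-user or All Users profile data directories, long and 8.3 short forms.
# Legitimate autostarts normally live under Program Files or system32, so a
# BHO or Run entry launched from here is suspect (a heuristic, not proof).
PROFILE_DATA_DIR = re.compile(r"\\(?:application data|applic~1)\\", re.IGNORECASE)

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.efehkjxcw...DqLDsvedhs.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {33023A6C-8226-0B2B-7683-6D727DEB6785} - C:\DOCUME~1\Barclay\APPLIC~1\FILMCHIN\loadgram.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Global Nurb Browse Type] C:\Documents and Settings\All Users\Application Data\Comp frag global nurb\seek peak.exe
O4 - HKCU\..\Run: [SETUPDART] C:\DOCUME~1\Barclay\APPLIC~1\SPAMST~1\birdbendaim.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{061BD6FA-CD6A-4E53-9691-C25CFBB721F3}: NameServer = 100.100.100.100
"""


def triage(log_text):
    """Return [(entry_line, reason)] for every entry that should be ticked.

    Lines that are not R*/O* entries (process list, headers) are skipped.
    Entries with no matching rule (O1, O17, Global Startup ...) are left
    for a human to read; this script only automates the obvious ticks.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section in ("R0", "R1"):
            r = R_RE.match(body)
            if r and r.group("data").lower().startswith(("http://", "https://")):
                host = urlparse(r.group("data")).hostname or ""
                if host not in TRUSTED_HOMEPAGE_HOSTS:
                    reason = f"IE {r.group('value')} points at untrusted host {host}"
        elif section == "O2":
            o = O2_RE.match(body)
            if o and PROFILE_DATA_DIR.search(o.group("path")):
                reason = "BHO loaded from a profile data directory"
        elif section == "O4":
            o = O4_RE.match(body)
            if o:
                if o.group("name").lower() in DENYLISTED_RUN_NAMES:
                    reason = "Run entry on the removal list"
                elif PROFILE_DATA_DIR.search(o.group("cmd")):
                    reason = "Run entry launches from a profile data directory"
        if reason:
            findings.append((line, reason))
    return findings


def tick_list(log_text):
    """Just the entry lines, in log order, ready to paste as 'Tick these:'."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"TICK  {line}\n      ({reason})")
```

A flag here is a prompt for a human to look, not proof of infection: the profile-directory rule would also catch a legitimate program that installs per-user, and the host allow-list has to be set per machine (here it is just what this log's own Default_Page_URL and O14 line show). O1 hosts and O17 NameServer entries are parsed but deliberately not auto-flagged, since whether they are wrong depends on the ISP and the user's own edits.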

#3
Barclay
    Member (Topic Starter), 16 posts
Thanks for your help. You were correct in it being the Messenger Plus! sponsor program. The computer is my old laptop used by my little sister mainly and she had installed it without really knowing what she was doing. She had already attempted an uninstall but the sponsor program was still present. As there was nothing of any real importance on the computer I have just reformatted it and reinstalled all of your recommended programs. Have also reinstalled the Messenger Plus program, this time without the sponsor.

Thanks again for your assistance in this matter.

Matt

#4
Bugbatter
    Malware Expert, MVP, 341 posts
Hi, Matt,
Thank you for letting us know. :tazz:
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)
If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.