Scary Intruder Alert Warning
Senior Member
22. June 2007 @ 06:23
Hi, I've been getting this alert for at least 1 month now. And as my Norton Anti-Virus end date nears, the more frightening it becomes lol. I have scanned my laptop for viruses and spyware and removed them all, but it still seems to keep popping up. So without further ado, here are the images I get:




Then,




How alarmed should I be? How can I stop this person/robot from attempting to access my computer? Help me out here please.

Regards,
Est. 1991




PS3 Username = johnC1234
Tutorial on how to stream tv to psp :D http://forums.afterdawn.com/thread_view.cfm/496291#2998922
bluecoal
Suspended due to non-functional email address
24. June 2007 @ 18:42
Hi,

The first screen talks about something called LOP. It used to come if you installed messenger plus with sponsors, I guess now it comes from other sources as well.

Here's a link with a program and some instructions:
http://www.geekstogo.com/forum/index.php...ads&showfile=14

Please post that report back and we can see if that is the problem.

bc
MichaelP1
Suspended permanently
24. June 2007 @ 19:09
Also, don't renew Norton; go with something better.

We shall go to the end,we shall fight in France,we shall fight on the seas and oceans,we shall fight with growing confidence and growing strength in the air,we shall defend our Island,whatever the cost may be,we shall fight on the beaches,we shall fight on the landing grounds,we shall fight in the fields and in the streets,we shall fight in the hills;we shall never surrender
AfterDawn Addict

1 product review
24. June 2007 @ 19:39
Download either AVG Anti-Virus Free or Avira AntiVir Free so you can keep yourself protected after Norton expires. Both programs are 100% free and among the highest rated free antiviruses. Remember free doesn't always mean bad/cheap/limited.



"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
MichaelP1
Suspended permanently
24. June 2007 @ 19:40
And Avira was rated the best.

AfterDawn Addict

1 product review
24. June 2007 @ 19:44
Yeah I have been using Avira ever since the free Norton trial ran out on my PC and I have never looked back. It uses up next to no memory/system resources and the scans are quick yet still thorough. Plus they have a specially designed scan just to find rootkits! Avira AntiVir is, in my opinion, the best free antivirus.


MichaelP1
Suspended permanently
24. June 2007 @ 20:06
They have a pay version also, an Internet Security suite with firewall and all.

AfterDawn Addict

1 product review
24. June 2007 @ 20:37
Yeah but there are better free firewalls, one of the best free firewalls is made by Comodo. When compared to ZoneAlarms/ZoneLabs's free firewall Comodo uses next to no system resources.


Senior Member
25. June 2007 @ 04:40
Originally posted by bluecoal:
Hi,

The first screen talks about something called LOP. It used to come if you installed messenger plus with sponsors, I guess now it comes from other sources as well.

Here's a link with a program and some instructions:
http://www.geekstogo.com/forum/index.php...ads&showfile=14

Please post that report back and we can see if that is the problem.

bc
Well I do have messenger plus, perhaps if I uninstalled the programme it would go away? Also I downloaded the programme, unzipped and double-clicked findlop.bat, it gave me a .txt document and then I don't know what to do.

Originally posted by PeaInAPod:

Download either AVG Anti-Virus Free or Avira AntiVir Free so you can keep yourself protected after Norton expires. Both programs are 100% free and among the highest rated free antiviruses. Remember free doesn't always mean bad/cheap/limited.
Yer I will consider Avira, I used to use AVG on my old laptop, but when I purchased this laptop it came with Norton so I used it. Will Avira get rid of the security alert or will it merely protect me from it?





This message has been edited since posting. Last time this message was edited on 25. June 2007 @ 04:50

bluecoal
Suspended due to non-functional email address
25. June 2007 @ 05:32
Please open a reply box for this thread. Then open your text document and highlight all the text. Right click, and one of the options should be copy. Select that. Then go to the other window with the reply box. Right click and select the paste option. That should copy the contents of the text file into the reply box so you can post it here.
AfterDawn Addict

1 product review
25. June 2007 @ 07:28
When Norton expires/is uninstalled the warning message will go away. Should Avira AntiVir find this "LOP Toolbar" to be suspicious or malicious in any way it will block it and alert you asking you what to do whether it be "Ignore" it, "Block" it from running, or "Quarantine" it.


Senior Member
26. June 2007 @ 08:02
Quote:
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AD886A80948C1AF0.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\owner~1.you\applic~1\warnso~1\Axis Bash Frag.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 06/16/2007 14:00:00
NextRun: 06/26/2007 18:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/17/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/07/2007 6:53:00
NextRun: 07/02/2007 6:53:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 04/12/2007
EndDate: 00/00/0000
StartTime: 06:53
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Norton AntiVirus - Run Full System Scan - Owner.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe'
Parameters: '/TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 06/15/2007 20:00:00
NextRun: 06/29/2007 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 07/10/2006
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0








bluecoal
Suspended due to non-functional email address
26. June 2007 @ 10:09
---------------------------------------

This is what I was looking for:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AD886A80948C1AF0.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\owner~1.you\applic~1\warnso~1\Axis Bash Frag.exe'

This is a LOP job to help it keep itself installed on your system.
------------------------------------------------------

If you would like to try uninstalling the messenger plus program, you may do so. Whether you choose to do that or not, I would still like to go through these other steps with you because I am not sure how complete the uninstall cleanup is. If you do choose to uninstall messenger plus now, you should be able to reinstall it later - without sponsors - and be able to continue using it without the LOP problems.

This step will remove the scheduler job:

Please Download NoLop to your desktop from the link below...
http://www.thespykiller.co.uk/index.php?...=tpmod;dl=get16

- First close any other programs you have running as this will require a reboot
- Double click NoLop.exe to run it.
- Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
- When scanning is finished you will be prompted to reboot only if infected, Click OK
- Now click the "REBOOT" Button.
- A Message should popup from NoLop. If not, double click the program again and it will finish

Please post the contents of C:\NoLop.log along with a fresh HijackThis log

This will help me to see the folders that you need to remove:

1. Download combofix from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


I will have some additional instructions after I see these two logs.
Thanks.
bc
Senior Member
28. June 2007 @ 01:42
contents of C:\NoLop.txt

Quote:
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Owner.YOUR-466833E80C\Desktop
[28/06/2007]
[10:38:32]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AD886A80948C1AF0.job

I ran the NoLop Program, search and destroy and it detected a virus. Gonna Reboot now then I will follow your next set of instructions, thanks for the help.




Senior Member
28. June 2007 @ 02:16
Okay, I have run combo fix and it gave me a log (rather long) but oh well here goes.

Quote:
"Owner" - 2007-06-28 10:57:30 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-28 10:56 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 10:39 <DIR> d-------- C:\NoLopBackups
2007-06-28 10:38 132 --a------ C:\delete.bat
2007-06-26 19:53 <DIR> d-------- C:\Program Files\BearShare
2007-06-23 21:59 <DIR> d-------- C:\Program Files\KeepV Converter
2007-06-22 22:21 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-06-22 22:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-06-22 22:20 <DIR> d-------- C:\Program Files\TechSmith
2007-06-22 18:21 <DIR> d-------- C:\Program Files\AskPBar
2007-06-21 20:31 <DIR> d-------- C:\Program Files\ImTOO
2007-06-21 18:48 <DIR> d-------- C:\Program Files\WinAVI MP4 Converter
2007-06-21 18:31 <DIR> d-------- C:\Program Files\3GP Converter 2007
2007-06-19 21:21 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\DivX
2007-06-16 22:40 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WinRAR
2007-06-15 16:29 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Media Player Classic
2007-06-14 23:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-06-14 23:56 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-14 23:56 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-06-14 23:56 <DIR> d-------- C:\Program Files\K-Lite codec Pack
2007-06-14 13:11 332 --a------ C:\WINDOWS\desctemp.dat
2007-06-13 20:57 <DIR> d-------- C:\Program Files\TVersity
2007-06-06 20:18 <DIR> d-------- C:\Program Files\Orb Networks
2007-06-05 21:40 <DIR> d-------- C:\Program Files\iTunes
2007-06-05 19:37 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-06-05 19:37 487,479 --a------ C:\WINDOWS\system32\SkinMagic.dll
2007-06-05 19:37 <DIR> d-------- C:\WINDOWS\system32\avsplugin
2007-06-05 19:37 <DIR> d-------- C:\Program Files\Smallvideosoft
2007-06-02 17:01 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-06-02 17:01 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-06-02 14:55 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-06-02 14:55 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-06-02 14:55 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-06-02 14:55 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-06-02 14:55 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-06-02 14:55 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-06-02 14:55 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-06-02 14:55 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 09:02:25 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-06-28 08:43:46 -------- d-----w C:\Program Files\MessengerPlus! 3
2007-06-28 08:37:52 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-22 20:32:28 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-06-22 16:33:58 -------- d-----w C:\Program Files\Symantec
2007-06-21 13:42:58 -------- d-----w C:\Program Files\WinXMedia
2007-06-19 02:06:23 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-18 14:25:42 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-18 14:08:06 -------- d-----w C:\Program Files\Google
2007-06-17 19:31:12 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-06-17 13:55:32 -------- d-----w C:\Program Files\vso
2007-06-14 21:56:45 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Apple Computer
2007-06-14 21:29:02 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Google
2007-06-14 14:58:10 -------- d-----w C:\Program Files\TVAnts
2007-06-05 20:10:32 69,632 ----a-w C:\WINDOWS\SecureWin31.dll
2007-06-05 20:10:32 32,768 ----a-w C:\WINDOWS\SecureWin33.exe
2007-05-16 18:21:26 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2007-05-16 18:08:24 -------- d-----w C:\Program Files\Samsung
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 19:55:31 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\dvdcss
2007-05-13 19:48:02 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Vso
2007-05-12 17:53:43 -------- d-----w C:\Program Files\Alcohol Soft
2007-05-12 17:20:30 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-11 04:37:16 740,442 ----a-w C:\WINDOWS\system32\divx.dll
2007-05-09 19:47:26 -------- d-----w C:\Program Files\TVUPlayer
2007-05-08 18:23:10 10,752 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-05-07 15:04:05 -------- d-----w C:\Program Files\Apple Software Update
2007-05-02 18:04:20 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 18:02:08 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-05-02 15:38:04 935,816 ----a-w C:\WINDOWS\system32\Steven Gerrard.scr
2007-04-28 12:54:36 593,920 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-03 09:55:37 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-28 16:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 16:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2006-08-01 16:27]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2006-02-07 09:35]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2006-10-17 14:44]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2006-08-01 16:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2005-09-15 16:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"grim enc"="C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WARNSO~1\bin book program.exe" [2007-02-13 15:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-08-31 21:27]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\blueyonder Instant Support Tool.lnk
backup=C:\WINDOWS\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NoLop.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NoLop.exe
backup=C:\WINDOWS\pss\NoLop.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.YOUR-466833E80C^Start Menu^Programs^Startup^Freecom Personal Media Suite.lnk]
path=C:\Documents and Settings\Owner.YOUR-466833E80C\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk
backup=C:\WINDOWS\pss\Freecom Personal Media Suite.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.YOUR-466833E80C^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner.YOUR-466833E80C\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\block buster]
C:\Documents and Settings\Owner.YOUR-466833E80C\Desktop

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FirstSteps]
C:\FirstSteps\FirstSteps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\grim enc]
C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WARNSO~1\bin book program.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Webcam Recorder]
"C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPVideo9]
C:\Program Files\pspvideo9\pspVideo9.exe -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
"C:\Documents and Settings\tasha\Application Data\Smilebox\SmileboxTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedOptimizer]
C:\PROGRA~1\SPEEDO~1\SPO.EXE -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
D:\Workflow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"iPod Service"=3 (0x3)
"Crypkey License"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"SDhelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16de05e6-acc2-11db-bb41-000a94177cca}]
AutoRun\command- G:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2007-05-07 04:53:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-22 18:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 11:04:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-28 11:06:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-28 11:06

--- E O F ---

I am guessing that everything is resolved now and I am safe to uninstall Norton and go for Avira. I hope so.




bluecoal
Suspended due to non-functional email address
28. June 2007 @ 06:36
This is from the combofix log:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"grim enc"="C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WARNSO~1\bin book program.exe" [2007-02-13 15:49]

It also relates to LOP. It's old enough that it doesn't show in the file listing, so I can't tell for sure if NoLOP deleted the other files or not.

The references I am going to give you are all abbreviated, the folders you are looking for will begin with the first 6 characters shown.

Please check your system for:
C:\programfiles\WARNSO~1
c:\documents and settings\owner~1.you\application data\warnso~1

If you find either one, before you delete it, notice the date, sort the folders by date and then see if there are any other peculiar made up looking named folders that were created about the same time. If there are, they may be LOP as well, we can discuss them.

Then delete any of the folders I listed that you find.

You can find HijackThis on this page:
http://www.malwareremoval.com/downloads.html

Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with windows explorer, and double click on the HijackThis.exe program to run.

Check the listed lines for an 04 line that begins with HKCU and includes this folder reference: C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WARNSO~1

Check that line and allow HijackThis to fix it.

At this point you have removed the task scheduler job,
Any LOP folders we know about,
And the one LOP reference combofix showed in the registry.

That is what I know to look for for that problem.

Regards.
bluecoal
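
The three traces listed in the post above (the hidden scheduler job, the WARNSO~1 folder and the HKCU Run value) can be tied together mechanically. The following is an added example, not part of the original posts or of any tool named in the thread: the sample text is excerpted from the logs posted earlier in this thread, while the function names and the flagging heuristics are assumptions chosen for illustration.

```python
"""Correlate a scheduler-job dump with Run-key entries (added example)."""
import re
from pathlib import PureWindowsPath

# Excerpts of the two logs posted in this thread, trimmed to the fields used.
JOB_DUMP = r"""
[TRACE] Activating job 'AD886A80948C1AF0.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\owner~1.you\applic~1\warnso~1\Axis Bash Frag.exe'
Creator: 'Owner'
Hidden = 1

[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Creator: 'SYSTEM'
Hidden = 0

[TRACE] Activating job 'Norton AntiVirus - Run Full System Scan - Owner.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe'
Creator: 'Owner'
Hidden = 0
"""

RUN_KEYS = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2005-09-15 16:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"grim enc"="C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WARNSO~1\bin book program.exe" [2007-02-13 15:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-08-31 21:27]
'''

JOB_START = re.compile(r"^\[TRACE\] Activating job '(.+)'\s*$")
FIELD = re.compile(r"^\s*(\w+)\s*[:=]\s*(.*?)\s*$")
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{16}$")
# Long and 8.3 short names of the per-user folder seen in the thread's paths.
PROFILE_DIRS = {"application data", "applic~1"}


def parse_jobs(dump):
    """Split the dump into one dict per job; the first value of a key wins."""
    jobs, current = [], None
    for line in dump.splitlines():
        start = JOB_START.match(line)
        if start:
            current = {"JobName": start.group(1)}
            jobs.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current.setdefault(field.group(1), field.group(2).strip("'"))
    return jobs


def job_findings(job):
    """Return the reasons (assumed heuristics) a job deserves a closer look."""
    reasons = []
    app = PureWindowsPath(job.get("ApplicationName", ""))
    if {part.lower() for part in app.parts} & PROFILE_DIRS:
        reasons.append("runs from a user Application Data folder")
    if job.get("Hidden") == "1":
        reasons.append("task is hidden")
    if HEX_NAME.match(PureWindowsPath(job["JobName"]).stem):
        reasons.append("job name is 16 hex digits")
    return reasons


def run_entries(text):
    """Yield (key, value name, executable path) for quoted Run-key values."""
    key = None
    for line in text.splitlines():
        header = REG_KEY.match(line)
        if header:
            key = header.group(1)
            continue
        value = REG_VALUE.match(line)
        if value and key:
            yield key, value.group(1), PureWindowsPath(value.group(2))


def triage(job_dump, run_text):
    """Flag jobs with two or more findings, then list Run values that start
    a program from the same folder as a flagged job."""
    flagged = {}
    for job in parse_jobs(job_dump):
        reasons = job_findings(job)
        if len(reasons) >= 2:
            flagged[job["JobName"]] = (job["ApplicationName"], reasons)
    # Compare folders case-insensitively: the two logs differ in case.
    folders = {str(PureWindowsPath(app).parent).lower()
               for app, _ in flagged.values()}
    related = [(key, name, str(path)) for key, name, path in run_entries(run_text)
               if str(path.parent).lower() in folders]
    return flagged, related


if __name__ == "__main__":
    jobs, values = triage(JOB_DUMP, RUN_KEYS)
    for name, (app, reasons) in jobs.items():
        print(f"JOB  {name}: {app} ({'; '.join(reasons)})")
    for key, name, path in values:
        print(f"RUN  {key} -> {name}: {path}")
```

Matching on the folder rather than the file name is what links the Run value to the job here, since the two executables carry unrelated names.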
Senior Member
28. June 2007 @ 08:28
Thought I should let you know, both these references are folders C:\programfiles\WARNSO~1

AND

c:\documents and settings\owner~1.you\application data\warnso~1

are folders. Shall I delete the whole folders?

Also, when I go to start run -> msconfig I click startup tab and bin book programme appears. Thought I should inform.




bluecoal
Suspended due to non-functional email address
28. June 2007 @ 09:05
Yes, delete the entire folders.

The docs & settings LOP folder will contain at least these two programs:
Axis Bash Frag.exe and bin book program.exe

I don't know what LOP puts in the c:programfiles LOP folder, I just know it creates one. If you can tell me anything about the contents of that folder, I would be interested.

The HijackThis repair should remove the registry entry and eliminate the calling of the program.

This message has been edited since posting. Last time this message was edited on 28. June 2007 @ 09:23

Senior Member
28. June 2007 @ 09:23
I run the hijack.exe file, it does not install. Just goes straight to the programme :S





bluecoal
Suspended due to non-functional email address
28. June 2007 @ 11:00
Hi,

My fault, I gave you a link with too many choices.

If you downloaded the exe file, just put it in its own folder (such as c:\hjt) and then run it from there. Putting it in its own folder gives it a place to put the backups that it makes.

Then when you run the program, you will see lines with boxes on the left. Find the 04 line that has the folder and file reference we talked about, check that one line and let HijackThis fix it.

This link has a lot of information on hijackthis:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

If you scroll down to figure 4, you will see a sample of what your screen should look like. The line you want to find will probably be down towards the end of the group of 04 lines in your log.

EDIT
Figure 6 shows you an example of selecting and fixing an item.
ENDEDIT

This message has been edited since posting. Last time this message was edited on 28. June 2007 @ 11:05

Senior Member
29. June 2007 @ 04:44
Inform
Right, I have now installed AVG (faster download, so I figured more people were using that over Avira). I deleted the two folders you told me to delete and have uninstalled messenger plus. I think I should be safe now, there is nothing else I need to do is there?




bluecoal
Suspended due to non-functional email address
29. June 2007 @ 05:35
No, that should take care of it.