CiD Popups and other things...

**evilfantasy** · #11 20th Mar 2008, 18:38

Hehe, a crafty bugger for sure. I think it is a LOP infection mate.

Download NoLop to your desktop from one of the links below...

Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
- Your computer will now be scanned for infected files
When the scan finishes, if infected, you are prompted to reboot
Click OK
Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Post the contents of C:\NoLop.log in the next reply.

Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

Also post a Hijackthis log after NoLop is complete.

**Hybr!d** · #12 20th Mar 2008, 18:51

NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Jacqui\Desktop
[21/03/2008]
[01:43:22]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\A534C81C918B7B30.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**
---Listing AppData sub directories---
C:\Documents and Settings\Administrator.study-computer\Application Data\Apple Computer
C:\Documents and Settings\Administrator.study-computer\Application Data\Google
C:\Documents and Settings\Administrator.study-computer\Application Data\Ibm
C:\Documents and Settings\Administrator.study-computer\Application Data\Identities
C:\Documents and Settings\Administrator.study-computer\Application Data\Microsoft
C:\Documents and Settings\Administrator.study-computer\Application Data\Msninstaller
C:\Documents and Settings\Administrator.study-computer\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Audio 4 Part Browse
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Lenovo
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Thinkvantage
C:\Documents and Settings\All Users\Application Data\Udl
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users\Application Data\Winzip
C:\Documents and Settings\Chaz\Application Data\Adobe
C:\Documents and Settings\Chaz\Application Data\Aol
C:\Documents and Settings\Chaz\Application Data\Apple Computer
C:\Documents and Settings\Chaz\Application Data\Google
C:\Documents and Settings\Chaz\Application Data\Ibm
C:\Documents and Settings\Chaz\Application Data\Identities
C:\Documents and Settings\Chaz\Application Data\Macromedia
C:\Documents and Settings\Chaz\Application Data\Microsoft
C:\Documents and Settings\Chaz\Application Data\Sun
C:\Documents and Settings\Chaz\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Chaz\Application Data\Thinkvantage
C:\Documents and Settings\Default User\Application Data\Google
C:\Documents and Settings\Default User\Application Data\Ibm
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Jack\Application Data\Adobe
C:\Documents and Settings\Jack\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jack\Application Data\Aol
C:\Documents and Settings\Jack\Application Data\Apple Computer
C:\Documents and Settings\Jack\Application Data\Firaxis Games
C:\Documents and Settings\Jack\Application Data\Google
C:\Documents and Settings\Jack\Application Data\Ibm
C:\Documents and Settings\Jack\Application Data\Identities
C:\Documents and Settings\Jack\Application Data\Installshield Installation Information
C:\Documents and Settings\Jack\Application Data\Macromedia
C:\Documents and Settings\Jack\Application Data\Microsoft
C:\Documents and Settings\Jack\Application Data\Mozilla
C:\Documents and Settings\Jack\Application Data\My Games
C:\Documents and Settings\Jack\Application Data\Sun
C:\Documents and Settings\Jack\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Jack\Application Data\Thinkvantage
C:\Documents and Settings\Jack\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Jacqui\Application Data\Adobe
C:\Documents and Settings\Jacqui\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jacqui\Application Data\Aol
C:\Documents and Settings\Jacqui\Application Data\Google
C:\Documents and Settings\Jacqui\Application Data\Ibm
C:\Documents and Settings\Jacqui\Application Data\Icaclient
C:\Documents and Settings\Jacqui\Application Data\Identities
C:\Documents and Settings\Jacqui\Application Data\Macromedia
C:\Documents and Settings\Jacqui\Application Data\Malwarebytes
C:\Documents and Settings\Jacqui\Application Data\Microsoft
C:\Documents and Settings\Jacqui\Application Data\Mozilla
C:\Documents and Settings\Jacqui\Application Data\Sun
C:\Documents and Settings\Jacqui\Application Data\Superantispyware.com
C:\Documents and Settings\Jacqui\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Jacqui\Application Data\Thinkvantage
C:\Documents and Settings\Jacqui\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Ollie\Application Data\Adobe
C:\Documents and Settings\Ollie\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Ollie\Application Data\Aol
C:\Documents and Settings\Ollie\Application Data\Apple Computer
C:\Documents and Settings\Ollie\Application Data\Epson
C:\Documents and Settings\Ollie\Application Data\Google
C:\Documents and Settings\Ollie\Application Data\Ibm
C:\Documents and Settings\Ollie\Application Data\Identities
C:\Documents and Settings\Ollie\Application Data\Macromedia
C:\Documents and Settings\Ollie\Application Data\Microsoft
C:\Documents and Settings\Ollie\Application Data\Mozilla
C:\Documents and Settings\Ollie\Application Data\Screenshot Sender
C:\Documents and Settings\Ollie\Application Data\Sun
C:\Documents and Settings\Ollie\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Ollie\Application Data\Thinkvantage
C:\Documents and Settings\Sarah\Application Data\Aol
C:\Documents and Settings\Sarah\Application Data\Apple Computer
C:\Documents and Settings\Sarah\Application Data\Google
C:\Documents and Settings\Sarah\Application Data\Ibm
C:\Documents and Settings\Sarah\Application Data\Identities
C:\Documents and Settings\Sarah\Application Data\Macromedia
C:\Documents and Settings\Sarah\Application Data\Microsoft
C:\Documents and Settings\Sarah\Application Data\Mozilla
C:\Documents and Settings\Sarah\Application Data\Sun
C:\Documents and Settings\Sarah\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Sarah\Application Data\Thinkvantage

**Hybr!d** · #13 20th Mar 2008, 18:51

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:53:15, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1206062825\ee\AOLSoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jacqui\Desktop\hj.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Part browse safe hold] C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Pile Wipe.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206062825\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 8203 bytes

**Hybr!d** · #14 20th Mar 2008, 18:51

Popups still coming...

**evilfantasy** · #15 20th Mar 2008, 19:01

OK mate have HJT fix this.

O4 - HKLM\..\Run: [Part browse safe hold] C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Pile Wipe.exe

The manually go in and delete this whole folder Audio 4 part browse found in C:\Documents and Settings\All Users\Application Data

Also from the CF log in the Scheduled Tasks' folder see if you can find and delete bibmod~1\Defy debug axis.exe. The ~1 symbols are shortened file/folder paths so I am not sure what the whole name for bibmod~1 stands for.
The full path is c:\docume~1\lucy\applic~1\bibmod~1\Defy debug axis.exe

**evilfantasy** · #16 20th Mar 2008, 19:07

P.S, if it comes back you may have to boot into safe mode to delete it. Not sure if it will recreate itself or not (don't think so) but post a new HJT log so we can be sure.

**Hybr!d** · #17 20th Mar 2008, 19:07

All done mate, thanks.

**Hybr!d** · #18 20th Mar 2008, 19:13

Definetly seems much faster, and no popups yet.

Final HJT log after reboot.

Thanks for the help matey.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 02:15:51, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1206062825\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AOL9~1.0\aolphx.exe
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\aoldacl.exe
C:\Documents and Settings\Jacqui\Desktop\hj.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206062825\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 7715 bytes

**evilfantasy** · #19 20th Mar 2008, 19:25

Yep, looks to have gotten it.

For the future the Wipe.exe was the malicious file obviously, but how LOP disguises itself is by adding some random word or words in front of Wipe.exe, like Pile Wipe.exe or Dog Wipe.exe and the Defy debug axis.exe. axis.exe is malicious and the Defy debug is the disguise, it could have been Heart beat axis.exe or any other random name. So when you see an unknown 04 entry in HJT with "Some Stupid Name.exe" then that is usually the culprit. Delete that and it's folder (which will also be some random name)

**evilfantasy** · #20 20th Mar 2008, 19:29

Also if this wasn't done on purpose then you can have HJT fix them as well. This is restricting administrator privileges to control panel and a few more admin settings as well. Some security software will do that but malware will also to make it harder to remove the malware. They are normally not there.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Iexplore.exe back / Popups	xalice15x	Virus, Spyware & Security	8	1st Dec 2008 13:54
CiD popups	lazj	Virus, Spyware & Security	8	15th Oct 2008 10:31
Ton of popups from downloading this Ftp manager	jaein0793	Virus, Spyware & Security	1	6th Feb 2008 18:12
Sqmdata.sqm - PopUps, Background changes, virus?	ct122592	Virus, Spyware & Security	88	2nd Feb 2008 22:02
Popups	shig	Virus, Spyware & Security	1	18th Dec 2007 08:42