Can someone please help review my logfile?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MaliceMizer661, Aug 1, 2005.

  1. MaliceMizer661

    MaliceMizer661 Private E-2

    Well I was ignorant, and installed MessengerPlus (lop.com). Since then, I've noticed some issues. Any help is appreciated (^_^)

    I was supposed to upload the logfile as an attachment right? Well, here it is.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If you have done ALL of the above and still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. MaliceMizer661

    MaliceMizer661 Private E-2

    I don't mean to sound rude, but can someone please help me out?
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    No problem. His top link contains a tutorial that cleans most people out. Can you follow it, or where are you stuck? We ask people to do this because oftentimes removing items from Hijack This does not solve the problem. It helps get leftover and stubborn items.

    It is important to tell us if you're having any symptoms. I do not see any problems in Hijack This after a quick look.
     
  5. MaliceMizer661

    MaliceMizer661 Private E-2

    Thanks for getting back to me, Mjr Attitude, I really appreciate it.

    Well I did do an amateur analysis of my logfile recently. I have "fixed" unwanted items. (Not to mention I have updated versions of Norton/Adaware/Spybot SD; they do not display any dangerous files anymore.)

    Yet my problems still persist.

    My CPU usage is unusually high (ever since I installed that lop.com stuff). There is a "System Idle Process" which is always using 90-98 CPU. I hear this is normal, but before I ignorantly installed that adware, I never saw such a high usage of resources happening. Ever since that lop.com stuff got on my system, my average CPU usage (in the process manager) is 20%-40% even when no other programs are open. Before, my normal CPU usage was about 3%-7%. I am convinced there is something persisting on my computer, which somehow manages to dodge updated versions of Adaware/HJT/Spybot SD/and Norton Antivirus.

    Furthermore, in Msconfig under start-up, there is a blank process with no command line or no start-up item name. All it displays is this location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    I have checked about blank processes online, and it doesn't sound good. Although, there is very, very little info about this sort of thing. So naturally I'm concerned.

    Is this blank process a trojan? Is it the cause of my boosted CPU usage, and the system-hogging Sys.Idle Process?
     
    Last edited: Aug 2, 2005
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    MaliceMizer661,

    Make sure you run the online scans listed in the READ ME. After you complete the online scans post a fresh HJT log and I will have a look. If your log shows nothing then we will dig deeper.
     
  7. MaliceMizer661

    MaliceMizer661 Private E-2

    Oh sorry, I guess I missed those instructions! Well I am trying to follow all of the listed steps, one at a time. I completed Bitdefender's online scan (which deleted 2 trojans from my system :) ). Then I made my way to the RavAntiVirus site for an online scan. It seems they no longer provide the service of doing a complete scan, and now will only scan singular files one by one for people.

    "GeCAD Software SRL is currently engaged in a strategic reorganization of its operations, which includes scaling down and discontinuation of its anti-virus related business. More details at:
    http://www.ravantivirus.com/pages/shownews.php?i=153 ."

    So my question is, should I just skip that step and do all the rest? I want to continue this "extermination" exactly as your directions state, so is it ok to just continue regardless of not being able to use rav's scan?

    Or is it possible I am missing something/doing something wrong on Rav? I looked all over for "auto clean" and "scan my PC" to no avail.

    Thanks.
     
    Last edited: Aug 4, 2005
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  9. MaliceMizer661

    MaliceMizer661 Private E-2

    Ok I am able to get to that page, but is there a way to scan my entire CPU instead of just one file at a time? It is only letting me "upload" one file to be scanned, instead of letting me choose an entire drive to scan.

    Is there an activex/popup window I'm missing that has the full hard-drive scan in it?

    Jeez, sorry, I know I'm making this a lot more difficult than it should be, but I appreciate all the help so far.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just skip this scan to make it easier. Proceed with the READ ME and then attach HJT log.
     
  11. MaliceMizer661

    MaliceMizer661 Private E-2

    Ok I've completed the steps. Here is my most current logfile in an attachment.

    My prevalent problems are still just slowed system performance. Mainly, "System Idle Process" still using 90+ CPU all the time. (And I am sure the slowed performance is not due to low virtual memory, or low HD space or anything like that.)

    Also, I ran HSRemove a few days ago and upon scan completion "8 items were removed". Then I ran the scan again last night in Safe-mode (with system restore off this time), and "8 items were removed"...again. So this was concerning because now it seems that whatever problem it removed is just re-spawning itself after deletion.

    Should I proceed with the additional scans listed in the readme?

    Thanks a lot :)
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Spy Sweeper 4.0.3.363 and install it.

    After you install make sure you get the updated spyware definitions. Then do a full sweep removing all infections. After you remove the infections with SpySweeper, reboot and attach a fresh HJT log!
     
  13. MaliceMizer661

    MaliceMizer661 Private E-2

    OK I installed and ran SpySweeper, no bad items were detected (a "clean-sweep", heh.)

    A recent concern of mine is that last night, Norton informed me of a "recent trojan attempt" on my system. It says it blocked the attack, but isn't it true trojans cannot make attempts on a system that isn't already infected with its software?

    When I got this warning last night, my system was also being very weird. In the Task Manager, normal processes which would usually run with about 3,000 K Mem Usage were using 20,000-40,000 K! All of the processes had unusually high mem usage. I googled for others who may have had the same issue, but info on it was very scarce and inconclusive. Are this, and the blocked trojan attack, common occurrences?

    Anyway here is a current HJT logfile.
    Also, thank you for your help (^_^)
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Make sure All Browser Windows are Closed when you Click FIX.

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections, reboot, and let me know how things are running.
     
  15. MaliceMizer661

    MaliceMizer661 Private E-2

    TrojanHunter found no infections (^_^)

    Things now seem to be running normal for the CPU usage (back within 1-8% when no programs are open.)

    The thing that still confuses me is the System Idle Process, which still takes 80-99 CPU all the time.

    Also, I have two printer processes upon startup:
    -LEXBCES.EXE
    -LEXPPS.EXE

    I rarely use my printer, so I don't need these processes to be open. When I close them, they always start up again within minutes. They are not listed in msconfig/startup so I cannot disable them. Is there a way to permanently disable processes like this, and "spoolsv"?

    My Norton keeps doing weird things with spoolsv, like showing a "Rules automatically created for spool service" bubble over and over for about 5 minutes. Could it be an infected process?

    Thanks to all of your help everything is back to normal though, I just can't shake the feeling that something is still wrong with my system when things like I stated above keep happening.

    Anyway you've been so helpful and I am very grateful (^_^), thank you
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The file spoolsv.exe is part of Microsoft's Printer Spooler Service. However, it is known for this to be replaced by the Backdoor.Ciadoor.B Trojan. In your case you should be ok if nothing is detecting it as the trojan.

    You should see this article on How to Protect yourself from malware!
     
  17. MaliceMizer661

    MaliceMizer661 Private E-2

    Well I am pretty positive my comp. is now problem free! Thank you so much!

    Just one LAST question (I promise):
    Am I running the defective version of Java, or do I have Sun's Java?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To answer the above two questions:

    System Idle Process is the time your PC spends running no other processes. That is why it is called "Idle". This number is supposed to be high especially if you are not doing anything.
     
  19. MaliceMizer661

    MaliceMizer661 Private E-2

    I'm back with more issues, all I can say is sorry!

    Well I have read "how to protect yourself from Malware" and I am currently taking all procedures to do so.

    Everything appeared to be running smoothly and problem free for a while...

    I currently ran HSRemove, and again "8 items were removed"
    Also, last night I ran Trend Micro's online scan. It removed a spyware item which was apparently from lop.com (which was my original problem)

    This sucker just won't die!

    Is there any method to permanently eradicate this lop.com stuff from my system?

    (btw, I've been doing all my scans with system restore off. Would it help to run all my scanning software in safe mode again?)

    Thanks.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HSRemove has a bug that does this, it will detect 8 items every time. You shouldn't be running HSRemove unless you're having problems with the HSA Infection which you don't seem to be having.

    Attach a current HJT log from normal mode.
     
  21. MaliceMizer661

    MaliceMizer661 Private E-2

    Oh, just a bug. I see. *wipes sweat from forehead*
    Here is the most current logfile.
    Your help is truly appreciated.
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download and install SpyWare Blaster, get all updates and then proceed with the below.

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  23. MaliceMizer661

    MaliceMizer661 Private E-2

    Thank you for the detailed instructions on the next steps I should take. I'm having yet another stupid problem though, I'm sorry!

    I did everything up until the Ewido update. I installed and opened the program. I click update, and it says "An automatic update is currently in progress. Please try again later."

    This is very weird because on one hand, it is telling me the update is in progress. Yet on the other, the update is not installing (nor is there any sign it is in the process of initiating the update download.) I even tried uninstalling/reinstalling Ewido. My connection is stable as well, I have no trouble updating with other programs.

    I really can't explain why I keep having such ridiculous problems with basic stuff. All I can say is sorry, and I hope I am not taking too much of your time with all of this.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  25. MaliceMizer661

    MaliceMizer661 Private E-2

    I got the Ewido signatures, loaded them, ran the scan (the 1st scan I did, not the next one in safe mode.) It picked up some weird spyware item (not lop.com) which is listed in "scan report 1.txt"
    It's called something like Spyware.BingoFun. Is this something completely separate from lop.com, and how does this one in particular get onto a system?

    After, I booted into safe mode according to your instructions. Ran the "scan every file", and all the following steps. No items were found this time though. So the report was blank. So I'm sure posting that report would not be of any use (?).

    Then I rebooted into normal, and did the HJT logfile you requested.

    My main concerns are:
    -Lop.com disappearing and reappearing periodically during various scans.
    -This new spyware.bingofun, I have taken all procedures to avoid new spyware. I use Mozilla. As a matter of fact I have not downloaded one thing since this lop.com thing happened so I'm not sure how this one got on my system.
    -I am so determined to make my system infection-free because I am starting college next week. This is the PC I will need to use for that. I don't want to boot up and have my homework deleted or altered.

    Anyways, I am so grateful for the help you are providing. Without this site my PC would be completely emaciated.

    Thank you.
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HJT and have it fix these entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After you complete the above, your log will be clean. I don't see anything relating to LOP toolbar or anything malicious.

    One thing I would recommend doing is going into Windows Updates and getting all critical updates because there are 3 new WORMS that are spreading quickly so be sure you have the patches installed.

    Reboot a few times after you have updated your computer and see if the problem re-occurs.
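    As an added example (not code from this thread, from HijackThis or from msconfig), the PowerShell script below reads the per-machine and per-user Run keys that the msconfig Startup tab draws from and flags the two conditions raised in this thread: an entry whose name or command is blank, like the nameless HKLM\...\Run item in post 5, and a command whose executable is no longer on disk, which HijackThis reports as "(file missing)". It assumes Windows PowerShell 5.1 or later; the function names are mine, and it only reads the registry.

```powershell
# Added example, not code from the thread or from HijackThis/msconfig.
# Lists every value under the per-machine and per-user Run keys and flags:
#   - blank name / blank command  (the nameless msconfig startup item asked about)
#   - file missing                (the executable the command points to is not on disk)
# Read-only: it never changes the registry. Windows PowerShell 5.1+.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExecutableFromCommand {
    # Extract the program path from a Run value: a quoted path, or else the first token.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-ExecutableExists {
    # Rooted paths are checked directly; bare names (rundll32.exe) resolve through PATH,
    # which is how the shell would start them at logon.
    param([string]$Exe)
    if ([IO.Path]::IsPathRooted($Exe)) { return (Test-Path -LiteralPath $Exe -PathType Leaf) }
    return [bool](Get-Command -Name $Exe -CommandType Application -ErrorAction SilentlyContinue)
}

function Get-SuspiciousRunEntries {
    foreach ($keyPath in $RunKeys) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }                 # key absent, e.g. never populated under HKCU
        foreach ($name in $key.GetValueNames()) {   # '' is the key's (Default) value
            $command = [string]$key.GetValue($name)
            $flags = @()
            if ([string]::IsNullOrWhiteSpace($name))    { $flags += 'blank name' }
            if ([string]::IsNullOrWhiteSpace($command)) { $flags += 'blank command' }
            elseif (-not (Test-ExecutableExists (Get-ExecutableFromCommand $command))) {
                $flags += 'file missing'
            }
            [pscustomobject]@{
                Key     = $keyPath
                Name    = if ($name) { $name } else { '(Default)' }
                Command = $command
                Flags   = ($flags -join ', ')
            }
        }
    }
}

# Show everything, flagged entries first, so an unexplained item stands out.
Get-SuspiciousRunEntries | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

    A flagged entry is a lead to research, not proof of infection: a blank or dangling Run value is just as often the leftover of an uninstalled program as it is a loader that has already been removed.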
     
  27. MaliceMizer661

    MaliceMizer661 Private E-2

    I fixed those items in HJT that you mentioned.

    I also get the most recent updates from Microsoft everyday with auto-update.

    you said:
    "Reboot a few times after you have updated your computer and see if the problem re-occurs."

    Well, ironically enough (annoyingly enough, for you at least...sorry), after a few boots I got a Trojan attack notification from Norton again.

    "Security Alert: High Risk
    A remote computer attempted to connect to your computer on a port commonly used by remote access Trojan Horse. The attempt was blocked."

    Is it normal to get these notifications once in a while like this?

    Thank you.
     
  28. MaliceMizer661

    MaliceMizer661 Private E-2

    Ok and I also booted up today to get another attack notification. I keep trying to go into the Norton Log Viewer to see what it was, but every time I open the "alerts" tab the log viewer completely freezes.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's one reason I got rid of Norton; personally, I would recommend AVG for antivirus and ZoneAlarm for a firewall. Both are free and do a wonderful job.

    It's most likely just Norton being itself.
     
  30. MaliceMizer661

    MaliceMizer661 Private E-2

    I will look into those programs, thanks for the recommendations.

    I figured Norton was slightly "buggy" like that. I suspect the program does those things by default, so the user thinks the program is doing a lot of good.

    So I just want to say thank you for all the help you, and others, have provided me on this site. HJT is one great f***ing program. :cool:

    I will let you know if any new issues arise, which I'm hoping (and I know you are too) doesn't happen for a very long time.

    btw I have supported and recommended this site 100% to all my friends who have spyware/adware on their CPU.

    Thanks again.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  32. MaliceMizer661

    MaliceMizer661 Private E-2

    I've returned with another request for help. So here is my new logfile. There have been many unfamiliar processes running that I have noticed lately. Also multiple pop-up boxes asking me about installing "aimwdinstallstripped.exe" or something like that (?) and these random "nst.tmp" files everywhere. I have looked into what these could be and I am led to believe they are WildTangent (?) Any help would be greatly appreciated ^_^
     

    Attached Files:

  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download CCleaner, reboot into Safe Mode and run CCleaner. Afterwards reboot back into normal mode, Run CCleaner again then attach a fresh HJT log.
     
  34. MaliceMizer661

    MaliceMizer661 Private E-2

    I appreciate the quick response man. OK, I ran CCleaner in safe and normal modes. I still am having 5 install boxes trying to install "AIM web driver install setup":
    "Error opening file for writing C:\DOCUME~1\scott\Temp\AIMWDInstallStripped.exe
    Hit abort to abort installation, retry to retry writing the file, or ignore to skip this file"

    I am afraid to click anything, something tells me even if I click ignore something treacherous will happen. These things keep popping up. btw how do I uninstall viewmanager/viewpoint stuff? It seems to be causing some unauthorized access problems, and I theorize it's the cause of all this.

    thanks.
     

    Attached Files:

  35. MaliceMizer661

    MaliceMizer661 Private E-2

    I'm sorry if this sounds impatient but.....anyone?
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs uninstall anything From Viewpoint and Wild Tangent.

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now scan and have HJT fix the following:
    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following:

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
