Lop Removal Difficulties - Basics Done

Discussion in 'Malware Help (A Specialist Will Reply)' started by kenikin, Apr 27, 2005.

  1. kenikin

    kenikin Private E-2

    I unfortunately downloaded Lop as part of a bundled program. I have been trying to remove it for several days without success. I came here looking for help.

    I first tried the Sticky thread "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal". I followed the steps all the way and thought I had solved the problem. I used the Trend Online Scan, Symantec security scan, put it in safe mode and ran the first round of scans and then the second. When I rebooted to normal mode and turned on system restore I ran an Adaware scan which revealed only 1 problem: Lop.

    Following this I looked around the support forum and found several Lop removal threads. I have now downloaded HijackThis and performed a first scan. I hope I have attached the log file in the correct way. Unfortunately, despite reading the "NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting" thread, there are some returns in my logfile that I do not understand.

    If anyone can help me understand these entries I would be most grateful.

    R1 ..... proxyoverride

    O4 .... blueamok

    O9 .... (no name) extra button

    I'm pretty sure I understand the rest of it so I just need a little help with these.

    Btw I'm running an up-to-date XP SP2 comp with NAV. If you want to ask any questions fire away.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Add/Remove Programs and uninstall the root problem which is: MessengerPlus3

    Note: please read the announcement at the top of the page. Please do not post HJT logs unless requested.

    Note: You never ran the TrendMicro online scanner. Is there a reason why?

    You may want to uninstall this Logitech Desktop Messenger. It seems to add lots of lines to the registry. Fix the lines below using HJT:

    O15 - Trusted Zone: *.westlaw.com
    O18 - Protocol: bw+0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    Now attach a new HJT log so we can fix anything else that remains.
     
  3. kenikin

    kenikin Private E-2

    Thanks for your time. I have uninstalled Messenger Plus 3 and it is not in the Program List of Add/Remove Programs. I did run the Trend Micro Online Scan. Sorry about posting the previous log. Here is the second one following most of your recommendations. westlaw.com is a site I have trusted. Thanks for your help.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    99.9 % of the time there is no reason to have anything in the Trusted Zone. You should not put anything in there unless something you need to run will not work without it. I doubt you need it. Adding items to the Trusted Zone just makes it too easy for baddies to hide themselves that way too.

    Internet Explorer must not be running when you use HijackThis. I see two of them in your log:

    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe

    Were you running two IE sessions?
     
  5. kenikin

    kenikin Private E-2

    I'm pretty sure that I had to add westlaw.com to get past its authentication process. I can double check but I think it's safe. I was not running any IE windows during the scan. Only the HijackThis screen was open. I can run another scan if you want, closing the program down and then re-opening it.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [InfoClockEncCash] C:\Documents and Settings\All Users.WINNT\Application Data\Play bike info clock\antehtm.exe


    Also fix any of the below that you do not recognize as valid.
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/193b2f317b79f5b6aa02/netzip/RdxIE6.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users.WINNT\Application Data\Play bike info clock <--- the whole folder


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log (make sure no browsers that you have opened are running). And tell us how things are working.
     
  7. kenikin

    kenikin Private E-2

    Could I have the list of processes pls.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What list of processes?
     
  9. kenikin

    kenikin Private E-2

    What and where is c:\windows\prefetch? I cannot find it on my c:
     
  10. kenikin

    kenikin Private E-2

    Couldn't find the c:windows\prefetch file but followed the other instructions. Have posted my 3rd log file. I think I am still infected. Are there any suggestions? I had NO windows open. I am accessing your help through a laptop, connected wirelessly.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! That's because you used WINNT instead of Windows for your default Windows install folder. Your prefetch is: c:\winnt\prefetch
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\progra~1\intern~1\iexplore.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lrmxnmdmvhqkepggcr.com/fDWwcvULa87comTKakQ91d4xQS6RoFp677cqRxUDcst3XquCrFZVKXNUzKaksrCf.html
    O4 - HKCU\..\Run: [blueamok] C:\DOCUME~1\EDSTEW~1\APPLIC~1\HOLDPA~1\Funk axis spam.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\progra~1\intern~1\iexplore.exe
    C:\DOCUME~1\EDSTEW~1\APPLIC~1\HOLDPA~1 <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\winnt\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
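
The entry types handled in the replies above (R1, O4, O15, O16, O18) can be triaged mechanically before anyone reads a log line by line. The following is an added example, not part of the original thread and not HijackThis or MajorGeeks code; the sample lines are copied from the posts, and the checks are assumptions chosen to mirror what the helper flagged here.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: entries copied from the posts in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lrmxnmdmvhqkepggcr.com/fDWwcvULa87comTKakQ91d4xQS6RoFp677cqRxUDcst3XquCrFZVKXNUzKaksrCf.html
O4 - HKCU\..\Run: [blueamok] C:\DOCUME~1\EDSTEW~1\APPLIC~1\HOLDPA~1\Funk axis spam.exe
O4 - HKLM\..\Run: [InfoClockEncCash] C:\Documents and Settings\All Users.WINNT\Application Data\Play bike info clock\antehtm.exe
O15 - Trusted Zone: *.westlaw.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/193b2f317b79f5b6aa02/netzip/RdxIE6.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O18 - Protocol: bw+0 - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {583FF994-640F-4EFB-9D4D-4B71AB7D76C3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.+?)\] (.+)$")
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(.*?\))? - (\S+)$")
PROTO = re.compile(r"^Protocol: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Long and 8.3 short forms of the Application Data folder name.
APPDATA = ("\\application data\\", "\\applic~1\\")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings, handlers = [], defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and "= http" in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname
            findings.append((code, "IE setting points at a URL", host))
        elif code == "O4" and (run := RUN.match(body)):
            name, path = run.groups()
            if any(part in path.lower() for part in APPDATA):
                findings.append((code, "autorun from Application Data", name))
        elif code == "O15":
            findings.append((code, "Trusted Zone entry", body.split(": ", 1)[1]))
        elif code == "O16" and (dpf := DPF.match(body)):
            host = urlparse(dpf.group(2)).hostname or ""
            if IPV4.match(host):
                findings.append((code, "ActiveX download from bare IP", host))
        elif code == "O18" and (proto := PROTO.match(body)):
            handlers[proto.group(3)].append(proto.group(1))
    # Collapse repeated O18 lines into one finding per DLL with a handler count.
    for dll, names in handlers.items():
        reason = f"{len(names)} protocol handler(s)"
        findings.append(("O18", reason, dll.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:32} {detail}")
```

A finding here only marks an entry for review; as with the westlaw.com Trusted Zone entry in this thread, the owner of the machine still decides whether it is legitimate.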
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Earlier you said:

    I still see no evidence of it in your HJT log. Did you run the regular version with IE or did you run the Java version?
     
  14. kenikin

    kenikin Private E-2

    The process you listed is not present in the list. The only explorer process listed is C:\WINNT\explorer.exe

    I ran the Java version.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure? Look at your last HijackThis log. It was shown in your log. When you close all of your browser sessions, does it show in an HJT log right now?

    Did you complete the other steps?


    That explains it.
     
