
Lop won't go away even after Ad-aware/Spybot

Discussion in 'Virus & Other Malware Removal' started by Insomniduck, Jun 17, 2003.

Thread Status:
Not open for further replies.
  1. Insomniduck

    Insomniduck Thread Starter

    Joined:
    Jun 17, 2003
    Messages:
    5
    This is getting ridiculous! I've already gotten rid of the mysearch and whazit toolbars last night but there don't seem to be any easy solutions to fixing this one. And, I do NOT have this "round icon in the taskbar" that I can supposedly right click on to uninstall. All of the ones there are completely familiar. Spybot and Ad-aware detected parts of it at first, then I guess cleaned up those parts, but the toolbar is still working after reboot. They aren't detecting anything now (Ad-Aware keeps crashing, however, so it hasn't finished a complete scan yet.)

    -The affected browser is IE 6.0.28
    -This toolbar is apparently called aieepdnzfnu.
    -I'm running XP Home...I'm going to try a System Restore but I'm not sure that will fix this problem.

    Also, does anyone know if Opera7 is vulnerable to this? I've been using it since to search for help, which often leads me to pages that Spybot warns me (when I'm using IE at least) are trying to install "c2.lop."
     
  2. Insomniduck

    Insomniduck Thread Starter

    Joined:
    Jun 17, 2003
    Messages:
    5
    Well, after reading about HijackThis for the first time tonight I did a scan...I don't know if this will help but it did locate one of the DLLs that Spybot warned me about last night (fstxptees.dll) so I guess it fixed that at least. I'm the sole user and have admin rights on my main account (which I hear may not have been the greatest idea, but oh well) so I'm not sure what contentwatch.com is doing in there.

    Logfile of HijackThis v1.94.0
    Scan saved at 1:19:38 AM, on 6/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=203
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=203
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://education.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://education.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=203
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=203
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=203
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINDOWS\newones.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: (no name) - {54a978ff-a1f5-4bd7-baa3-696d4fc010fd} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
    O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: aieepdznfru - {3b42202d-3607-4d0d-93b0-00f09a36cb4c} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\DRIVERS\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Messenger\ypager.exe -quiet
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37510.8980324074
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://bins.whazit.com/trinsic/downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = H13990.tjem.com
    O17 - HKLM\Software\..\Telephony: DomainName = H13990.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{239D8871-4581-4FAE-B24F-38D16441432E}: Domain = H13990.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3DDDE-3417-4890-9729-A68DC9648323}: Domain = H13990.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD3437D-E477-45ED-88C1-A5570D928A0B}: Domain = H13990.tjem.com
     
  3. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,259
    Make sure all! Internet Explorer windows are closed (and any other browser - you may wish to check your running tasks) - run HijackThis and place a check beside the following items in bold and use the FIX button - reboot.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=203
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=203
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=203
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=203
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=203
    O2 - BHO: (no name) - {54a978ff-a1f5-4bd7-baa3-696d4fc010fd} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
    O3 - Toolbar: aieepdznfru - {3b42202d-3607-4d0d-93b0-00f09a36cb4c} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http//bins.whazit.com/trinsic/downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = H13990.tjem.com
    O17 - HKLM\Software\..\Telephony: DomainName = H13990.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{239D8871-4581-4FAE-B24F-38D16441432E}: Domain = H13990.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3DDDE-3417-4890-9729-A68DC9648323}: Domain = H13990.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD3437D-E477-45ED-88C1-A5570D928A0B}: Domain = H13990.tjem.com


    I don't know what these are, and if you don't either, then check them for deletion also. They are very suspicious.
    O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINDOWS\newones.dll
    O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

    *************************
    For info, this is LOP (along with the O17's)
    O2 - BHO: (no name) - {54a978ff-a1f5-4bd7-baa3-696d4fc010fd} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
    O3 - Toolbar: aieepdznfru - {3b42202d-3607-4d0d-93b0-00f09a36cb4c} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
    (here's some info on it - slightly out of date)
    http://www.doxdesk.com/parasite/lop.html
     
  4. Insomniduck

    Insomniduck Thread Starter

    Joined:
    Jun 17, 2003
    Messages:
    5
    Thank you IMM!

    Still, I gotta hand it to Microsoft...I think they may have finally done something right. (You know the world is coming to an end when...) It seems that System Restore cleaned everything up, no hassle.

    This is the newest scan...if anyone sees anything that it might've missed please let me know. Also, is it safe to get rid of all of this stuff, or is that dangerous? I mostly just want to get rid of the MoneySide and Real.com buttons but just for future reference. Thanks!

    Logfile of HijackThis v1.94.0
    Scan saved at 1:53:04 AM, on 6/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://education.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\DRIVERS\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37510.8980324074
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,259
    This looks pretty strange

    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe

    Had a recent virus scan?? Perhaps damage to the registry?
    I'd get rid of it anyway.

    Don't get rid of all this stuff - a lot of it is necessary!!
    Still - you should be ok killing those buttons. If you haven't noticed - in HJT the config button > Backups will lead you to a restore removed line type function.
    With internet related stuff the browser should always be closed first before deleting any of these registry entries using HJT.
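
Added example, not part of the original thread: a short Python diff of two HijackThis logs, run on lines excerpted from the two scans posted above. It shows which entries disappeared after the System Restore and which are new, including the `WkDetect.exe` Run entry questioned in this reply. The function names are illustrative assumptions.

```python
import re

# A HijackThis entry is a section code (R0, O2, O16 ...), " - ", then the detail text.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

# Constructed sample: lines excerpted from the first scan in this thread.
BEFORE = r"""Logfile of HijackThis v1.94.0
Scan saved at 1:19:38 AM, on 6/17/2003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=203
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {54a978ff-a1f5-4bd7-baa3-696d4fc010fd} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
O3 - Toolbar: aieepdznfru - {3b42202d-3607-4d0d-93b0-00f09a36cb4c} - C:\DOCUME~1\HJ\APPLIC~1\fstxptees.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\Software\..\Telephony: DomainName = H13990.tjem.com
"""

# Constructed sample: lines excerpted from the scan taken after System Restore.
AFTER = r"""Logfile of HijackThis v1.94.0
Scan saved at 1:53:04 AM, on 6/17/2003
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
"""

def parse_log(text):
    """Return the set of (section, detail) entries; header lines are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def section_key(entry):
    # Order as HijackThis prints: R sections first, then O sections by number.
    code = entry[0]
    return (code[0] != "R", int(code[1:]), entry[1])

def diff_logs(before, after):
    """Return (removed, added): entries only in `before`, entries only in `after`."""
    b, a = parse_log(before), parse_log(after)
    return sorted(b - a, key=section_key), sorted(a - b, key=section_key)

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for tag, rows in (("-", removed), ("+", added)):
        for code, detail in rows:
            print(tag, code, "-", detail)
```

Entries marked `+` are the ones to review by hand: they were not in the earlier scan, so neither the scanners nor the restore accounts for them.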
     
  6. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,788
  7. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,259
    ???????\
    That's a hell of a path to the file!
     
Short URL to this thread: https://techguy.org/140353