#1
06-11-2006
cartandpeg
Moderator
Join Date: Nov 2005
Location: Victoria, Australia
Posts: 841
[Fixed] Gremlins at work

Hi again all,

I am looking at a friend's system, which was full of trojans, ad-aware and spyware.
Prior to posting these logs I ran Ewido, Norton, CCleaner and Pest Patrol; all of these scans found a lot of the above, which I have deleted.

I had to run these to basically try and get the system stable.

Now to my problems, on start up the following comes up:

Windows cannot find C:\PROGRA~1\SOFTWA~1\Soproc.exe make sure you have typed in name correctly. To search for file click start>search.

I can get rid of that box OK (though it appears each boot up).

Also this comes up when I click on most things to open: msntb_toolbar_full_name# is unable to load its config file. If prob persists reinstall msntb.

I have tried deleting the following from Add/Remove: ninemsn search toolbar. It tells me that this package cannot be opened. Verify patch exists and you can access it or contact the App vendor that this is a valid Windows installer patch.

Also when I go to C drive and programme files and try to remove these two, msn toolbar suite and msn gaming zone, I am told access is denied.

I also have been having the occasional pop up coming up (adverts).

Any help please with these?

As I said prior, I deleted many spywares etc etc when I ran Ewido prior to doing prework.

When I run Pest Patrol this has come up a few times: Trojan.Downloader.Win32.Swizzor.dv

Thank you

Andy

Scan report_20060611.txt.txt

hijackthis.log



Last edited by cartandpeg; 06-11-2006 at 11:41 AM.
#2
06-11-2006
Hengis
PCHF Head Honcho
Join Date: Jan 2004
Location: Southern England
Posts: 11,459
PC Experience: Always learning

You may have some infection in there buddy, let's see what the PC Security experts say when they come online


#3
06-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hya Andy. Let's see if we can clean that up.



1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove) (See quote below!)

2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully one nasty infection is gone.

When removing Lop.com from the Add/Remove screen it may not show up as Messenger Plus; instead, also look for these and remove them:

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer
L.O P. Un insta11
L O.P. Un instal1
Live 0n line Portal
Live.0nli ne Porta1
Window Active


Finally there is a step in the removal process of Messenger Plus where the sponsor asks if you want to uninstall that as well. You have to click YES to this part of the removal process.

If you don't do this correctly then you will have no other choice but to reinstall Messenger Plus and then go through the whole removal process again from the start.

When done with that, boot your PC in safe mode (hit F8 when booting up).

First have a look in add/remove programs for SoftwareOnline and uninstall it if present.


And then fix these with hjt:
(if still present)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj

And then manually delete this folder:

C:\Program Files\SoftwareOnline

Reboot to normal mode and post a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#4
06-12-2006
cartandpeg
Moderator
Join Date: Nov 2005
Location: Victoria, Australia
Posts: 841
Further Info

Hi Joe
I am not sure on how to paste quotes so I will copy and paste.

Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)
This was not in Add/Remove


When removing Lop.com from the Add/Remove screen it may not show up as Messenger Plus instead also look for these and remove them:

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer
L.O P. Un insta11
L O.P. Un instal1
Live 0n line Portal
Live.0nli ne Porta1
Window Active

None of the above showed up in Add/Remove

Quote:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL
C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj

I was able to delete the above first two but I could not find the last one C:\PROGRA~1\SOFTA~1\soproc.exe-pack SoRefRegSoAlertWxLitenna.

Quote
And then manually delete this folder:

C:\Program Files\SoftwareOnline

I could not find this in programmes.

When I reboot the comp I no longer have the following appear on my screen....Windows cannot find C:\PROGRA~1\SOFTWA~1\Soproc.exe make sure you have typed in name correctly. To search for file click start>search.

Please find attached hjt log.

hijackthis.log # 1 This was done in normal mode
hijackthis 2.txt # 2 This was done in safe mode

Thank you very much for your help Joe.

PS I still get some mobile phone ad pop up come up and some prestige casino ads popping up and my pest patrol running in the background tells me something called Swizzor is infecting my comp???

Regards Andy



Last edited by cartandpeg; 06-12-2006 at 05:22 AM.
#5
06-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Originally Posted by cartandpeg
Hi Joe
I am not sure on how to paste quotes so i will copy and paste.

Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)
This was not in Add/Remove


When removing Lop.com from the Add/Remove screen it may not show up as Messenger Plus instead also look for these and remove them:

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer
L.O P. Un insta11
L O.P. Un instal1
Live 0n line Portal
Live.0nli ne Porta1
Window Active

None of the above showed up in Add/Remove

Then maybe Messenger Plus has already been uninstalled in the past. The best thing to do now is reinstall Messenger Plus INCLUDING the sponsors option, and then follow the removal instructions above.

http://www.msgplus.net/


Quote:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL
C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj

I was able to delete the above first two but I could not find the last one C:\PROGRA~1\SOFTA~1\soproc.exe-pack SoRefRegSoAlertWxLitenna.

That's OK, there were only two entries. That is part of the second entry.

Quote
And then manually delete this folder:

C:\Program Files\SoftwareOnline

I could not find this in programmes.

Did you find an entry for it in add/remove programs? If yes, then it might already have been deleted. If not, did you have "hidden files" set to show? (As instructed in the "prework"?)


When I reboot the comp i no longer have the following appear on my screen....Windows cannot find C:\PROGRA~1\SOFTWA~1\Soproc.exe make sure you have typed in name correctly.To search for file click start>search.

Please find attached hjt log.

Attachment 2991 # 1 This was done in normal mode
Attachment 2993 # 2 This was done in safe mode

Thankyou very much for your help Joe.

PS I still get some mobile phone ad pop up come up and some prestige casino ads popping up and my pest patrol running in the background tells me something called Swizzor is infecting my comp???

Regards Andy

Those are probably from the Lop.com (Messenger Plus) infection. See what happens after the reinstall, and then the proper uninstall of it.

When done , please post a new hjt log out of normal mode.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
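
The wrapped O4 entry discussed in the posts above, worked through in code (an added example, not part of the original thread or of HijackThis): it rejoins the continuation line so the excerpt reads as two entries, and extracts the program that `rundll32 shell32.dll,ShellExec_RunDLL` actually launches. The function names and the `exists` callback are assumptions made for this illustration.

```python
import re

# Constructed sample: the two O4 entries quoted in the thread, with the
# second one wrapped onto a new line as it appeared in the quoted reply.
SAMPLE = [
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL",
    r"C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj",
]

ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")
O4 = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
SHELLEXEC = re.compile(
    r"^rundll32(?:\.exe)?\s+shell32(?:\.dll)?,ShellExec_RunDLL\s+(.+)$", re.I)

def join_wrapped(lines):
    """Attach lines that lack the 'O4 - ' style prefix to the entry above."""
    entries = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse_o4(entry):
    """Return hive, value name and the program an O4 autorun really starts."""
    m = O4.match(entry)
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    via = SHELLEXEC.match(cmd)
    launched = via.group(1) if via else cmd  # rundll32 is only the launcher
    # Assumes an unquoted path without spaces (true for 8.3 short names).
    program = launched.split(" ", 1)[0]
    return {"hive": hive, "key": key, "name": name,
            "program": program, "via_rundll32": bool(via)}

def orphaned(entries, exists):
    """Autoruns whose full-path target is gone: the 'Windows cannot find' case."""
    parsed = [p for p in map(parse_o4, entries) if p]
    return [p for p in parsed if "\\" in p["program"] and not exists(p["program"])]

if __name__ == "__main__":
    for p in map(parse_o4, join_wrapped(SAMPLE)):
        print(p)
```

On the affected machine, `os.path.exists` can be passed as `exists`; entries given as a bare file name are skipped because they are resolved through the search path.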

#6
06-13-2006
cartandpeg
Moderator
Join Date: Nov 2005
Location: Victoria, Australia
Posts: 841
the continuing saga

Hi Joe,

Quote
Then maybe messengerplus has already been uninstalled in the past , the best thing to do now is reinstall Messengerplus INCLUDING the sponsors option , and then follow the removal instructions above

I downloaded messenger plus and deleted as per instruction.

Quote
Did you found an entry for it in add/remove programs? If yes , then it might already have been deleted. If not , did you had "hidden files" set to show? (As instructed in the "prework"?

I have show hidden files and folders checked.

Please find attached new HJT log in safe mode.

hijackthis.log

Joe, these are an indication of what Pest Patrol tells me with PP running in the background.
This showed up last night and this morn when I went onto the net, though since I have done as you asked, I have not yet cruised the net or anything to see if this reappears.
Not sure if it is relevant, just thought I would mention it.

A pest has been detected in memory:

Detection Summary
Process: rpjicerv.exe and also fqtjergq.exe (on second warning)
File: C:/DOCUME~1/Wendy/APPLIC~1/FLAPST~1/
PVT: -261720422
PEST- Trojan.Downloader.Win32.Swizzor.

PS Just done a scan with Pest Patrol and only two things came up:

PEST: Lop.com
File Info: HKEY_CURRENT_USER\software\microsoft\internet explorer\newwindows\allow|searchweb2.com

Pest info: Category Spyware C2 media ltd

This shows up twice both the same report.

Thank you kindly

Andy



Last edited by cartandpeg; 06-13-2006 at 04:46 AM.
#7
06-13-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looks like that should be gone now, it's gone from your hjt log anyway. That has now been removed by uninstalling Messenger the proper way.

Boot in safemode again and fix this one with hjt:
(With all browser windows closed)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uqsjopthljaml.info/om3IpA...UrtkPDe2EU1pkT 3CM1k9uyz6vc76.html

Reboot, and post a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

