
Spyware & Hi Jack Help

Discussion in 'Malware and Virus Removal Archive' started by Mooselyn, 2005/01/24.

Thread Status:
Not open for further replies.
  1. 2005/01/24
    Mooselyn

    Mooselyn Inactive Thread Starter

    Joined:
    2005/01/24
    Messages:
    2
    Likes Received:
    0
    Hello,
    I have had some endless problems with a spyware (I think it's spyware) from lop.com, where I have endlessly tried to delete it through the Norton instructions and other things.... I have had NO success. I also have Adware SE, which doesn't seem to be able to recognize the registry key to get rid of the advertisements, the search thing that shows up at the bottom of the screen, and the pop-up ads. I finally got fed up and just blocked the lop.com URL with my firewall, but that still leaves me problems with pop-ups and the fact that it's living on my computer.

    A friend has referred me to run HijackThis; however, I am not sure what to delete or where to go after I delete keys from what it detects, to try to get rid of Lop.com and anything else it probably installed. So below is a copy of my log file from HijackThis:

    --------------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 2:02:59 AM, on 1/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\MySoftware\MyInvoices\tracker.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\WINNT\system32\RUNDLL32.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\BRMFRSMG.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Moosie Girl\My Documents\download\northwoodcabin\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countryprimitivestop.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {98AC4B11-875C-7D83-E150-7E17FCAA553A} - C:\DOCUME~1\Mooselyn\APPLIC~1\MP3HOL~1\amok close.exe
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500 "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [grimmemorulemeta] C:\Documents and Settings\All Users\Application Data\pingthunkgrimmemo\openplan.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://bmt.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://bmt.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://bmt.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab30149.cab

    --------------------------------------------------------------------------
    Any help and suggestions are very much appreciated, as I am tired of this Lop.com living on my computer.

    Thank you and have a great day,
    Mooselyn
    P.S. Is the file (CTHELPER.EXE-0F3039D9.pf) normal to have on your computer?
     
  2. 2005/01/24
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Hello Mooselyn,
    Without really going over your log, I see immediately that you are using an older version of HijackThis. Please see these and use the applicable links and sublinks:
    If a virus infection has been confirmed or is strongly suspected, this is a recent reply I posted to suggest a "rule of thumb" routine for cleaning. It is meant to be a helpful guideline. Ignore the parts referring to the user's virus program or comments meant for him specifically. (Be aware that disabling/enabling "system restore" removes all but a newly made recent restore point. That is desirable, since restore points can hold/harbor infection.)
    http://www.windowsbbs.com/showpost.php?p=215409&postcount=4

    This is the stickie found tacked at the top of forum:
    http://www.windowsbbs.com/showthread.php?t=37074

    Other virus forum stickies of interest:
    http://www.windowsbbs.com/showthread.php?t=31695

    http://www.windowsbbs.com/showthread.php?t=31535

    Links to the most recent versions of Lavasoft, Spybot and HijackThis, as well as the more popular free online scanner sites, are either on the forum stickie list (tacked to the top of the forum) or within members' signatures.

    And last but not least, this is handy to have as a precaution (only to be used if needed). While cleaning critters, sometimes the unforeseen can happen. While most boo-boos encountered after an adware cleaning can be reversed from within the program used, if it was allowed to make a backup, if it happens to involve Winsock or the ISP connection, this fix is more desirable to try first:
    lspfix.exe
    http://cexx.org/lspfix.htm

    Another handy dandy specialist I wouldn't do without, as I find it soothing to have the added peace of mind when I run it. It may be considered overkill by some, but I am one of those people that, when killing a bug, will jump on with both feet and keep stomping until it is dead way beyond recognition or reincarnation.
    http://vil.nai.com/vil/stinger/

    Useful for those who wish to venture into learning how to run these cleanups themselves (while the latest HijackThis has a good help file for reference when trying to figure out whether you should select an item for fixing, this can also be informative):
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

    -----personal comment-----
    Not knowing where you fall in the following synopsis, you may find much of this information redundant, but many, in a panic or merely frustrated beyond human tolerance, forget about these stickies or fail to use them at all. They're treasure chests, either as yet undiscovered or forgotten, but should be opened frequently just to remind oneself of how truly rich they are (referring to the stickies).
     
    Last edited: 2005/01/24


  4. 2005/01/24
    Mooselyn

    Mooselyn Inactive Thread Starter

    Joined:
    2005/01/24
    Messages:
    2
    Likes Received:
    0
    Thanks...

    Hi,
    Well, I see that going to the stickies might help those who know directly what they are seeking or doing; I, on the other hand, am totally up in ends with my computer and the endless pop-up ads, where neither spyware nor Norton is detecting spyware or viruses. Considering the fact that I don't have a lot of experience with what is appropriate to delete in the registry keys or even through the C drive, I only risk making matters worse and not knowing how to undo them.

    I read the stickies, but like I said, without knowing what I'm dealing with or where to search, it is looking like I am going to need to reformat the computer and just start from scratch again, which I really wish I didn't need to do.

    Now my Windows is popping up error messages, and again I don't know how to fix it or why it's doing it. My Spybot Search and Destroy won't work; I have uninstalled and reinstalled it two times, still the same error, so again I am getting nowhere close to solving the problems.

    Anyhow, thanks for the lengthy post. I hope that it helps others in the long run.

    I did, however, go to safe mode and clean out temp files; that didn't seem to make a difference though.
     
  5. 2005/01/25
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Hang in there Mooselyn,
    I in no way meant to discourage you enough to abandon ship and opt for a format/install. The information was meant as that: purely guidelines or "informational reading for the curious", to be taken and used or not used based on your experience level and abilities. You do need to download and use the current version of HijackThis, per the forum stickie, though. The stickie How-Tos are quite easy to follow and are even numbered in sequential steps, in the order in which to do them. (We don't expect you to use every online scanner, but have given you a list to choose from.)
    Here's Stickie link again:
    http://www.windowsbbs.com/showthread.php?t=37074

    You have at least two problems that I can see right away and one that is questionable.

    1] Your lop.com problem is from bundled adware that came with your Messenger Plus program:
    http://www.windowsbbs.com/showthread.php?t=37666&highlight=lop.com

    2] And you have a trojan running: (the C:\WINNT\system32\RUNDLL32.exe combined with O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C)
    See:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BRDUPDATE.D&VSect=T

    3] O2 - BHO: (no name) - {98AC4B11-875C-7D83-E150-7E17FCAA553A} - C:\DOCUME~1\Mooselyn\APPLIC~1\MP3HOL~1\amok close.exe

    You may have more problems but these stand out.

    Minor startup application capable of producing headaches:
    cthelper.exe (Creative Plugin Helper) - Details
    cthelper.exe is a utility program that is used as an interface by third party software vendors and manufacturers to integrate their software with Creative soundcards and drivers. Normally this process would be left alone, however it has been reported to consume 100% CPU time and cause other system problems. It should be removed from your system, unless you find that doing so causes further problems.

    Again, a minor problem and usually left to the user's preference, but you also have a few auto-updaters running. This may be no problem, but it has the potential to bog down a web connection and surfing and strain the CPU resources of a less capable machine. Generally you can opt to disable this type of behavior within the program's options and choose to check for updates when you desire, rather than allowing these to run rampant.

    One of the forum experts will be along to help guide you on the proper steps needed to be taken for your cleaning process. While removing your Cmedia lop.com critter may be as easy as the "past post link" I gave you reported, this particular critter can be tricky. I think you need one of the more experienced Virus Guru (Angels) Members to step in here. Sorry for any misunderstanding my previous post may have had. I never intended for you to assume that you were to be left fending for yourself.
     
    Last edited: 2005/01/25
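The three items goddez1 singles out above share a few generic red flags in a HijackThis log: an O2/O4 entry that loads from a user-writable profile directory, a Run value whose name is a bare GUID, and rundll32 handed a DLL by bare name (so it is resolved via the search path) with random-looking hex names for the DLL and entry point. The script below is an added triage example, not code from the thread or from the HijackThis project, that parses O2 and O4 lines and reports which of those flags each entry trips. The sample log is constructed from lines of the log posted in this thread; the heuristics and all function names are my own, and a hit means "review this entry", not "this is malware" (benign software occasionally lives in Application Data too).

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {98AC4B11-875C-7D83-E150-7E17FCAA553A} - C:\DOCUME~1\Mooselyn\APPLIC~1\MP3HOL~1\amok close.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [grimmemorulemeta] C:\Documents and Settings\All Users\Application Data\pingthunkgrimmemo\openplan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
"""

# Line grammars for the two HijackThis sections this example handles (O2 = BHO, O4 = Run key).
ENTRY_RE = {
    "O2": re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$'),
    "O4": re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$'),
}

# Profile locations (long and 8.3 short forms) that any user can write to.
USER_WRITABLE = ("documents and settings", "docume~1", "application data", "applic~1")
GUID_RE = re.compile(r'^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$')
# A file or export name made only of hex digits (8+), optionally with a 3-letter extension.
HEXNAME_RE = re.compile(r'^[0-9A-Fa-f]{8,}(\.[A-Za-z]{3})?$')


def parse_line(line):
    """Return (section, fields) for an O2/O4 line, or None for anything else."""
    for kind, rx in ENTRY_RE.items():
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None


def rundll32_target(cmd):
    """If cmd invokes rundll32, return (dll, entrypoint); otherwise None."""
    parts = cmd.split(None, 1)
    if len(parts) < 2 or not parts[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    # rundll32 syntax is <dll>,<entry>; the DLL path may be quoted and may contain spaces,
    # so split at the last comma rather than the first whitespace.
    dll, _, entry = parts[1].strip().strip('"').rpartition(",")
    return dll.strip().strip('"'), entry.strip()


def assess(kind, fields):
    """Return the list of heuristic reasons an entry deserves a closer look (empty = none)."""
    reasons = []
    target = fields["path"] if kind == "O2" else fields["cmd"]
    if any(marker in target.lower() for marker in USER_WRITABLE):
        reasons.append("loads from a user-writable profile directory")
    if kind == "O4":
        if GUID_RE.match(fields["key"]):
            reasons.append("Run value name is a bare GUID")
        rd = rundll32_target(fields["cmd"])
        if rd:
            dll, entry = rd
            if "\\" not in dll:
                reasons.append("rundll32 loads a DLL by bare name (resolved via search path)")
            if HEXNAME_RE.match(dll) or HEXNAME_RE.match(entry):
                reasons.append("rundll32 DLL/entry point is a random-looking hex string")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return the flagged O2/O4 entries with their reasons."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, fields = parsed
        reasons = assess(kind, fields)
        if reasons:
            findings.append({"kind": kind, "line": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run against the sample, it flags exactly the three entries called out in the post above (the `amok close.exe` BHO, the GUID-named rundll32 entry, and the `openplan.exe` Run value) and stays quiet on the NVIDIA and Symantec entries. The two-stage split, a strict per-section parser followed by separate heuristics, is deliberate: it lets you extend the parser to other sections (O16, O20, O23) without touching the scoring, and keeps each reason string tied to a single, explainable rule.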
  6. 2005/01/25
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Information overload maybe.

    Start by getting the latest version of Hijackthis (quicklinks in my signature) and doing a fresh scan then post that result.
     
    Newt,