TechSpot

I've picked up something called Hope That.exe

By philphil
Feb 14, 2007
  1. I've picked up something called hope that exe. It's in my registry, where it keeps coming back to life even after I've removed it. In my Windows Task Manager there are usually 2-3 iexplore.exe's running. When I kill them they come back to life. Also, IE7 keeps opening up and showing whole-page ads. Is there any way to remove it, or is it a new Windows XP install? I've run ewido, nod32, counter spy, spysweeper and spyware doctor and they have all missed this. Many thanks, phil
     
  2. tomrca

    tomrca TS Rookie Posts: 1,000

    Hi philphil, welcome to TechSpot. Seeing that you have a problem, would you GO HERE and follow all the instructions? This will be the first step to put right your PC. Remember to rename hijack this to analyse this, and that it is within its own folder in prog files. See you soon :wave:

    post your log as an attachment
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Before doing anything else, go and read this thread HERE and post a HJT log as an attachment into this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of philphil only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. philphil

    philphil TS Rookie Topic Starter

    add on to ' infected with hope that. exe

    Hi Howard. I followed the instructions on searching for adaware and spyware. I still have the hope that.exe in my registry; I get fewer instances of IE opening up.
    The hope that exe doesn't show up on the hijack this log, but it's still here. What can I do next? Thanks, phil
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can see nothing nasty in your HJT log. However, something`s not right.

    I`ve got a feeling that the Hope That.exe file is probably related to the lop trojan.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running as this will require a reboot
    Double click NoLop.exe to run it
    Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, Click OK
    Now click the "REBOOT" Button.
    A Message should popup from NoLop.
    If not, double click the program again and it will finish.
    Please post the contents of C:\NoLop.log.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Then, go HERE and follow the instructions for AVG Antispyware and Combofix.

    Post the C:\NoLop.log as well as Combofix, AVG antispyware and HJT logs.

    Regards Howard :)

     
  6. philphil

    philphil TS Rookie Topic Starter

    Hi Howard, thanks for your advice. That NoLop worked, it found something. AVG took 2 trojans out, but as you see hope that is still hiding in my registry, though the constant popups of IE seemed to have slowed down. Here are the logs you asked for. I tried on Combofix but I got a message from that website saying it had been compromised and not to use it.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I really need to see a Combofix log. Please run the programme and post the log in your next reply.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    Port_RockXP_v5.exe
    HOPE THAT.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKCU\..\Run: [pile flag] C:\DOCUME~1\USER\APPLIC~1\CHICCO~1\HOPE THAT.exe

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\DOCUME~1\USER\APPLIC~1\CHICCO~1<Delete the entire folder
    C:\Documents and Settings\USER\My Documents\My Music\Make Windows 100% Genuine in 2 Seconds<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as the Combofix log.

    Regards Howard :)

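Added example, not part of Howard's post or of any tool named in this thread: a small Python triage of HijackThis lines like those in the fix list above. It flags Run-key autostarts that launch from a per-user data folder (the pattern of the HOPE THAT.exe entry) and IE buttons whose file is missing; the heuristics, the name `triage` and the SynTPEnh line are assumptions made for illustration, while the other sample lines are copied from the post.

```python
import re

# Four lines copied from the fix list in the post above, plus one
# constructed benign entry (SynTPEnh) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [pile flag] C:\DOCUME~1\USER\APPLIC~1\CHICCO~1\HOPE THAT.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -
"""

# O4 = autostart entry: hive, Run-style key, value name, command line.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Per-user data folders on XP, in long form or 8.3 short form
# (DOCUME~1\<user>\APPLIC~1 is Documents and Settings\<user>\Application Data).
PROFILE_DATA_RE = re.compile(
    r"\\(documents and settings|docume~\d)\\[^\\]+\\"
    r"(application data|applic~\d|local settings|locals~\d)\\",
    re.IGNORECASE,
)


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look.

    These are heuristics only: a hit is a prompt for manual review,
    and a miss does not mean the entry is safe.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m and PROFILE_DATA_RE.search(m.group("cmd")):
            findings.append((line, "autostart launches from a per-user data folder"))
        elif line.startswith("O9 - ") and line.endswith("(no file)"):
            findings.append((line, "IE extra button whose file is missing"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

The AOL Toolbar and O16 lines are not flagged by these two rules; they were picked out for fixing by the helper's own judgement of the log.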
     
  8. philphil

    philphil TS Rookie Topic Starter

    I've tried to get Combofix twice, but I get this text: (The tool, ComboFix has been temporarily withdrawn.

    The author discovered a rootkit infection that will interfere with ComboFix's running.

    This will cause Combofix to be UNSAFE FOR USE on your machine.

    Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

    Apologies for any inconvenience caused)

    Is there anything else to use that can take Combofix's place?

    phil..
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`m sorry, I wasn`t aware of the Combofix problem. I have just downloaded and tried to run it myself and I got exactly the same results as you did.

    I have therefore withdrawn the Combofix instructions from my thread HERE. Thanks for the info. Hopefully, this issue will be resolved soon.

    Unfortunately, I don`t know of any other application like Combofix, so we`ll just have to continue without it.

    Please post a fresh HJT log after following the instructions(minus Combofix) and let me know how your system is running.

    Regards Howard :)

     
  10. philphil

    philphil TS Rookie Topic Starter

    That seems to have done the trick....

    Hi Howard...
    I managed to find (hope that.exe), C:\Documents and Settings\USER\My Documents\My Music\Make Windows 100% and 2 other nasties. They've been bleached. I did what you said in hijack this, and those 4 lines have been deleted.
    I have no signs of iexplore.exe in my processes list on Task Manager. Thanks again for your help. It seems my PC is clean, just have to watch what I download.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
