I've picked up something called Hope That.exe

  #1  
Old 02-14-2007
Newcomer, in training
 
Member since: Feb 2007, 5 posts

I've picked up something called hope that exe. It's in my registry, where it keeps coming back to life even after I've removed it. In my Windows Task Manager there are usually 2-3 iexplore.exe's running. When I kill them they come back to life. Also, IE7 keeps opening up and showing whole-page ads. Is there any way to remove it, or is it a new Windows XP install? I've run ewido, nod32, counter spy, spysweeper and spyware doctor and they have all missed this. Many thanks, phil
  #2  
Old 02-14-2007
TechSpot Addict
 
Location: sunderland, tyne and wear
Member since: Jun 2005, 1,050 posts
Hi philphil. Welcome to TechSpot. Seeing that you have a problem, would you GO HERE and follow all the instructions. This will be the first step to put right your PC. Remember to rename hijack this to analyse this, and that it is within its own folder in prog files. See you soon.

Post your log as an attachment.
  #3  
Old 02-14-2007
Banned
 
Member since: Aug 2004, 25,945 posts
[B]Hello and welcome to Techspot.[/B]

Before doing anything else, go and read this thread [URL="http://www.techspot.com/vb/topic19133.html"]HERE[/URL] and post a HJT log as an attachment into this thread.

Regards Howard

[color=red][b]This thread is for the use of[/b][/color] philphil [color=red][b]only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/b][/color]
  #4  
Old 02-15-2007
Newcomer, in training
 
Member since: Feb 2007, 5 posts
Add on to 'infected with hope that.exe'

Hi Howard. I followed the instructions on searching for adaware and spyware. I still have the hope that.exe in my registry; I get fewer instances of IE opening up.
The hope that exe doesn't show up on the hijack this log, but it's still here. What can I do next? Thanks, phil
Attached Files
File Type: txt hijackthis log 15.feb.txt (10.7 KB, 3 views)
  #5  
Old 02-15-2007
Banned
 
Member since: Aug 2004, 25,945 posts
I can see nothing nasty in your HJT log. However, something's not right.

I've got a feeling that the Hope That.exe file is probably related to the lop trojan.

Please Download NoLop to your desktop from one of the links below...
[url]http://www.spywareedge.net/nolop/NoLop.exe[/url]
[url]http://www.thespykiller.co.uk/forum/...pmod;dl=item16[/url]

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop.
If not, double click the program again and it will finish.
Please post the contents of C:\NoLop.log.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- [url]http://www.boletrice.com/downloads/mscomctl.ocx[/url]

Then, go [URL="http://www.techspot.com/vb/topic58138.html"]HERE[/URL] and follow the instructions for AVG Antispyware and Combofix.

Post the C:\NoLop.log as well as Combofix, AVG antispyware and HJT logs.

Regards Howard

  #6  
Old 02-15-2007
Newcomer, in training
 
Member since: Feb 2007, 5 posts
Hi Howard, thanks for your advice. That nolop worked; it found something. AVG took 2 trojans out. But as you see, hope that is still hiding in my registry, though the constant popups of IE seemed to have slowed down. Here are the logs you asked for. I tried on combofix but I got a message from that website saying it had been compromised and not to use it.
Attached Files
File Type: txt Report-Scan-20070215-183456 avg spyware.txt (1.5 KB, 1 views)
File Type: txt hijackthis 15 feb. 6 pm.txt (11.2 KB, 1 views)
File Type: txt NoLop log..15.feb.txt (4.4 KB, 1 views)
  #7  
Old 02-15-2007
Banned
 
Member since: Aug 2004, 25,945 posts
I really need to see a Combofix log. Please run the programme and post the log in your next reply.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

[b]Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial61.html"]HERE[/URL].

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial62.html"]HERE[/URL].


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

Port_RockXP_v5.exe
HOPE THAT.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKCU\..\Run: [pile flag] C:\DOCUME~1\USER\APPLIC~1\CHICCO~1\HOPE THAT.exe

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -

Click on the fix checked button.

Close HJT.

Locate and delete the following [b]bold[/b] files and/or directories(if there).

C:\DOCUME~1\USER\APPLIC~1\[b]CHICCO~1[/b]<Delete the entire folder
C:\Documents and Settings\USER\My Documents\My Music\[b]Make Windows 100% Genuine in 2 Seconds[/b]<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as the Combofix log.

Regards Howard


Last edited by howard_hopkinso; 02-15-2007 at 03:16 PM..
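
An added example (not part of the thread and not code from HijackThis): a small triage script for HijackThis-style log lines of the shape quoted in the post above. The `review` function and its three heuristics are assumptions made for illustration, and they generalise beyond this one infection; the `ExampleTray` line is constructed for contrast.

```python
import re

# Constructed sample: the four entries quoted in the post above, plus one
# made-up benign O4 line (ExampleTray) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [pile flag] C:\DOCUME~1\USER\APPLIC~1\CHICCO~1\HOPE THAT.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
# "HKCU\..\Run: [value name] command line"
RUN_VALUE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# A per-user Application Data folder, in long or 8.3 short form.
PROFILE_APPDATA = re.compile(
    r"\\(?:DOCUME~\d|Documents and Settings)\\[^\\]+"
    r"\\(?:APPLIC~\d|Application Data)\\",
    re.IGNORECASE,
)

def review(log_text):
    """Return (section, reason, detail) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            run = RUN_VALUE.match(body)
            # Heuristic 1: autorun target lives in a user's Application Data.
            if run and PROFILE_APPDATA.search(run.group(4)):
                findings.append((section, "autorun from Application Data", run.group(4)))
        elif body.endswith("(no file)"):
            # Heuristic 2: registered component whose file is missing.
            findings.append((section, "component has no file on disk", body))
        elif section == "O16" and body.endswith("-"):
            # Heuristic 3: ActiveX entry with an empty download source.
            findings.append((section, "ActiveX entry with empty source", body))
    return findings

if __name__ == "__main__":
    for section, reason, detail in review(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

The AOL Toolbar line is not flagged by these heuristics because it points at an existing file under Program Files; deciding to fix it, as the post does, is the helper's judgement rather than something a pattern match can settle.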
  #8  
Old 02-15-2007
Newcomer, in training
 
Member since: Feb 2007, 5 posts
I've tried to get combofix twice, but I get this text: (The tool, ComboFix has been temporarily withdrawn.

The author discovered a rootkit infection that will interfere with ComboFix's running.

This will cause Combofix to be UNSAFE FOR USE on your machine.

Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

Apologies for any inconvenience caused)

Is there anything else to use that can take combofix's place?

phil..
  #9  
Old 02-15-2007
Banned
 
Member since: Aug 2004, 25,945 posts
I'm sorry, I wasn't aware of the Combofix problem. I have just downloaded and tried to run it myself and I got exactly the same results as you did.

I have therefore withdrawn the Combofix instructions from my thread [URL="http://www.techspot.com/vb/topic58138.html"]HERE[/URL]. Thanks for the info. Hopefully, this issue will be resolved soon.

Unfortunately, I don't know of any other application like Combofix, so we'll just have to continue without it.

Please post a fresh HJT log after following the instructions(minus Combofix) and let me know how your system is running.

Regards Howard

  #10  
Old 02-15-2007
Newcomer, in training
 
Member since: Feb 2007, 5 posts
That seems to have done the trick....

Hi Howard...
I managed to find (hope that.exe), C:\Documents and Settings\USER\My Documents\My Music\Make Windows 100% and 2 other nasties. They've been bleached. I did what you said in hijack this, and those 4 lines have been deleted.
I have no signs of iexplore.exe in my processes list on Task Manager. Thanks again for your help. It seems my PC is clean; just have to watch what I download.
Attached Files
File Type: txt hijackthis log 8 .20 pm.txt (10.7 KB, 1 views)
  #11  
Old 02-15-2007
Banned
 
Member since: Aug 2004, 25,945 posts
Your HJT log is now clean.

[b]Turn off system restore.(XP/ME only)[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial56.html"]HERE[/URL].

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard
