Full Version: Mouse-Over pop-up menu problem
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
sbm
Hey all, I've been looking around the site and seen some excellent assistance here. I've been helping and assisting people in removing spyware from their machines for a while now and this problem is the first one that has completely stumped me. I have a feeling I'm just being stupid... :)

A colleague has recently found that when she hovers her mouse (doesn't click either right or left) over a button (for example, the 'To...' button on an email in Outlook), instead of a ToolTip showing up an annoying 'Context Menu' kind of thing turns up with links to Yahoo and a variety of other websites (CNN, MapQuest, nothing pornographic, surprisingly!). This menu will not seem to go away (i.e. it stays on screen until you actually click on one of the menu items) and it happens on any button that she hovers over (including menu bars, and cells in Excel as well). Annoying to say the least.

Please see the HijackThis log below. I've checked it through myself and not found anything really bad. She does have a fair amount of rubbish installed, but I think that most of it is legit...

---------------------------------------------8<------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 11:54:23, on 29/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Secway\SimpLite-MSN 2.0\SimpLite-MSN.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spoke Client\SpokeSysTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pumatech\Intellisync Lite for NEC 616\Intellisync For NEC.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\********\****'s Documents\****'s Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viewpoint.********.com/**
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ****'s Internet Explorer!
O2 - BHO: (no name) - {7C6B6610-6203-49B8-9952-5D2A85B6D179} - C:\Program Files\Spoke Client\SpokeToolBand.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\QuickLink Desktop\QLIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Spoke - {4FC00340-F75E-4EB5-880C-651A8A76965F} - C:\Program Files\Spoke Client\SpokeToolBand.dll
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-MSN 2.0\SimpLite-MSN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpokeSysTray] "C:\Program Files\Spoke Client\SpokeSysTray.exe" -w
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Intellisync Lite for NEC 616.lnk = ?
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {98A52828-A5D6-11D3-82B8-00104B39A31D} (Onyx Masked Edit Control Class) - http://oep.********.com/onyx/OnyxMaskEdit2Dual.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7991.3297337963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - https://www.partners.extranet.microsoft.com...ch/rootinst.dll
O16 - DPF: {B25BC1C3-8A1B-459C-92E2-2D21025AD7CF} (Installer Class) - http://center.spoke.com/shared/download/SpokeClient.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://********.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.********.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.********.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.********.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.********.com

-------------------------------------------8<---------------------------------------

Oh, Spybot and Ad-Aware have been run; she also contracted the netsearch one a while back, but I managed to kill that. Also, fully up-to-date McAfee is installed and updates and runs on logon every morning, so I'm fairly sure that she is virus and trojan clean.

I've asterisked out some of the identifiable information, so where you see stars (!) that's just me being paranoid...

Any help greatly appreciated.

SBM
CalamityJane
That looks like a clean log.

There are two unknown BHOs there that may be the cause of the annoyance. You may want to check these out and see if it isn't some program she uses that just has an annoying feature in it.

O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\QuickLink Desktop\QLIEHelper.dll

O2 - BHO: (no name) - {7C6B6610-6203-49B8-9952-5D2A85B6D179} - C:\Program Files\Spoke Client\SpokeToolBand.dll

O3 - Toolbar: Spoke - {4FC00340-F75E-4EB5-880C-651A8A76965F} - C:\Program Files\Spoke Client\SpokeToolBand.dll

O4 - HKCU\..\Run: [SpokeSysTray] "C:\Program Files\Spoke Client\SpokeSysTray.exe" -w

However, I do see MessengerPlus running? Be aware that it comes bundled with the LOP parasite and we recommend removal of it (use something spyware-free like Trillian or just Messenger). If she does not, next time she updates it she will receive the LOP hijacker all over again.
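The triage done by eye in the reply above (pull out the O2 BHO lines that carry no name, match them against the O3 toolbar that loads the same DLL, and look at what the O4 Run entries actually launch) can be scripted against a HijackThis log. The Python below is an added example, not code from this thread or from HijackThis; the O2/O3/O4 lines embedded in it are copied from the log posted above, and the regular expressions assume the HijackThis 1.97 line layout shown there. One thing it surfaces that is easy to miss when reading by hand: the `[kmw_run.exe] kmw_run.exe` Run entry has no path at all, so the log cannot tell you which file on disk is the one that runs.

```python
import re
from collections import defaultdict

# O2/O3/O4 lines copied from the HijackThis log posted above (a subset,
# embedded here so the example runs offline).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7C6B6610-6203-49B8-9952-5D2A85B6D179} - C:\Program Files\Spoke Client\SpokeToolBand.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\QuickLink Desktop\QLIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Spoke - {4FC00340-F75E-4EB5-880C-651A8A76965F} - C:\Program Files\Spoke Client\SpokeToolBand.dll
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpokeSysTray] "C:\Program Files\Spoke Client\SpokeSysTray.exe" -w
"""

# O2 (BHO) and O3 (toolbar) lines share one shape: section, display name,
# CLSID in braces, then the module path that implements the COM object.
COM_RE = re.compile(
    r'^(?P<section>O2 - BHO|O3 - Toolbar): (?P<name>.*?) - '
    r'\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.+)$'
)
# O4 Run lines: hive, value name in brackets, then the raw command line.
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$'
)


def parse_hjt(text):
    """Parse O2/O3/O4 lines of a HijackThis 1.97-style log into dicts."""
    entries = {"bho": [], "toolbar": [], "run": []}
    for line in text.splitlines():
        line = line.strip()
        m = COM_RE.match(line)
        if m:
            kind = "bho" if m.group("section") == "O2 - BHO" else "toolbar"
            entries[kind].append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
            })
            continue
        m = RUN_RE.match(line)
        if m:
            entries["run"].append({
                "hive": m.group("hive"),
                "key": m.group("key"),
                "cmd": m.group("cmd"),
            })
    return entries


def unnamed_bhos(entries):
    """BHOs that registered no display name; these need a manual look."""
    return [e for e in entries["bho"] if e["name"] == "(no name)"]


def command_image(cmd):
    """Executable part of an O4 command line: the quoted path if the command
    starts with a quote, otherwise the first whitespace-delimited token
    (good enough to decide whether a drive-letter path is present)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def unqualified_run_entries(entries):
    """O4 entries whose image is a bare file name rather than a full path.
    Such an entry is resolved through the loader's search order at logon,
    so the log alone does not show which file on disk actually runs."""
    return [e for e in entries["run"]
            if not re.match(r"^[A-Za-z]:\\", command_image(e["cmd"]))]


def dll_roles(entries):
    """Map each module path (case-insensitive) to the IE roles it holds,
    so a DLL registered as both BHO and toolbar shows up as one component."""
    roles = defaultdict(set)
    for kind in ("bho", "toolbar"):
        for e in entries[kind]:
            roles[e["path"].lower()].add(kind)
    return dict(roles)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in unnamed_bhos(parsed):
        print("unnamed BHO", e["clsid"], "->", e["path"])
    for path, roles in dll_roles(parsed).items():
        print("module", path, "roles:", ", ".join(sorted(roles)))
    for e in unqualified_run_entries(parsed):
        print("unqualified Run entry", e["hive"], e["key"], "=", e["cmd"])
```

Running it on the full log lists all three BHOs as unnamed, shows `SpokeToolBand.dll` and `googletoolbar1.dll` each holding both the BHO and toolbar roles, and flags only the `kmw_run.exe` entry as lacking a path; the remaining Run entries are fully qualified.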
sbm
Thanks for the swift response. :)

Spoke is a contact management system kind of thing. I've checked it out and although it annoys the hell out of me (uninstalled it after 20 minutes) it looks fairly benign.

The Quick Link Desktop is part of a scanner pen thing. It's a pen for scanning in lines of text for translation and the like...again...looks legit.

The LOP parasite in Messenger Plus? Is that even if you refuse to install the sponsor?
CalamityJane
Have had some folks here with MessengerPlus get a notice to update and BOOM - they get the LOP hijack. I'll see if I can find a link to a recent thread where you can see that happening. Is it really worth keeping if she is a risky user? Just a recommendation, since there are spyware-free alternatives.

I figured those other programs were legit, too - and again - I don't see anything infectious on there. That drop down menu must be part of one of them I suppose and something she will have to live with if she's using those tools.
CalamityJane
Here is the recent thread of a MessengerPlus user who got the update and then had LOP

Help me Help me
mysearch and stuff
http://forum.gladiator-antivirus.com/index...l=messengerplus

We've seen it most often in threads complaining of a hijack to Netsearchsoft lately and it is the LOP parasite (can only be removed in safe mode - very tricky for the average user) - and most often they had MessengerPlus installed.
sbm
That's cool...thanks for the linkage...

Since I was last here I found a nasty keylogger (lodis) that somehow got on her system before the most recent DAT updated the checks (2 morning download failures and a vacation didn't help). I'm putting a few wheels in motion to ascertain where this came from and how it got on her system as she isn't a 'random double-clicker'.

Slightly OT...I agree with you on the upgrade of Messenger Plus. From what I can tell there was a sudden update to the 'sponsor' which made it suddenly more noticeable (and nasty!). If your first install didn't take the sponsor then (I believe) the upgrade wouldn't either (it hasn't for any of my colleagues/friends)...however, if you did the first time then the upgrade of Messenger Plus would update the sponsor as well, making it suddenly VERY noticeable... Of course, I could be wrong...it has been known in the past ;)

I've now seen this 'sponsor' at work first hand (not in the particular case above), and can vouch for the fact that it is a pretty nasty piece of software. I'm a compulsive 'custom installer' so I suppose I manage to spot (and avoid) things fairly quickly.

Anyways, thanks for your help, I'll keep looking to see if I can find the cause of this mouse-over stuff...

SBM