
boring i know but...



garyhaigh
2006-07-02, 23:48
hi folks,

i have followed all instructions on stickies, read several archives and had a crack at cleaning out, but here i am - still with bl***dy casino pop-ups - time to act, i think. several users on the machine, but i am the sort of administrator - can i clean up from my login or do i have to go to administrator (if so how)?

can you help?

HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:42:04, on 02/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
Q:\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\IM Names\IM-svr.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
Q:\iTunes\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gary\My Documents\Spyware etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {026839F5-D08A-235E-A7F4-14434AAFFF80} - C:\DOCUME~1\Louise\APPLIC~1\DALEFI~1\typestop.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\Gary\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\Gary\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [BT Broadband] D:\bin\IBISCont.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "Q:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IMprocess] C:\Program Files\IM Names\IM-svr.EXE
O4 - HKLM\..\Run: [2Search] C:\Program Files\2search\main.exe
O4 - HKLM\..\Run: [refdashroamgrim] C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\LINKKEEP.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - Q:\iTunes\iPod\bin\iPodService.exe
O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe

Panda virus check:

Incident Status Location

Adware:adware/2search Not disinfected c:\windows\system32\feeds
Potentially unwanted tool:application/winspy.a Not disinfected c:\program files\Winspy
Adware:adware/searchexe Not disinfected Windows Registry
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\cast bind.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\LINKKEEP.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\loudtype.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\MetaRoam.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\Scrooze.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\sectintra.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Gary\Cookies\gary@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Gary\Cookies\gary@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gary\Cookies\gary@ad.yieldmanager[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Gary\Cookies\gary@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gary\Cookies\gary@advertising[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Gary\Cookies\gary@cassava[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Gary\Cookies\gary@offeroptimizer[1].txt
Spyware:Cookie/Reliablestats



THANKS - I 'LL FOLLOW THIS POST UP BUT DO A LOT OF TRAVELLING IN EUROPE SO MAYBE A COUPLE OF DAYS BETWEEN MY POSTS.

thanks guys!

tashi
2006-07-03, 00:51
hi folks,

i have followed all instructions on stickies,

Not quite. :p

BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Please do not post hjt logs in the Spybot forum (http://forums.spybot.info/showthread.php?t=1266) ;)

garyhaigh
2006-07-03, 23:15
Hi Tashi,

great to get a fast response, and....

"give me a hint ???"

- no problem in topic title?

- do i need to run more than one virus checker?

- was i not supposed to post HJT log without being asked?

- for clarity, it is a home computer: members of family use it so i am only home administrator, nothing to do with a commercial set up?

- or did i post thread in wrong forum? if so, sorry for dumbness!

let me know thanks and i'll fix!

cheers

LonnyRJones
2006-07-05, 16:08
Hello
Start Hijackthis and place a check next to these items, if there.
O4 - HKLM\..\Run: C:\Program Files\IM Names\IM-svr.EXE
O4 - HKLM\..\Run: [2Search] C:\Program Files\2search\main.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please Download NoLop to your desktop from one of the links below...
Link 1 (www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16)
Link 3 (http://www.greyknight17.com/spy/NoLop.exe)

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it

Carefully type this series of characters into the lower text area labelled Insert CLSID Here:
026839F5-D08A-235E-A7F4-14434AAFFF80

Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program. --

garyhaigh
2006-07-05, 21:56
Hi Lonny

very excited about this! thanks for getting back so quickly - you could make my family very happy!!

all went as planned which is the first success!!

ok so here's my NoLop.log


NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Gary\My Documents\Spyware etc
05/07/2006
19:41:57

---Infection Files Found/Removed---
C:\Documents and Settings\Laura\Application Data\funklessbib\TWO GRAM FLAP.exe
C:\Documents and Settings\Louise\Application Data\funklessbib\TWO GRAM FLAP.exe
C:\Documents and Settings\Stephanie\Application Data\funklessbib\TWO GRAM FLAP.exe
C:\Documents and Settings\Laura\Application Data\dale film\typestop.exe
C:\Documents and Settings\Laura\Application Data\funklessbib\THISBINDSETUPFORK.exe
C:\Documents and Settings\Laura\Local Settings\Temp\4aa5a9cd.exe
C:\Documents and Settings\Louise\Application Data\funklessbib\THISBINDSETUPFORK.exe
C:\Documents and Settings\Louise\Local Settings\Temp\4abf0cfa.exe
C:\Documents and Settings\Stephanie\Application Data\funklessbib\THISBINDSETUPFORK.exe
C:\Documents and Settings\Stephanie\Local Settings\Temp\4aada9e3.exe
C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\cast bind.exe
C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\LINKKEEP.exe
C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\loudtype.exe
C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\MetaRoam.exe
C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\Scrooze.exe
C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\sectintra.exe
C:\Documents and Settings\Laura\Application Data\funklessbib\juhzrkqk.exe
C:\Documents and Settings\Louise\Application Data\funklessbib\qritjruf.exe
C:\Documents and Settings\Louise\Application Data\funklessbib\rxpmssyf.exe
C:\Documents and Settings\Stephanie\Application Data\funklessbib\mrtlpwbm.exe
C:\Documents and Settings\Stephanie\Application Data\funklessbib\opvagpik.exe
C:\Documents and Settings\Stephanie\Application Data\funklessbib\vdknugmu.exe

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

i'll send the HJT log in next e-mail.

great stuff!!

garyhaigh
2006-07-05, 21:58
hiya

so here's the HJT log


Logfile of HijackThis v1.99.1
Scan saved at 19:56:40, on 05/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
Q:\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\WINDOWS\system32\wscntfy.exe
Q:\iTunes\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gary\My Documents\Spyware etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {026839F5-D08A-235E-A7F4-14434AAFFF80} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\Gary\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\Gary\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [BT Broadband] D:\bin\IBISCont.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "Q:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O4 - Global Startup: NoLop!.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - Q:\iTunes\iPod\bin\iPodService.exe


look forward to hearing next steps

thanks!

LonnyRJones
2006-07-06, 21:35
Looks much better
Fix these items using Hijackthis
O2 - BHO: (no name) - {026839F5-D08A-235E-A7F4-14434AAFFF80} - (no file)
O2 - BHO: (no name) - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - (no file)
===============
Post back with another log in a few days or sooner if there are problems

In the meantime

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
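Added example, not code from this thread, from HijackThis or from Spybot: a small Python parser for HijackThis logs like the two posted above. It flags BHO and startup entries whose file no longer exists ("(file missing)" / "(no file)", the kind of orphaned entries Lonny asks to have fixed), lists autorun targets that launch from Application Data or Temp folders (where the Lop files in this thread lived), and diffs a "before" and "after" log by entry key so a helper can see what a cleanup actually changed rather than eyeballing two long logs. The two embedded logs are constructed abridgements of the logs in this thread, and all function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: abridged versions of the two HijackThis logs in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:42:04, on 02/07/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\IM Names\IM-svr.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {026839F5-D08A-235E-A7F4-14434AAFFF80} - C:\DOCUME~1\Louise\APPLIC~1\DALEFI~1\typestop.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\Gary\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\Gary\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [IMprocess] C:\Program Files\IM Names\IM-svr.EXE
O4 - HKLM\..\Run: [2Search] C:\Program Files\2search\main.exe
O4 - HKLM\..\Run: [refdashroamgrim] C:\Documents and Settings\All Users\Application Data\Move Draw Ref Dash\LINKKEEP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:56:40, on 05/07/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {026839F5-D08A-235E-A7F4-14434AAFFF80} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - (no file)
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\Gary\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\Gary\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")          # R0/R1/F1/O2/O4/... lines
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")              # {8-4-4-4-12} GUID in braces
RUNNAME_RE = re.compile(r"\[([^\]]+)\]")                     # [ValueName] of a Run entry
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Autorun targets under these folders are worth a second look (Lop dropped its files there).
SUSPECT_DIRS = ("\\application data\\", "\\temp\\")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into the running-process list and the scan entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                 # blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def entry_key(line: str) -> Tuple[str, str]:
    """Stable identity for an entry so path changes show as 'changed', not add+remove."""
    kind = line.split(" - ", 1)[0]
    if kind == "O2":                                   # BHOs: keyed by CLSID
        m = CLSID_RE.search(line)
        return (kind, m.group(0).upper()) if m else (kind, line)
    if kind == "O4":                                   # Run entries: keyed by value name
        m = RUNNAME_RE.search(line)
        return (kind, m.group(1)) if m else (kind, line)
    if kind.startswith("R"):                           # IE settings: keyed by value path
        return (kind, line.split("=", 1)[0].rstrip())
    return (kind, line)


def orphaned_entries(entries: List[str]) -> List[str]:
    """Entries whose referenced file HijackThis reports as missing."""
    return [e for e in entries if e.endswith(ORPHAN_MARKERS)]


def run_target(line: str) -> Optional[str]:
    """Executable path launched by an O4 HKLM/HKCU Run entry, or None for other lines."""
    m = RUN_RE.match(line)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                           # quoted path, possibly with arguments
        return rest[1:].split('"', 1)[0]
    idx = rest.lower().find(".exe")                    # unquoted: cut after the first .exe
    return rest[: idx + 4] if idx >= 0 else rest.split(" ", 1)[0]


def suspicious_autoruns(entries: List[str]) -> List[str]:
    """Run entries whose target lives under a user-profile data or temp folder."""
    out = []
    for e in entries:
        target = run_target(e)
        if target and any(d in target.lower() for d in SUSPECT_DIRS):
            out.append(e)
    return out


def diff_logs(before_text: str, after_text: str) -> Dict[str, list]:
    """Compare two logs by entry key: removed, added, and changed entries."""
    before = {entry_key(e): e for e in parse_hjt(before_text)["entries"]}
    after = {entry_key(e): e for e in parse_hjt(after_text)["entries"]}
    return {
        "removed": [before[k] for k in before if k not in after],
        "added": [after[k] for k in after if k not in before],
        "changed": [(before[k], after[k]) for k in before if k in after and before[k] != after[k]],
    }


if __name__ == "__main__":
    report = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added", "changed"):
        print(f"--- {label} ---")
        for item in report[label]:
            print(item)
    print("--- orphaned in after ---")
    for e in orphaned_entries(parse_hjt(LOG_AFTER)["entries"]):
        print(e)
```

Run it as a script to see the three diff sections plus the orphaned BHOs that remain in the second log; point `LOG_BEFORE` / `LOG_AFTER` at full log files to use it on a real pair. Keying O2 by CLSID and O4 by value name is what makes the typestop.exe BHO show up as a changed entry (path to "(no file)") rather than as one removal and one unrelated addition.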

garyhaigh
2006-07-06, 22:44
WOW, THIS IS GREAT!

Lonny, everyone in the family is delighted there are no more pop-ups. Thanks so much. You guys are the best!

i will do the next set of HJT fixes and follow the Prevention advice and post back to let you know success or not (either way)

do you have an anti virus that you recommend?

thanks a lot

LonnyRJones
2006-07-07, 03:34
AVG Free or if possible AVG pro :)

tashi
2006-07-12, 10:03
As the problem appears to be resolved this topic will be archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Glad we could help. :)

garyhaigh
2006-07-14, 00:38
Hi Lonny,

i promised to post back on my nolop problem from last week

...all is well.

i have installed the hosts, extra spyware, firewalls and new AV as per your prevention note.

your support is much appreciated by all our family

thanks