[Cmather]

Hi,

When I go online, I get up to three or more pop-ups, just on the home page. Any web page I visit also gets pop-ups, and the pop-up blocker on the internet explorer is not able to block them. Also, there is a blue search toolbar at the bottom of the page, and a few search options at the top. I have been unable to get rid of any of this.
I ran Ad-aware, which did nothing, then I used Microsoft Anti-spyware, which has always worked in the past. It picked up on a few spyware programs, and a trojan. I deleted these files, but it did not get rid of the toolbars or pop-ups. Also, I noticed my computer restarts for no reason, and usually without warning. These were a few things Microsoft Anti-Spyware found and treated:

-Threats
C2.Lop Spy ware (removed)
AdultLinks.QBar Browser Plug-in (removed)
WhenU.SaveNow Adware (removed)
Messenger Plus! Software Bundler (removed)
BearShare Software Bundler (removed)
NewDotNet Browser Plug-in (removed)
NCase Browser Modifier (removed)

Any help you could give would be greatly appreciated; I really hope to get rid of whatever is doing this to my computer.
Thank you!

HijackThis! Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:35:47 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\mcafee.com\Agent\mcagent.exe
c:\program files\mcafee.com\agent\mcupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\MSN Apps\Updater\01.02.0001.1004\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\new\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hbrpfdgsg...iaJsKfJ2TNq.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hbrpfdgsg...iaJsKfJ2TNq.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0001.1004\en-xu\stmain.dll
O2 - BHO: (no name) - {ACAEDFBB-6278-1CA8-FC2F-6863F1397029} - C:\WINDOWS\System32\fwkxdkxp.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [dhbdeqha] C:\WINDOWS\idklvfqq.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [frccdczk] C:\WINDOWS\System32\rjjzpzml.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0001.1004\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [basebrowserdrhold] C:\Documents and Settings\All Users\Application Data\knobfastbasebrowse\media roam.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [nameford] C:\DOCUME~1\new\APPLIC~1\ABOUTA~1\PROC SLOW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.48/ttinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC4E2F2A-EA38-44B1-B119-986484BC2613}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

[Advertisements]

Hi Cmather, welcome to GeeksToGo,
Thank you for your patience.

You're currently running Hijackthis from the temp folder and it's not a safe place to be. Please move Hijackthis.exe into its own permanent folder like C:\HJT

You have a LOP infection caused most likely by Messenger Plus 3 when installed with it’s sponsors. Please uninstall Messenger Plus 3 completely by choosing to uninstall the ad components, and if you really want it you can then reinstall it but without it’s sponsors (by saying NO to sponsors when presented with EULA)
Reboot.

Run Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hbrpfdgsg...iaJsKfJ2TNq.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hbrpfdgsg...iaJsKfJ2TNq.asp
O2 - BHO: (no name) - {ACAEDFBB-6278-1CA8-FC2F-6863F1397029} - C:\WINDOWS\System32\fwkxdkxp.dll
O4 - HKLM\..\Run: [dhbdeqha] C:\WINDOWS\idklvfqq.exe
O4 - HKLM\..\Run: [frccdczk] C:\WINDOWS\System32\rjjzpzml.exe
O4 - HKLM\..\Run: [basebrowserdrhold] C:\Documents and Settings\All Users\Application Data\knobfastbasebrowse\media roam.exe
O4 - HKCU\..\Run: [nameford] C:\DOCUME~1\new\APPLIC~1\ABOUTA~1\PROC SLOW.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe

Close all browsers and windows and click "Fix Checked" button.

You need to reconfigure Windows to show hidden files:
Doubleclick My Computer | Tools | Folder Options | View tab
Select “Show Hidden Files and Folders”
Uncheck “Hide extensions for known file types”
Uncheck “Hide protected operating system files” (Recommended)
Select Apply to All Folders | Yes | Apply | OK (Reverse this process after you've deleted the files)

Go to START > RUN > type in services.msc Hit OK
In the next window, look on the right hand side for this service
name --> MS Software Generic Host Process for Win32 Services
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type the following in bold into the Open field and hit OK
svchost.exe

Delete these folders\files using windows explorer ir present:
C:\WINDOWS\idklvfqq.exe
C:\WINDOWS\System32\rjjzpzml.exe
C:\Documents and Settings\All Users\Application Data\knobfastbasebrowse
C:\DOCUME~1\new\APPLIC~1\ABOUTA~1 <-- delete this folder that starts with letter "abouta" which "PROC SLOW.exe" is in.
C:\WINDOWS\SYSTEM\svchost.exe <-- not to be confused with the legit "svchost.exe" located in system32 folder.

Reboot your computer to normal mode and go here: to have a free online scan to remove what’s leftover of LOP. poat the log of the scan.

LOP infection often creates hidden jobs and we need to delete them if there are, so please do this:
Copy and paste the red text into Notepad.
Save this text as findjobs.bat Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the "findjobs.bat" and post the contents of the notepad in your next reply, along with a new Hijackthis log.

dir %Windir%\tasks /a h > files.txt
notepad files.txt

[Emilita]

Hi Cmather, welcome to GeeksToGo,
Thank you for your patience.

You're currently running Hijackthis from the temp folder and it's not a safe place to be. Please move Hijackthis.exe into its own permanent folder like C:\HJT

You have a LOP infection caused most likely by Messenger Plus 3 when installed with it’s sponsors. Please uninstall Messenger Plus 3 completely by choosing to uninstall the ad components, and if you really want it you can then reinstall it but without it’s sponsors (by saying NO to sponsors when presented with EULA)
Reboot.

Run Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hbrpfdgsg...iaJsKfJ2TNq.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hbrpfdgsg...iaJsKfJ2TNq.asp
O2 - BHO: (no name) - {ACAEDFBB-6278-1CA8-FC2F-6863F1397029} - C:\WINDOWS\System32\fwkxdkxp.dll
O4 - HKLM\..\Run: [dhbdeqha] C:\WINDOWS\idklvfqq.exe
O4 - HKLM\..\Run: [frccdczk] C:\WINDOWS\System32\rjjzpzml.exe
O4 - HKLM\..\Run: [basebrowserdrhold] C:\Documents and Settings\All Users\Application Data\knobfastbasebrowse\media roam.exe
O4 - HKCU\..\Run: [nameford] C:\DOCUME~1\new\APPLIC~1\ABOUTA~1\PROC SLOW.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe

Close all browsers and windows and click "Fix Checked" button.

You need to reconfigure Windows to show hidden files:
Doubleclick My Computer | Tools | Folder Options | View tab
Select “Show Hidden Files and Folders”
Uncheck “Hide extensions for known file types”
Uncheck “Hide protected operating system files” (Recommended)
Select Apply to All Folders | Yes | Apply | OK (Reverse this process after you've deleted the files)

Go to START > RUN > type in services.msc Hit OK
In the next window, look on the right hand side for this service
name --> MS Software Generic Host Process for Win32 Services
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type the following in bold into the Open field and hit OK
svchost.exe

Delete these folders\files using windows explorer ir present:
C:\WINDOWS\idklvfqq.exe
C:\WINDOWS\System32\rjjzpzml.exe
C:\Documents and Settings\All Users\Application Data\knobfastbasebrowse
C:\DOCUME~1\new\APPLIC~1\ABOUTA~1 <-- delete this folder that starts with letter "abouta" which "PROC SLOW.exe" is in.
C:\WINDOWS\SYSTEM\svchost.exe <-- not to be confused with the legit "svchost.exe" located in system32 folder.

Reboot your computer to normal mode and go here: to have a free online scan to remove what’s leftover of LOP. poat the log of the scan.

LOP infection often creates hidden jobs and we need to delete them if there are, so please do this:
Copy and paste the red text into Notepad.
Save this text as findjobs.bat Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the "findjobs.bat" and post the contents of the notepad in your next reply, along with a new Hijackthis log.

dir %Windir%\tasks /a h > files.txt
notepad files.txt