[Trtlgrl2_78]

I've been through this once before for my pc, and I don't know where the thread is. My hubby is having the same issues so I was wondering if someone could walk us throught the steps to rid his pc of all this stuff. I know it had something to do with adware 6 and hijack this. A bunch of steps involved, but would really appriciate some direction. Thanks.

 

[stillearning]

Download & instal Adaware from http://majorgeeks.com/download.php?det=506
& update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
Remove what it finds by placing a check in the box to the left of the object.
Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it B4 scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it.

Download HijackThis from http://209.133.47.200/~merijn/files/HijackThis.exe & unzip it into it's own, permanent folder, not a temporary one. Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file & paste it into the body of your post. DO NOT FIX ANYTHING YET.

 

[graydevil]

this is trtlgrl hubby and this is my hijack list log file:
Logfile of HijackThis v1.97.7
Scan saved at 11:28:07 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\robert\Application Data\trnu.exe
C:\WINDOWS\System32\wnsintsv.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\WINDOWS\webshots.scr
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SysAI\SysAI.exe
C:\Documents and Settings\robert\Local Settings\Temporary Internet Files\Content.IE5\IVYDQP8P\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webshots.com/homepage.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CF44FAE-F44C-CCBE-50E8-29FFA084EF13} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ping copy flag - {AF604C6B-370E-B55F-394A-AD714D6B6A17} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FIRST CLOSE] C:\PROGRA~1\DASHSI~1\Option1.exe
O4 - HKLM\..\Run: [4WZ87TL3N6SQNR] C:\WINDOWS\System32\Nalqrg9.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NRluKU8gd] C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Ssee] C:\Documents and Settings\robert\Application Data\trnu.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38032.506875
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

 

[Trtlgrl2_78]

How often should you run Hijack this and post log file?

 

[mobo]

Download CWShredder:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Unzip, run and hit the ->fix tab to fix all found problems

CWShredder takes advantage of seurity holes in windows so you should install all critical as well as hotfixes available from windows update.

Then repost a fresh Hijack this log .

Download 'Hijack This!'. http://www.tomcoyote.org/hjt/ and save it to a folder on your desktop.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

 

[Flrman1]

I see you are running Hijack This from a temp folder now. This is a bad idea because it cannot create and restore backups from there. Before you download the new version create a new folder in My Documents and name it Hijack This. Now click on the link I posted above and when the box pops up asking you to Open or Save choose Save and save it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.

Go to Add/Remove programs and uninstall VirtualBouncer

Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: (no name) - {1CF44FAE-F44C-CCBE-50E8-29FFA084EF13} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)

O4 - HKLM\..\Run: [FIRST CLOSE] C:\PROGRA~1\DASHSI~1\Option1.exe

O4 - HKLM\..\Run: [4WZ87TL3N6SQNR] C:\WINDOWS\System32\Nalqrg9.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [NRluKU8gd] C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe

O4 - HKCU\..\Run: [Ssee] C:\Documents and Settings\robert\Application Data\trnu.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O16 - DPF: Win32 Classes -

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\Program Files\AutoUpdate folder
The C:\Program Files\DASHSI~1 folder (See *Note below)
The C:\Program Files\LITEDR~1 folder (See *Note below)
The C:\Program Files\VBouncer folder
The C:\Program Files\Common Files\Dpi folder
The C:\WINDOWS\System32\Nalqrg9.exe file
The C:\WINDOWS\system32\pcs folder
The C:\WINDOWS\System32\wnsintsv.exe file
The C:\Documents and Settings\robert\Application Data\trnu.exe file

Also Navigate to the C:\documents and settings\robert\local settings\temp folder. Open the temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the folder.

*Note: I have now way of knowing the exact names of these folders but the first six letters in each one will be DASHSI and LITEDR

 

[Flrman1]

Prosearching isn't a CWS hijack. CWShredder won't remove it.

 

[Trtlgrl2_78]

So do not dl the cwshredder?

 

[Flrman1]

So do not dl the cwshredder?

Right! :up:

 

[Trtlgrl2_78]

Okay, we are working on getting hijack in it's own folder and running it again, be back soon.

 

[Trtlgrl2_78]

Since I have you here, any idea why my computer will not run disk cleanup?? I try to run it, it gets to three little bars on the bar, and doesn't go any further??

 

[Flrman1]

Have a look here for help with the Disk Cleanup problem:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823302