
Help! Freeing computer of adware/spyware to stop pop-ups!

Discussion in 'Virus & Other Malware Removal' started by Trtlgrl2_78, Apr 9, 2004.

Thread Status:
Not open for further replies.
  1. Trtlgrl2_78

    Trtlgrl2_78 Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    334
    I've been through this once before for my PC, and I don't know where the thread is. My hubby is having the same issues, so I was wondering if someone could walk us through the steps to rid his PC of all this stuff. I know it had something to do with Ad-aware 6 and HijackThis. A bunch of steps involved, but I would really appreciate some direction. Thanks.
     
  2. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Download & install Ad-aware from http://majorgeeks.com/download.php?det=506
    & update it before scanning.
    In settings under 'scanning,' have it set to
    'scan within archives,'
    'scan active processes,'
    'scan registry,'
    'deep scan registry,'
    'scan my IE Favourites for banned URLs,'
    'scan my hosts file.'
    Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
    Remove what it finds by placing a check in the box to the left of the object.
    Download & install Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it before scanning.
    After the scan is complete, have Spybot fix everything marked RED.
    On the page that first opens when you start Spybot there is an option to immunise; you should do this. In the immunise section there is also a link to download SpywareBlaster. Download that & you can keep it updated by selecting the same link that you use to download it.

    Download HijackThis from http://209.133.47.200/~merijn/files/HijackThis.exe & unzip it into its own, permanent folder, not a temporary one. Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file & paste it into the body of your post. DO NOT FIX ANYTHING YET.
     
  3. graydevil

    graydevil

    Joined:
    Feb 25, 2004
    Messages:
    38
    This is Trtlgrl's hubby, and this is my HijackThis log file:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:07 PM, on 4/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\robert\Application Data\trnu.exe
    C:\WINDOWS\System32\wnsintsv.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
    C:\WINDOWS\webshots.scr
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\Documents and Settings\robert\Local Settings\Temporary Internet Files\Content.IE5\IVYDQP8P\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webshots.com/homepage.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1CF44FAE-F44C-CCBE-50E8-29FFA084EF13} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: ping copy flag - {AF604C6B-370E-B55F-394A-AD714D6B6A17} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [FIRST CLOSE] C:\PROGRA~1\DASHSI~1\Option1.exe
    O4 - HKLM\..\Run: [4WZ87TL3N6SQNR] C:\WINDOWS\System32\Nalqrg9.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NRluKU8gd] C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Ssee] C:\Documents and Settings\robert\Application Data\trnu.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38032.506875
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
     
  4. Trtlgrl2_78

    Trtlgrl2_78 Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    334
    How often should you run Hijack this and post log file?
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download CWShredder:
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    Unzip, run and hit the ->fix tab to fix all found problems

    CWShredder takes advantage of security holes in Windows, so you should install all critical updates as well as the hotfixes available from Windows Update.


    Then repost a fresh HijackThis log.

    Download 'Hijack This!'. http://www.tomcoyote.org/hjt/ and save it to a folder on your desktop.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I see you are running Hijack This from a temp folder now. This is a bad idea because it cannot create and restore backups from there. Before you download the new version create a new folder in My Documents and name it Hijack This. Now click on the link I posted above and when the box pops up asking you to Open or Save choose Save and save it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.

    Go to Add/Remove programs and uninstall VirtualBouncer

    Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

    O2 - BHO: (no name) - {1CF44FAE-F44C-CCBE-50E8-29FFA084EF13} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)

    O4 - HKLM\..\Run: [FIRST CLOSE] C:\PROGRA~1\DASHSI~1\Option1.exe

    O4 - HKLM\..\Run: [4WZ87TL3N6SQNR] C:\WINDOWS\System32\Nalqrg9.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    O4 - HKLM\..\Run: [NRluKU8gd] C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe

    O4 - HKCU\..\Run: [Ssee] C:\Documents and Settings\robert\Application Data\trnu.exe

    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

    O16 - DPF: Win32 Classes -


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\Program Files\AutoUpdate folder
    The C:\Program Files\DASHSI~1 folder (See *Note below)
    The C:\Program Files\LITEDR~1 folder (See *Note below)
    The C:\Program Files\VBouncer folder
    The C:\Program Files\Common Files\Dpi folder
    The C:\WINDOWS\System32\Nalqrg9.exe file
    The C:\WINDOWS\system32\pcs folder
    The C:\WINDOWS\System32\wnsintsv.exe file
    The C:\Documents and Settings\robert\Application Data\trnu.exe file

    Also Navigate to the C:\documents and settings\robert\local settings\temp folder. Open the temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the folder.

    *Note: I have no way of knowing the exact names of these folders, but the first six letters in each one will be DASHSI and LITEDR.
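The log posted earlier in this thread and the list of entries Flrman1 picks out of it above follow a pattern a practitioner will recognise: Run-key values with random-looking names, executables launched from a temp folder or from the root of Application Data, BHO/URLSearchHook entries whose file is missing, and search-bar settings or DPF downloads pointing at an unfamiliar host. The script below is an added example, not part of this thread and not something any of the tools discussed (Ad-aware, Spybot, HijackThis, CWShredder) ship; it parses HijackThis-style lines and attaches those heuristic flags so the dangerous entries stand out. The sample input is copied from the log posted above (with two benign lines kept as controls), the `KNOWN_HOSTS` allowlist and the "random name" rule are assumptions for the sake of the example, and flags are a prompt for a human to look, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: nine lines copied from the HijackThis log posted
# earlier in this thread (the Adobe and AVG lines are benign controls).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CF44FAE-F44C-CCBE-50E8-29FFA084EF13} - C:\PROGRA~1\LITEDR~1\SOAPDRIVE.dll (file missing)
O4 - HKLM\..\Run: [4WZ87TL3N6SQNR] C:\WINDOWS\System32\Nalqrg9.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NRluKU8gd] C:\documents and settings\robert\local settings\temp\NRluKU8gd.exe
O4 - HKCU\..\Run: [Ssee] C:\Documents and Settings\robert\Application Data\trnu.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# Assumption: hosts that a search-bar setting or a DPF download may legitimately
# point at. Anything else is flagged for a human to check, never auto-fixed.
KNOWN_HOSTS = {
    "g.msn.com", "v4.windowsupdate.microsoft.com",
    "www.microsoft.com", "download.macromedia.com",
}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)")


@dataclass
class Entry:
    kind: str                    # HJT section tag: R1, O2, O4, O16, ...
    body: str                    # everything after "Rn - " / "On - "
    name: Optional[str] = None   # value name of an O4 Run-key entry
    target: str = ""             # file path or URL the entry points at
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into section tag, Run-key name and target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                          # process list, headers, blanks
    e = Entry(kind=m.group("kind"), body=m.group("body"))
    if e.kind == "O4" and (rm := RUN_RE.search(e.body)):
        e.name, e.target = rm.group("name"), rm.group("target")
    elif " = " in e.body:                    # R0/R1 "key = value" lines
        e.target = e.body.split(" = ", 1)[1]
    else:                                    # O2/O3/O16/R3: last " - " field
        e.target = e.body.rsplit(" - ", 1)[-1]
    return e


def triage(e: Entry) -> Entry:
    """Attach heuristic flags; these are starting points, not verdicts."""
    t = e.target.lower()
    if "(no file)" in t or "(file missing)" in t:
        e.flags.append("dangling reference (target absent)")
    if "\\local settings\\temp\\" in t or "\\temporary internet files\\" in t:
        e.flags.append("runs from a temp folder")
    if re.search(r"\\application data\\[^\\]+\.exe", t):
        e.flags.append("executable dropped in Application Data root")
    # Heuristic (assumption): letters+digits with no separator looks generated.
    if e.name and re.search(r"\d", e.name) and re.search(r"[a-z]", e.name, re.I) \
            and not re.search(r"[_ .-]", e.name):
        e.flags.append("random-looking Run-key name")
    if t.startswith(("http://", "https://")):
        host = urlparse(e.target).hostname or ""
        if host not in KNOWN_HOSTS:
            e.flags.append(f"points at unrecognised host {host}")
    return e


def triage_log(text: str) -> List[Entry]:
    """Parse and flag every recognised entry line in a pasted HJT log."""
    return [triage(e) for line in text.splitlines() if (e := parse_line(line))]


def suspicious(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(("!! " if e.flags else "ok ") + e.kind + " " + e.target[:70])
        for f in e.flags:
            print("      - " + f)
```

Run against the sample, the two control lines (the Adobe BHO and the AVG Run entry) come out clean and the other seven are flagged, which matches the set Flrman1 told the poster to fix. Note what the script deliberately does not do: it never deletes anything, because a dangling `(file missing)` BHO is safe to remove while a Run entry that merely looks odd still needs a human to look at the file first.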
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Prosearching isn't a CWS hijack. CWShredder won't remove it.
     
  8. Trtlgrl2_78

    Trtlgrl2_78 Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    334
    So do not download the CWShredder?
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Right!
     
  10. Trtlgrl2_78

    Trtlgrl2_78 Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    334
    Okay, we are working on getting HijackThis in its own folder and running it again; be back soon.
     
  11. Trtlgrl2_78

    Trtlgrl2_78 Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    334
    Since I have you here, any idea why my computer will not run Disk Cleanup? I try to run it, it gets to three little bars on the progress bar, and doesn't go any further.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
Short URL to this thread: https://techguy.org/218900