Removing freeadsolutions spyware

Greetings, pmaurey !

You should not have posted the HijackThis log here.  Instead, run an an analysis at http://hijackthis.de  then save the result and post a link to the result here.  Here is a link to the analyzed log

http://hijackthis.de/logfiles/57f62514ce66ca6f5888d5dde90af5e9.html

Check the box next to the following items and have HijackThis "Fix Checked".

R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)            
O2 - BHO: (no name) - {915D9B36-F039-4DC1-97C5-B21AFD832919} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)          
O2 - BHO: (no name) - {A62E6DAB-820F-4183-9A68-EF29DC8624A7} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe            
O4 - HKLM\..\Run: [sys11-2070825826] C:\WINDOWS\sys11-2070825826.exe          
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll

If you did not install the following items, have HJT remove them.

O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab


Best wishes!

Hi,
You can upload hijackthis log to any sites you prefer or the best place is at EE-stuff.com

Go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
-----------------------------------------------------------------------------------------------------------

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\sys0370825826-20.exe  
C:\WINDOWS\sys11-2070825826.exe  
C:\WINDOWS\system32\dslbdt.exe
C:\WINDOWS\system32\VSL13.exe
C:\WINDOWS\system32\svchost.dll
C:\WINDOWS\system32\taskmgr.dll
C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe

----------------------------------------------------------------------------------------------------------
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Run Hijackthis again and put a check next to these entries and click "Fix Checked":
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {915D9B36-F039-4DC1-97C5-B21AFD832919} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
 O2 - BHO: (no name) - {A62E6DAB-820F-4183-9A68-EF29DC8624A7} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe  
O4 - HKLM\..\Run: [sys11-2070825826] C:\WINDOWS\sys11-2070825826.exe  
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe  
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll

5. Please copy/paste the content of c:\avenger.txt into your reply.


Please also run these 2 tools to make sure that no files belonging to these infections are left in your pc.
1. Please download Qoofix by RubbeR DuckY
http://www.malwarebytes.org/Qoofix.zi
Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.
Post the contents of the Qoofix logfile.


2. In add/remove programs look for any program belonging to OIN.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.

Post a fresh link to your Hikackthis log to make sure it's clean.


After that, you can also run your updated antivirus, or download and run download ewido anti-spyware
http://www.ewido.net/en/download/
Update first and run a scan in safe mode.

>>>Here is my hijack this profile:  (I ran this in safe mode)<<<
Hijackthis scan MUST be run in normal mode if possible so most nasties are showing in the log.
After you've done Avenger, can you please post a link to a new hijackthis log that is a result of a normal mode scan?

I am increasing the point value.  I have followed all of the directions above and am still getting popups.  I could not get logged into www.ee-stuff.com so I am posting the log here again.  This was ran in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:06 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\DIRECWAY\BIN\dpcnav.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {34F8A3F6-C9E7-41FA-8B65-25FE7DCA0680} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {4F2D01F4-87AC-45D6-B054-17ADB57DADEC} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {558B7AF3-5758-428C-8FEF-5B92FD1389FE} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {8D815C58-8377-4207-9C3D-464C846E6512} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {9D79B131-E2E9-43B0-BCFE-0334BB995A98} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {F75631F9-DCDF-4B00-83D4-E1BA38EDB007} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Navigator.lnk = C:\Program Files\DIRECWAY\BIN\dpcnav.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://*.update.windowsupdate.com
O15 - Trusted Zone: http://update.windowsupdate.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysavsht.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

So, you already ran Qoofix, and OIN Uninstaller right?
Can you please qoofix txt and Avenger txt?

Need to fix these:
R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)  
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)  
O2 - BHO: (no name) - {34F8A3F6-C9E7-41FA-8B65-25FE7DCA0680} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {4F2D01F4-87AC-45D6-B054-17ADB57DADEC} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {558B7AF3-5758-428C-8FEF-5B92FD1389FE} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {8D815C58-8377-4207-9C3D-464C846E6512} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {9D79B131-E2E9-43B0-BCFE-0334BB995A98} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {F75631F9-DCDF-4B00-83D4-E1BA38EDB007} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysavsht.cab


C:\Program Files\ComPlus Applications <-- delete this folder.


Please run Silent Runners we'll see what comes up in the log. If you can't upload the logs at EE-stuff.com or somewhere else don't worry, I'll delete all the logs here after your problem is solved.

Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Here is the silentrunner link:
http://www.rafb.net/paste/results/HB48oJ34.html

Qoofix logifle:
Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/24/2006] at [6:20:49 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/24/2006] at [6:22:13 PM]

Note: Some registry keys may have been removed.


Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/24/2006] at [7:54:10 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/24/2006] at [7:55:34 PM]

Note: Some registry keys may have been removed.


Avenger.txt File:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lqpbborw

*******************

Script file located at: \??\C:\Documents and Settings\fplceloq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\sys0370825826-20.exe not found!
Deletion of file C:\WINDOWS\sys0370825826-20.exe failed!

Could not process line:
C:\WINDOWS\sys0370825826-20.exe
Status: 0xc0000034



File C:\WINDOWS\sys11-2070825826.exe not found!
Deletion of file C:\WINDOWS\sys11-2070825826.exe failed!

Could not process line:
C:\WINDOWS\sys11-2070825826.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dslbdt.exe not found!
Deletion of file C:\WINDOWS\system32\dslbdt.exe failed!

Could not process line:
C:\WINDOWS\system32\dslbdt.exe
Status: 0xc0000034

File C:\WINDOWS\system32\VSL13.exe deleted successfully.


File C:\WINDOWS\system32\svchost.dll not found!
Deletion of file C:\WINDOWS\system32\svchost.dll failed!

Could not process line:
C:\WINDOWS\system32\svchost.dll
Status: 0xc0000034



File C:\WINDOWS\system32\taskmgr.dll not found!
Deletion of file C:\WINDOWS\system32\taskmgr.dll failed!

Could not process line:
C:\WINDOWS\system32\taskmgr.dll
Status: 0xc0000034



File C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe not found!
Deletion of file C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe failed!

Could not process line:
C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished!  Terminate.

I have also removed the entries listed with Hijackthis.

Thanks for your help.

pmaurey,

1. If you have Windows Messenger Service, disable it.  The Messenger is the source of popups and virus.

http://www.itc.virginia.edu/desktop/docs/messagepopup/