Hi and Welcome to TSF
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.
Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.
Go to Start->Run and type Services.msc then hit Ok
Scroll down and find the service called: RA Server (Slave)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = p1.tibsystems.com:80
O17 - HKLM\System\CCS\Services\Tcpip\..\{609A5C0B-F840-4E1E-8CEE-1B01E08AA857}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{609A5C0B-F840-4E1E-8CEE-1B01E08AA857}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: RA Server (Slave) - Unknown owner - C:\WINDOWS\Slave.exe (file missing)
C:\WINDOWS\Slave.exe <--delete that file
Now click start...run...type in CMD
Now type sc delete slave and hit enter.
Close/Exit the box
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Once back to normal windows....
Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with another hijackthis log.
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
- Ad-Aware® SE Personal Edition
*Note* For Ad-AwareSE also install the VX2 Addon Cleaner To run this tool once Adaware is updated click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK" , then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
- Spybot Search & Destroy
- CWShredder
Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.
Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.
Go to Start->Run and type Services.msc then hit Ok
Scroll down and find the service called: RA Server (Slave)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = p1.tibsystems.com:80
O17 - HKLM\System\CCS\Services\Tcpip\..\{609A5C0B-F840-4E1E-8CEE-1B01E08AA857}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{609A5C0B-F840-4E1E-8CEE-1B01E08AA857}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: RA Server (Slave) - Unknown owner - C:\WINDOWS\Slave.exe (file missing)
C:\WINDOWS\Slave.exe <--delete that file
Now click start...run...type in CMD
Now type sc delete slave and hit enter.
Close/Exit the box
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option) - Cleanup! All Users
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Once back to normal windows....
Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with another hijackthis log.
