Please Help!! Adware Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by docsurf, Oct 29, 2004.

  1. docsurf

    docsurf Private E-2

    I have several adware problems and am not sure how to get rid of them. I know ezula is on my computer, and netspry keeps changing my browser page, which is a real hindrance. Also, random things come up on my favorites, even after I delete them. I ran Hijack This, but don't know what to remove. If someone can please help me fix my computer before I throw it out the window, I would greatly appreciate it. Thanks so much!
     
  2. chucknlisa@suscom.net

    chucknlisa@suscom.net Private E-2

    I would recommend downloading Spy Sweeper from the Geeks site. I have it installed on my home PC and use it at work too. I've had good luck with ridding all the latest adware/spyboys.
     
  3. docsurf

    docsurf Private E-2

    I can't. Netspry keeps intercepting. I can hardly follow any links without going to that. I ran some spyware software, and it isn't finding netspry. I really, really need help resolving this--I can hardly do anything on the internet because of this. Please help me!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hit CTRL-ALT-DEL to bring up Task Manager. Then click Processes. Look to see if there is a netspry.exe running. If so, end it.

    Then please try following all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the previous instructions do not help, try this:
    Kill this running process with Task Manager:
    netspry.exe

    Remove these registry items (if present) with RegEdit:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\minigolf\displayname
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\minigolf\uninstallstring
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\williamhung\displayname
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\williamhung\uninstallstring
    HKEY_LOCAL_MACHINE\software\minigolf\install_dir

    Remove these files (if present) with Windows Explorer:
    c:\documents and settings\administrator\desktop\crispy.lnk
    c:\documents and settings\administrator\desktop\janet.lnk
    c:\documents and settings\administrator\desktop\whereismychange.lnk
    c:\windows\prefetch\crispy.exe-266d75b2.pf
    c:\windows\prefetch\golfregister.exe-3ad80f63.pf
    c:\windows\prefetch\janet.exe-3a8f1879.pf
    c:\windows\prefetch\janet[1].exe-12c7caeb.pf
    c:\windows\prefetch\updatestats.exe-31afb730.pf
    c:\windows\prefetch\whereismychange.exe-1a6f8e41.pf
    c:\windows\prefetch\wmplayer.exe-18ddef9c.pf
    janet.wmv <--- search for it
    netspry.exe <--- search for it
    netspry.txt <--- search for it
     
  6. docsurf

    docsurf Private E-2

    I did everything in the link posted by chaslang. Most of the files posted I did not find--only wmplayer. I still have spyware on my computer, but cannot find it to get rid of it. I ran Spybot, and this is what I got:
    Twain Tech, Booked Space, DSO Exploit, DyFuCa.InternetOptimizer, DyFuCa, PowerScan, PurityScan.
    I am about to run my antivirus again, see if it finds anything new. If there are other things I can try, or if you need more information, please let me know. I would really like to get all the spyware off my computer. Thanks so much!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please install this update for Spybot: Spybot - Search and Destroy DSO Exploit Fix

    Make sure you have run everything in < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus

    Then make sure you have HijackThis version 1.98.2 and you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or from a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  8. docsurf

    docsurf Private E-2

    Okay. I did all that, and am attaching my hijackthis log. I have also noticed that a Xerox folder has appeared under program files, and a crash.txt file. I hadn't seen these before and don't know what they are. Anyhow, please let me know what to do with this log and computer. Thank you!
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not run all of the steps in the READ ME FIRST. I do not see evidence of the online scans being run. Why did you skip these and did you skip anything else?

    And you have no idea what the Xerox stuff is for?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall SpyHunter; it is on a list of rogue/suspect spyware removers. The free version is not useful anyway since it cannot remove anything and it shows lots of false positives.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    capesnpn.exe
    bidispl3.exe
    hclo.exe
    l?gonui.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    O2 - BHO: (no name) - {6DAF612E-B046-76CF-8256-66550AF62F1C} - C:\WINDOWS\System32\ingi.dll
    O4 - HKLM\..\Run: [dd288fc3d452] C:\WINDOWS\System32\capesnpn.exe
    O4 - HKLM\..\Run: [a3a8cc88339e] C:\WINDOWS\System32\bidispl3.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe <--- if still here after uninstall
    O4 - HKCU\..\Run: [Sswo] C:\Documents and Settings\Clay\Application Data\hclo.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=30d91cc1bdb16834245062ef23b052b1598d18295386660c76c35098ec24b33133827de778e9019183a390af5f36ce16d55432c9:4afe3b21b3c7669f1101679687fb4dc5


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\capesnpn.exe
    C:\WINDOWS\System32\bidispl3.exe
    C:\Documents and Settings\Clay\Application Data\hclo.exe
    C:\WINDOWS\system32\l?gonui.exe
    C:\WINDOWS\System32\ingi.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
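
The cleanup in the post above has three lists that have to agree: processes to end, HijackThis lines to fix, and files to delete. The following is an added example, not part of the original post or of HijackThis itself, that parses the quoted R1/O2/O4 lines and cross-checks them against the other two lists; the function names and the three report keys are hypothetical.

```python
import ntpath
import re

# Constructed sample: the R1/O2/O4 lines quoted for fixing in the post above.
FIX_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O2 - BHO: (no name) - {6DAF612E-B046-76CF-8256-66550AF62F1C} - C:\WINDOWS\System32\ingi.dll
O4 - HKLM\..\Run: [dd288fc3d452] C:\WINDOWS\System32\capesnpn.exe
O4 - HKLM\..\Run: [a3a8cc88339e] C:\WINDOWS\System32\bidispl3.exe
O4 - HKCU\..\Run: [Sswo] C:\Documents and Settings\Clay\Application Data\hclo.exe
"""
# Process names and file paths copied from the same post.
KILL_LIST = ["capesnpn.exe", "bidispl3.exe", "hclo.exe", "l?gonui.exe"]
DELETE_LIST = [r"C:\WINDOWS\System32\capesnpn.exe",
               r"C:\WINDOWS\System32\bidispl3.exe",
               r"C:\Documents and Settings\Clay\Application Data\hclo.exe",
               r"C:\WINDOWS\system32\l?gonui.exe",
               r"C:\WINDOWS\System32\ingi.dll"]

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")  # drive-letter path running to end of line
NAME_RE = re.compile(r"\[(.+?)\]")       # Run value name, e.g. [Sswo]

def parse_hjt(text):
    """Split each HijackThis line into section code, value name and file path."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a HijackThis entry
        path = PATH_RE.search(m["body"])
        name = NAME_RE.search(m["body"])
        entries.append({"code": m["code"],
                        "value_name": name.group(1) if name else None,
                        "path": path.group(0) if path else None})
    return entries

def coverage(entries, kill_list, delete_list):
    """Compare files named in fixed lines with the kill and delete lists."""
    flagged = {ntpath.basename(e["path"]).lower() for e in entries if e["path"]}
    deleted = {ntpath.basename(p).lower() for p in delete_list}
    killed = {k.lower() for k in kill_list}
    return {"fixed_but_not_deleted": sorted(flagged - deleted),
            "deleted_without_fix_line": sorted(deleted - flagged),
            "exe_deleted_but_not_killed": sorted(
                f for f in flagged & deleted
                if f.endswith(".exe") and f not in killed)}

if __name__ == "__main__":
    report = coverage(parse_hjt(FIX_LINES), KILL_LIST, DELETE_LIST)
    for key, names in report.items():
        print(f"{key}: {names}")
```

On the lines from this thread it reports SearchBar.htm as referenced by a fixed entry but absent from the delete list, and l?gonui.exe as deleted without a matching fix line.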
     
  11. docsurf

    docsurf Private E-2

    In the task manager registry I could not find the l?gonui file. In safe mode with windows explorer, I could not find the hclo file, gonui file, and ingi file. In addition to the Xerox folder and crash.txt file being unknown to me, there are a few other files: pollog.txt, pollst.txt, and there are some files in blue font instead of the normal black that begin with $NTUninstall. I cannot simply delete them though. I am also including another copy of my hijack this log.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It looks like we got all the bad stuff cleaned up. Your HJT log is okay now.
    Any more problems with home page hijacks?

    I assume you mean you saw $NTUninstallxxxxxxx (where the xxxxxxx are things like Q322011$ and more like that) and you saw them in the C:\Windows directory. These are from updates to Windows performed via Windows Update. They are not problems.

    The other files in the Xerox folder like crash.txt, you should look at with notepad to see what is in it.

    Look at the pollog.txt & pollst.txt files too using Notepad (where were they?). They most likely are for ATI video card drivers. They enable hotkeys to quickly change your display settings.
     
  13. docsurf

    docsurf Private E-2

    Everything seems fine now. Thanks for all your help!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
