Trying to get rid of ps1.exe and potentially boodhound.W32.EP

I doubt you tried everything on this website. In fact I would bet you did not run the below two tools:

Please follow the steps below:

- download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

- Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later in safe mode.

- Now reboot into safe mode and run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disapear)

- When abiremover finishes just reboot into normal and continue with the below steps.


Also download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You must use only one antivirus application. Pick the one you prefer and uninstall the others.

You have a load of problems and you need some Windows Updates too.

This is going to require a few steps and a couple other tools to locate some hidden files. I'll post some starting fixes in this message and in my next message I'll give you some other tools to run and post logs from.

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINNT\System32\thesnap.exe
C:\WINNT\System32\soranui2.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.maxifiles.com/toolbar/sidebar.php?tid=%toolbar_id&aid=%AffiliateID
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: SDWin32 Class - {BA0D16D9-150B-4CEE-B810-9205EA40090E} - C:\WINNT\System32\vsdpc.dll
O4 - HKLM\..\Run: [PS1] C:\WINNT\System32\ps1.exe
O4 - HKLM\..\Run: [xujpigl] c:\winnt\system32\xujpigl.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\urpvml.exe reg_run
O4 - HKLM\..\Run: [o8EX37e] thesnap.exe
O4 - HKCU\..\Run: [Zzx7RXKmV] soranui2.exe
O4 - Global Startup: rdin.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINNT\System32\thesnap.exe
C:\WINNT\System32\soranui2.exe
C:\WINNT\cfgmgr52.dll
C:\WINNT\System32\vsdpc.dll
C:\WINNT\System32\ps1.exe
c:\winnt\system32\xujpigl.exe
C:\WINNT\VCMnet11.exe
C:\WINNT\System32\urpvml.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdin.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Sometimes HJT is able to delete problem files and sometimes not. When it does delete them you will not find them to delete yourself. The steps are still provided to be sure that the files are deleted (sort of a backup step since we cannot be sure what HJT will delete).

No, you do not have about:blank problems. And now your home page is set to Majorgeeks.


I mentioned before that additional problems would require a couple other scans so we can locate some hidden files.

The HijackThis line with KavSvc is an indicator of Ad-behavior problems.

Please follow the steps below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, doubleClick Find-Qoologic.bat to run the tool. It should produce a log. Please attach this log to your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and doubleClick rkfiles.bat to run the tool. Allow it sufficient time to run and when it finishes, it will create a log file named C:\Log.txt Please attach that log.

After doing these scans and posting the logs, it is critical that you do not power down or reboot your system. Otherwise files could change names making the fix that will follow ineffective. For security, you can always unplug your cable to the internet.

 

Okay! Just post the logs when you complete the steps and remember to not power down or reboot after posting.

 

Yes you needed to boot into safe mode for RKfiles and then reboot to normal to post logs. After that, no reboots. Sounds like you did it correctly.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to hripyap Now right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

hripyap

After doing that exit HijackThis. We will be restarting HJT in a couple of lines though.

Now please download the following tool: Pocket KillBox

Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (These probably will not show since they did not in your last HJT log).
C:\WINNT\System32\urpvml.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdin.exe
C:\WINNT\system32\hripyap.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: SDWin32 Class - {BA0D16D9-150B-4CEE-B810-9205EA40090E} - C:\WINNT\System32\vsdpc.dll (file missing)
O2 - BHO: (no name) - {} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\urpvml.exe reg_run
O4 - Global Startup: rdin.exe
O23 - Service: hripyap - Unknown owner - C:\WINNT\system32\hripyap.exe

After clicking Fix, exit HJT.

Now run Pocket Killbox.

Now, Copy and Paste C:\WINNT\SYSTEM32\mc-58-12-0000079.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\System32\WQKPB.DAT into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\System32\urpvml.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\system32\hripyap.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdin.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

If you get an error message about Pending Operations, just reboot your PC yourself.

Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.

 

That error is related to your screen blanker item that was selected. I doubt there is any relationship. Try a different screen blanker to see if it does the same thing.

You one item in your HJT log that seems to be refusing to go away. Are you sure your have NO BROWSERs running when you use HijackThis to fix items?

Also you have a few new problems that sprung up.

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:

regsvr32 /u C:\WINNT\System32\vsdpc.dll

then click OK. If a dialog box confirming this action appears, click OK. If you get an error message, just OK it and continue.

Run HijackThis do a scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: SDWin32 Class - {BA0D16D9-150B-4CEE-B810-9205EA40090E} - C:\WINNT\System32\vsdpc.dll (file missing)
O4 - HKLM\..\Run: [vsdpcc] C:\WINNT\System32\vsdpcc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINNT\System32\guarnset.exe

After clicking Fix, exit HJT.

Now run Pocket Killbox.

Now, Copy and Paste C:\WINNT\System32\vsdpc.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\System32\vsdpcc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\System32\guarnset.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

If you get an error message about Pending Operations, just reboot your PC yourself.

Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.

 

Okay! Now you are clean. It is time to complete the steps in the below thread. The first step in that thread is to get your Windows Update.

How to Protect yourself from malware!

 

You're welcome! Complete those other steps ASAP.