WinFixer-Trafficexplorer etc pop-ups.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Steerpike, Aug 31, 2005.

  1. Steerpike

    Steerpike Private E-2

    Hi,

    Apologies if this is in the wrong forum, but I'm new to this site. :D

    I have a problem at the moment with (I think) some Malware/Spyware which I'm hoping someone might help me with. I have run through the document on this site (http://forums.majorgeeks.com/showthread.php?t=35407) related to removing all normal stuff with Adaware and the other utilities, without success.

    I've got as far as maybe needing to run HJT, but haven't yet until someone says it's a good idea (never used it before).

    The problem itself is that fairly frequently, I get pop-ups of full IE windows to links such as winfixer.com, trafficexplorer.com, winantispyware.com etc. In addition, you get small applet windows that pop-up with messages along the lines of "you've got registry errors" etc, which (I expect) invoke IE windows back to the same sites.

    Can anybody offer some advice please before I have to nuke the OS? :(
     
  2. Steerpike

    Steerpike Private E-2

    Just thought I would add a screenshot of the typical window that comes after shutting the IE windows that pop-up (in case anybody recognises it).

    Thanks.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below exactly as written:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. Steerpike

    Steerpike Private E-2

    Hi,

    Thanks for helping. I've attached the log.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below Proxy settings required for your network:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.12.52:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.1.201; 172.16.*.*;<local>

    You have a Virtumundo problem (Vundo.B). We are seeing a bunch of these again lately.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    CWShredder Service

    Now exit HJT and do not reboot if it asks you to do so. We will be restarting HJT in a few lines.


    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of tusqn.dll once and then click the kill button. After you have killed all of the tusqn.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of tusqn.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\tusqn.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O20 - Winlogon Notify: tusqn - C:\WINDOWS\system32\tusqn.dll
    O20 - Winlogon Notify: tuvww - C:\WINDOWS\system32\tuvww.dll (file missing)


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

    C:\WINDOWS\system32\nqsut.ini
    C:\WINDOWS\system32\nqsut.ini2
    C:\WINDOWS\system32\nqsut.bak
    C:\WINDOWS\system32\nqsut.bak2
    C:\WINDOWS\system32\nqsut.tmp
    C:\WINDOWS\system32\tusqn.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
    Last edited: Sep 1, 2005
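    An added Python example (not from this thread, and not HijackThis's or Killbox's own code) that parses HJT log lines like the ones quoted above and applies the two checks the instructions above rely on: a Winlogon Notify DLL that is also registered as a BHO, and the reversed-name companion files (tusqn.dll alongside nqsut.ini, .bak, .tmp) that Killbox was pointed at. The sample lines and the crypt32chain entry used for contrast are constructed.

    ```python
    import ntpath
    import re

    # Constructed sample modelled on the HJT lines quoted in this thread; the
    # crypt32chain entry is a normal Windows one, added here for contrast.
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.12.52:8080
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\tusqn.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: tusqn - C:\WINDOWS\system32\tusqn.dll
    O20 - Winlogon Notify: tuvww - C:\WINDOWS\system32\tuvww.dll (file missing)
    O20 - Winlogon Notify: crypt32chain - crypt32.dll
    """

    LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
    NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
    BHO_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$")

    def parse_hjt(text):
        """Split an HJT log into (kind, body) tuples, skipping non-entry lines."""
        out = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                out.append((m["kind"], m["body"]))
        return out

    def vundo_companions(dll_path):
        """Sidecar files named after the DLL's base name reversed (tusqn -> nqsut), as in this thread."""
        folder, name = ntpath.split(dll_path)
        stem = ntpath.splitext(name)[0][::-1]
        return [ntpath.join(folder, stem + ext) for ext in (".ini", ".ini2", ".bak", ".bak2", ".tmp")]

    def triage(text):
        """Flag Winlogon Notify DLLs that double as a BHO, 'missing' ones to recheck, and proxy lines."""
        entries = parse_hjt(text)
        bho_paths = {BHO_RE.match(b)["path"].lower() for k, b in entries if k == "O2" and BHO_RE.match(b)}
        findings = {"winlogon_bho_overlap": [], "winlogon_missing": [], "proxy": []}
        for kind, body in entries:
            if kind == "R1" and "Proxy" in body:
                findings["proxy"].append(body)  # confirm these are wanted, as asked above
            elif kind == "O20" and (m := NOTIFY_RE.match(body)):
                if m["missing"]:
                    findings["winlogon_missing"].append(m["path"])  # may be hidden rather than gone
                elif m["path"].lower() in bho_paths:
                    findings["winlogon_bho_overlap"].append((m["path"], vundo_companions(m["path"])))
        return findings

    if __name__ == "__main__":
        for key, items in triage(SAMPLE_LOG).items():
            print(key, items)
    ```
    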
  6. Steerpike

    Steerpike Private E-2

    Hi,

    Thanks for the efforts so far, much appreciated. I followed the below and attached the new HJT log. What we've done doesn't seem to have cleared the problem, as I just got a couple of the pop up windows again. I have a feeling as soon as it rebooted that it reinstalled at least some of the files we deleted (lots of network activity) somehow. I can now also still see the tusqn.dll file in the system32 directory.

    The proxy settings are for a customer's network I used recently. I am a data network engineer, but don't know enough about spyware to battle this stuff (to my shame). :(

    I don't know if it will help but I could run through that procedure again and then reboot with all the network cards disabled, run up a network analyser and capture what it's doing when I enable one of the cards. Having said that, I don't know if it reinstalls the files from somewhere local or remote.

    In addition, as a side personal query, how come we seem to have done some things in that procedure that remove some of the CWShredder app, when that was one of the things I tried to use in the basic guide to kill stuff? Just curious really.
     

  7. Steerpike

    Steerpike Private E-2

    Oh, I should add that I'm going on holiday in a few hours for a week, so I won't be able to try the next step if there is one until then. If you have an idea what to try next please post it, and I'll do it as soon as I'm home! Thanks again.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, run thru the procedure again. Take care to run exactly as written. It is crucial to locate the items using process explorer. It would not hurt to do it with the network disconnected. This same procedure has fixed a bunch of these so it should work unless more items are hidden. Make sure you tell me of anything you cannot find or if a step gets any error messages. If you want to use a Network Analyzer to capture and analyze what is going on, be my guest. More information can always be useful.

    CWShredder itself is valid but it should not and does not need to be running as a service. I'm not sure how you got that line for it. But I have installed (there really is no install) CWShredder and dozens of my own (and work PCs) and never has it shown as a service. I would like to know how that happened because it should not.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You know you had another DLL file listed that said it was missing. Maybe it is not!!! When doing the procedure with Process Explorer to kill the DLL also repeat the process for winlogon.exe and explorer.exe with tuvww.dll

    Hope you understand what I mean.

    Have a nice holiday!
     
  10. Steerpike

    Steerpike Private E-2

    Hi,

    Ok, running thru the procedure again seems to have worked. I guess I must have missed something the first time round. Thanks for all the help. One last question (to save me searching all the other threads!), would you have any suggestions for one good piece of active anti-spyware? Something not very resource hungry?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to post another HJT log so we can be sure everything is gone.

    To some extent, the amount of resources being used by these antispyware applications is critical in how good a job it can do. There is as of yet no single tool that really does even close to a perfect job. If there was, this forum would not exist. We recommend multiple items. All covered in the below (which you need to work thru anyway now that you are clean):

    How to Protect yourself from malware!

    If you are thinking that SpySweeper is slowing you down too much. You could try MS Antispyware or Ewido Security Suite. But you should also make sure you use SpywareBlaster (set it and forget it except to do updates). It uses no resources. And also use Spybot S&D but only the SDhelper application (do not use Teatimer) and also make sure you use Immunize. Set this way Spybot uses very little system resources and you also have the secondary scanning features it provides.
     
  12. Steerpike

    Steerpike Private E-2

    Hi,

    Thanks again for all the help. I've attached another HJT log. Hopefully it's all clear.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All clear but if you are no longer on that customer's network, you should not need these proxy server lines and should remove them.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.12.52:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.1.201; 172.16.*.*;<local>
     
  14. Steerpike

    Steerpike Private E-2

    Excellent. Just like to say thanks one more time. Good forums with guys who know their stuff...

    I'll leave those proxy settings in for the moment as I might be going back to that customer over the next few weeks. If so, I'll then just re-check the use a proxy server option rather than having to wait for them to remind me what the settings were.

    Adios.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    But note, HJT does have a Backup and Restore feature (part of the reason we insist on it being installed properly). You can actually restore things like this easily from HJT's Backups too. Just an FYI.
     