Cant get rid of DRUSEARCH :(

Discussion in 'adware, spyware & hijack cleaning' started by Spaceboy79, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. Spaceboy79

    Spaceboy79 Registered Member

    Jul 11, 2004
    Tried to destroy it with hijackthis but Drueserch keeps reappearing every time i start i-net explorer. Here is the log of hijackthis :

    Logfile of HijackThis v1.97.7
    Scan saved at 4:42:27 PM, on 11/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\RamBooster\Rambooster.exe
    C:\Program Files\Washer\washer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
    C:\Documents and Settings\All Users\Application Data\Microsoft\PTF\system\ioFTPD.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    C:\Program Files\Overnet\overnet.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\xxxxxxxxxx\Desktop\HijackThis.exe
    C:\Documents and Settings\xxxxxxxxxx\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [AStart] C:\WINDOWS\AStart
    O4 - HKLM\..\Run: [avqtsvel] C:\WINDOWS\avqtsvel.exe
    O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
    O4 - HKLM\..\Run: [R] C:\documents and settings\xxxxxxxxxx\local settings\temp\R.exe
    O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
    O4 - HKLM\..\Run: [93A9BC3E] C:\WINDOWS\System32\nvldee.exe
    O4 - HKLM\..\Run: [Microsoft Update] iteamre.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Microsoft IT Update] wumgr.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] hce.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
    O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [ist service uninstall x] C:\WINDOWS\simple1.exe /u
    O4 - HKLM\..\RunServices: [55A05BE0] C:\WINDOWS\System32\nvldee.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] iteamre.exe
    O4 - HKLM\..\RunServices: [Microsoft IT Update] wumgr.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] hce.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Microsoft Update] iteamre.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
    O4 - HKCU\..\Run: [Microsoft IT Update] wumgr.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] hce.exe
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKLM\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "xxxxxxxxxx"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O15 - Trusted Zone:
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} -
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) -
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA4B13B-2798-4EF0-82B2-D84BE9949425}: NameServer =
    O19 - User stylesheet: C:\WINDOWS\color.css (file missing)
  2. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada
    HI Spaceboy79

    First update or download CWShredder to version 1.59.1
    CWShredder (
    Use the Fix button and follow the instructions you will receive.

    Download Ad-aware from here:
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.

    Spybot S&D
    The download for Spybot S&D is available here:

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here

    Enable System Restore.

    Pls. post another log. - but pls. save your HijackThis in its OWN folder - like C:\HijackThis.
Thread Status:
Not open for further replies.