LandzDown Forum

Hi, ScottishThistle.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Please note that it is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Just as well that everything stalled.  You have a nasty rogue installed on your computer.  The instructions are complicated but since they are so nicely illustrated at Bleeping Computer, I am asking that you carefully follow the instructions there:  http://www.bleepingcomputer.com/virus-removal/remove-thinkpoint

Please post the MBAM log here as a reply.  It is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Next, Please download random's system information tool (RSIT):

• Download RSIT by random/random from here and save it to your desktop.
  Note:  If you have a 64-bit OS, please download random's system information tool (RSIT)from
• Double-click RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

I hope this is what you are needing. 

Thanks!
Kris (scottishthistle)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4938

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/24/2010 6:13:43 PM
mbam-log-2010-10-24 (18-13-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 260568
Time elapsed: 1 hour(s), 4 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 25

Memory Processes Infected:
C:\Program Files\Adparatus\Adparatus.exe (Adware.Adparatus) -> Unloaded
process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{d0b60438-57e7-44de-8f8e-6c3bf305d430}
(Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b2c7c9d-716d-4e9e-9358-b9c80a81b7ed}
(Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a4bca928-b566-49c6-aef1-50bf8673f5cf}
(Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{8b
2c7c9d-716d-4e9e-9358-b9c80a81b7ed} (Adware.Adparatus) -> Quarantined and
deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b2c7
c9d-716d-4e9e-9358-b9c80a81b7ed} (Adware.Adparatus) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adpar
atus (Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\space
query (Adware.SpaceQuery) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\Software\MarketPrecision
(Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MarketPrecision\Adparatus (Adware.Adparatus) ->
Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MarketPrecision\DuhikiToolbar (Malware.Trace) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MarketPrecision\Adparatus (Adware.Adparatus) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\Adparatus
(Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SpaceQuery (Adware.SpaceQuery) -> Quarantined
and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPACEQUERY_SERV
ICE (Adware.SpaceQuery) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpaceQuery Service
(Adware.SpaceQuery) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adparatus
(Adware.Adparatus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) ->
Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) ->
Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\SpaceQuery
(Adware.SpaceQuery) -> Quarantined and deleted successfully.
C:\Program Files\Adparatus (Adware.Adparatus) -> Quarantined and deleted
successfully.
C:\Program Files\Adparatus\FF (Adware.Adparatus) -> Quarantined and deleted
successfully.
C:\Program Files\Adparatus\FF\2594 (Adware.Adparatus) -> Quarantined and
deleted successfully.
C:\Program Files\Adparatus\FF\2594\components (Adware.Adparatus) ->
Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9} (Adware.Agent) ->
Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\chrome
(Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\defaults
(Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\defaults\preferenc
es (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\SpaceQuery (Adware.SpaceQuery) -> Quarantined and deleted
successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Adparatus
(Adware.Adparatus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Adparatus\Adparatus.exe (Adware.Adparatus) -> Quarantined
and deleted successfully.
C:\Documents and Settings\All Users\Application
Data\SpaceQuery\spacequery135.exe (Adware.SpaceQuery) -> Quarantined and
deleted successfully.
C:\Program Files\Adparatus\AdparatusResources.dll (Adware.Adparatus) ->
Quarantined and deleted successfully.
C:\Program Files\Adparatus\Uninstall.exe (Adware.Adparatus) -> Quarantined
and deleted successfully.
C:\Program Files\Adparatus\FF\2594\components\Adparatus2594.dll
(Adware.Adparatus) -> Quarantined and deleted successfully.
C:\Program Files\SpaceQuery\spacequery.exe (Adware.SpaceQuery) ->
Quarantined and deleted successfully.
C:\System Volume
Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1310\A0365865.d
ll (Adware.Adparatus) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\SPA1F.tmp\upgrade.exe (Adware.Dropper.Gen) -> Quarantined
and deleted successfully.
C:\WINDOWS\temp\SPA4.tmp\upgrade.exe (Adware.Zwangi) -> Quarantined and
deleted successfully.
C:\WINDOWS\temp\SPA5.tmp\upgrade.exe (Adware.Dropper.Gen) -> Quarantined and
deleted successfully.
C:\WINDOWS\temp\SPA7.tmp\upgrade.exe (Adware.Dropper.Gen) -> Quarantined and
deleted successfully.
C:\WINDOWS\temp\SPA9.tmp\upgrade.exe (Adware.Dropper.Gen) -> Quarantined and
deleted successfully.
C:\WINDOWS\temp\SPAE.tmp\upgrade.exe (Adware.Dropper.Gen) -> Quarantined and
deleted successfully.
C:\Program Files\Adparatus\Adparatus.ico (Adware.Adparatus) -> Quarantined
and deleted successfully.
C:\Program Files\Adparatus\Support.url (Adware.Adparatus) -> Quarantined and
deleted successfully.
C:\Program Files\Adparatus\FF\2594\chrome.manifest (Adware.Adparatus) ->
Quarantined and deleted successfully.
C:\Program Files\Adparatus\FF\2594\install.rdf (Adware.Adparatus) ->
Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\chrome.manifest
(Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\install.rdf
(Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\chrome\spacequery.
jar (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla
Firefox\extensions\{0A328249-98DF-476C-9D25-3853C961DAB9}\defaults\preferenc
es\prefs.js (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\SpaceQuery\uninstall.exe (Adware.SpaceQuery) -> Quarantined
and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start
Menu\Programs\Adparatus\About Adparatus.lnk (Adware.Adparatus) ->
Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start
Menu\Programs\Adparatus\Adparatus Support.lnk (Adware.Adparatus) ->
Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start
Menu\Programs\Adparatus\Uninstall Adparatus.lnk (Adware.Adparatus) ->
Quarantined and deleted successfully.

Ok, that will take me a while, but I'll get back with it. 

Thanks!!!
Kris

Hi, Kris.

I'm a bit confused.  When you posted the MBAM log, I was of the understanding (misunderstanding?) that you had gone through the instructions at Bleeping Computer already.

So we can see where things stand, please download random's system information tool (RSIT):

• Download RSIT by random/random from here and save it to your desktop.
  Note:  For users with 64-bit systems, please download RSIT from here
• Double-click RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

One question. . . . . I've downloaded RSIT to a flashdrive because my computer stalls after just a few minutes.  Should I run RSIT on my computer in safe mode?

Have you restarted the computer since receiving the above error message?  Yes, I have a couple of times.  And I have just restarted it.  This time I got a window saying that CHKDSK is verifying files.  Then the computer started.  I got the THINKPOINT screen up again.  So I am following those directions once again. 

Do you get your regular desktop or is hotfix.exe running? I don't think it's hotfix.exe since I'm having to follow those directions again. 

Hi, Kris.

Ok, let's use the MBAM command lines to update and scan:

Click Start, Type Run.  In the run box, enter the following (note the space before the backslash):  mbam.exe /update
Following the update, open the run box again and enter the following:  mbam.exe /update

Note:  If you ended restarting the computer, just run RKill again.