My Task Manager is locked by the admin after SpyAxe


Post by Rip » January 2nd, 2006, 10:02 am

I have got SpyAxe to stop, but it has disabled my Task Manager. Can anyone help? Thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 6:56:06 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\PA\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp5A93.tmp (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Rip
Regular Member
 
Posts: 21
Joined: December 31st, 2005, 10:13 am
Location: Lake Havasu,AZ

Post by Kimberly » January 4th, 2006, 1:37 pm

Hello Rip,

Your DNS servers have been hijacked, and you probably have WareOut installed. WinPFind will list the keys to change for the Task Manager; we will fix that.

Please download FixWareout from
http://swandog46.geekstogo.com/Fixwareout.exe

Note: Leave your internet connection running; FixWareout may prompt you to download BFU from merijn.

Save it to your Desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch.

Put a check in the box on the left side of the following items if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp5A93.tmp (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129

Close ALL windows and browsers except HijackThis and click Fix Checked

At the end of the fix, you may need to restart your computer again. A log will be created, C:\fixwareout\report.txt, I will need that file later on.

If present, delete the folder C:\Program Files\WareOut
______________________________

Reset your DNS servers
  1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
  2. Right-click the network connection that you want to configure, and then click Properties.
  3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
  4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically. (Recommended)
  5. If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.
Reboot your PC
______________________________

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________

Please post :
  1. C:\fixwareout\report.txt
  2. If you still have the log from smitrem fix I would like to see it --> c:\smitfiles.txt
  3. If you still have the Ewido log, please post it
  4. Kaspersky results
  5. C:\WinPFind\WinPFind.txt
  6. a new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
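As an added example (not code from the original thread), the two checks Kim made by eye on Rip's log can be scripted: O17 NameServer entries whose resolvers are not the ones the machine should be using, and O2 BHO entries that HijackThis marks "(file missing)". The embedded log is a constructed subset of Rip's first log. EXPECTED_RESOLVERS is an assumption standing in for the ISP's real DNS servers, which the thread does not name.

```python
"""Triage a HijackThis 1.99 log for hijacked DNS (O17) and orphaned BHOs (O2).

Added example, not part of the original post. SAMPLE_LOG is a constructed
subset of Rip's first log; EXPECTED_RESOLVERS is an assumed placeholder.
"""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the lines from Rip's first HijackThis log.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\\WINDOWS\\system32\\hp5A93.tmp (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\..\\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O23 - Service: DefWatch - Symantec Corporation - C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\DefWatch.exe
"""

# Assumption: the resolvers the machine *should* use (ISP/DHCP-assigned). The
# thread does not name them, so an RFC 5737 documentation address stands in.
EXPECTED_RESOLVERS = {"192.0.2.53"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def parse_entries(log_text):
    """Yield (section, line) for HijackThis entry lines; header and process list are skipped."""
    for line in log_text.splitlines():
        m = re.match(r"^([A-Z]\d{1,2}) - ", line)
        if m:
            yield m.group(1), line


def rogue_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Return one finding per O17 entry that carries a resolver outside `expected`.

    Every control set (CCS, CS1, CS2) is reported separately: a value that only
    survives in a non-current control set can come back via Last Known Good."""
    findings = []
    for section, line in parse_entries(log_text):
        if section != "O17":
            continue
        m = O17_RE.match(line)
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        unexpected = []
        for s in servers:
            try:
                ip_address(s)
            except ValueError:
                unexpected.append(s)  # not even an address: certainly tampered
                continue
            if s not in expected:
                unexpected.append(s)
        if unexpected:
            findings.append({"control_set": m.group("cs"),
                             "interface": m.group("guid"),
                             "unexpected": unexpected})
    return findings


def missing_bhos(log_text):
    """Return (name, clsid, path) for O2 BHO entries whose DLL HijackThis could not find."""
    out = []
    for section, line in parse_entries(log_text):
        if section != "O2":
            continue
        m = O2_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            out.append((m.group("name"), m.group("clsid"),
                        m.group("path").replace(" (file missing)", "")))
    return out


if __name__ == "__main__":
    for f in rogue_nameservers(SAMPLE_LOG):
        print(f"O17 {f['control_set']} {f['interface']}: unexpected resolvers {f['unexpected']}")
    for name, clsid, path in missing_bhos(SAMPLE_LOG):
        print(f"O2 orphaned BHO {name} {clsid} -> {path}")
```

The same interface GUID shows up under CCS, CS1 and CS2 because the hijacked value sits in every control set; that is why Kim's instructions fix all three lines rather than just CurrentControlSet. An orphaned BHO with a ".tmp" DLL in system32 is not dangerous on its own once the file is gone, but the registration is still worth removing so nothing can drop a new file at that path and be loaded by IE.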

Thank you

Post by Rip » January 5th, 2006, 10:41 am

I got it fixed and everything is working great! Thanks again

Post by Kimberly » January 5th, 2006, 10:44 am

I would like to see the requested logs please.

Post by Rip » January 5th, 2006, 11:43 am

Logfile of HijackThis v1.99.1
Scan saved at 8:42:31 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\PA\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dmozv.exe] C:\WINDOWS\system32\dmozv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Post by Kimberly » January 6th, 2006, 11:01 am

You still have several nasties on board and I would like to see the following logs please :

Please post :
  1. C:\fixwareout\report.txt
  2. If you still have the log from smitrem fix I would like to see it --> c:\smitfiles.txt
  3. If you still have the Ewido log, please post it
  4. Kaspersky results
  5. C:\WinPFind\WinPFind.txt
Kim
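Rip's second log lists many O4 Run entries the first log did not, while the first log carried an `[MSConfig] ... /auto` entry that the second lacks. That entry is what msconfig leaves behind when Windows is in selective startup, and startup items disabled there neither run nor get listed; the thread does not say whether that is what hid them here. Either way, the check a helper wants is a mechanical diff of the two logs rather than reading them side by side. The following is an added example, not code from the thread; BEFORE and AFTER are constructed subsets of the logs Rip posted on January 2nd and January 5th.

```python
"""Diff two HijackThis logs from the same machine: what appeared, what went,
what survived. Added example; BEFORE/AFTER are constructed subsets of the two
logs posted in this thread.
"""
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")

# Constructed subset of the Jan 2 log (selective-startup MSConfig entry present).
BEFORE = """\
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\\WINDOWS\\system32\\hp5A93.tmp (file missing)
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
"""

# Constructed subset of the Jan 5 log (the O4 entries Kim later asked Rip to fix).
AFTER = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [SpyAxe] C:\\Program Files\\SpyAxe\\spyaxe.exe /h
O4 - HKLM\\..\\Run: [dmozv.exe] C:\\WINDOWS\\system32\\dmozv.exe
O4 - HKLM\\..\\Run: [ControlPanel] C:\\WINDOWS\\system32\\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\\..\\Run: [UnSpyPC] "C:\\Program Files\\UnSpyPC\\UnSpyPC.exe"
O4 - HKCU\\..\\Run: [desktop] C:\\WINDOWS\\system32\\idemlog.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
"""


def entries(log_text):
    """Set of HijackThis entry lines; the header and running-process list are ignored."""
    return {line.rstrip() for line in log_text.splitlines() if ENTRY_RE.match(line)}


def diff_logs(before, after):
    """Return {'added', 'removed', 'unchanged'}: sorted entry lines between two logs."""
    b, a = entries(before), entries(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "unchanged": sorted(a & b),
    }


def by_section(lines):
    """Group entry lines by their HijackThis section code (O4, O17, ...)."""
    grouped = {}
    for line in lines:
        grouped.setdefault(line.split(" - ", 1)[0], []).append(line)
    return grouped


def still_present(log_text, lines_to_fix):
    """Which of the lines a helper told the user to 'Fix checked' are still in the new log."""
    current = entries(log_text)
    return [line for line in lines_to_fix if line.strip() in current]


if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    for kind in ("added", "removed", "unchanged"):
        for section, lines in by_section(d[kind]).items():
            print(f"{kind:9} {section}: {len(lines)} entr{'y' if len(lines) == 1 else 'ies'}")
            for line in lines:
                print("   ", line)
```

The "unchanged" bucket is the one that matters after a fix: here the O17 line survives from one log to the next even though Rip was asked to fix it, which is exactly why Kim asked for the FixWareout report before going further.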

Post by Rip » January 6th, 2006, 11:59 am

~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 768 'explorer.exe'
Killing PID 768 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

Post by Rip » January 6th, 2006, 12:06 pm

---------------------------------------------------------
ewido anti-malware - Process report
---------------------------------------------------------

+ Created on: 9:05:45 AM, 1/6/2006
+ Report-Checksum: CD61F5F6

0: System Process
4: System Process
296: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
620: \SystemRoot\System32\smss.exe
684: \??\C:\WINDOWS\system32\csrss.exe
708: \??\C:\WINDOWS\system32\winlogon.exe
752: C:\WINDOWS\system32\services.exe
764: C:\WINDOWS\system32\lsass.exe
928: C:\WINDOWS\system32\svchost.exe
1008: C:\WINDOWS\system32\svchost.exe
1096: C:\WINDOWS\System32\svchost.exe
1184: C:\WINDOWS\system32\svchost.exe
1252: C:\WINDOWS\system32\svchost.exe
1388: C:\WINDOWS\system32\spoolsv.exe
1516: C:\Program Files\ewido anti-malware\SecuritySuite.exe
1532: C:\WINDOWS\System32\alg.exe
1748: C:\WINDOWS\Explorer.EXE
1788: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
1820: C:\Program Files\ewido anti-malware\ewidoctrl.exe
1844: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
1936: C:\WINDOWS\system32\nvsvc32.exe
1976: C:\WINDOWS\system32\svchost.exe
1996: C:\WINDOWS\system32\wdfmgr.exe

Post by Rip » January 6th, 2006, 12:11 pm

I hope I am doing this right. I sure thank you for helping me. I don't know a whole lot about computers, and this is my first experience with a forum. Thank you again, Rip

Post by Rip » January 6th, 2006, 12:17 pm

I don't have the

Kaspersky results

C:\WinPFind\WinPFind.txt

or the first one that you asked for. Thanks Kim

Post by Kimberly » January 6th, 2006, 12:47 pm

Hello rip,

Please print out or copy these instructions/tutorials to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. Post all the logs I request, please.

Disable Microsoft AntiSpyware
  1. Open Microsoft AntiSpyware.
  2. Click on Options, Settings.
  3. In the left pane, click on Real-time Protection.
  4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  6. After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
  7. Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.
______________________________

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Please download FixWareout from
http://swandog46.geekstogo.com/Fixwareout.exe

Note: Leave your internet connection running; FixWareout may prompt you to download BFU from merijn.

Save it to your Desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch.

Put a check in the box on the left side of the following items if still present:

O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129

Close ALL windows and browsers except HijackThis and click Fix Checked

At the end of the fix, you may need to restart your computer again. A log will be created, C:\fixwareout\report.txt, I will need that file later on.

If present, delete the folder C:\Program Files\WareOut
______________________________

Reset your DNS servers
  1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
  2. Right-click the network connection that you want to configure, and then click Properties.
  3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
  4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically. (Recommended)
  5. If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.
Reboot your PC
______________________________

Start Ewido and update to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

UnSpyPC : please see
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

UnSpyPC

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.

O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [dmozv.exe] C:\WINDOWS\system32\dmozv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe

Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\SpyAxe
C:\Program Files\UnSpyPC
C:\Program Files\WareOut <--- if not yet done

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\dmozv.exe
C:\WINDOWS\system32\idemlog.exe
C:\WINDOWS\system32\per.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and reboot in Normal Mode.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Please post :
  1. C:\fixwareout\report.txt
  2. Ewido log
  3. Kaspersky results
  4. C:\WinPFind\WinPFind.txt
  5. a new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

Kim
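Kim's "delete these folders / delete these files" list above was worked out by hand from the five O4 lines she asked Rip to fix. As an added example (not the thread's own code), the Python below derives that list from flagged O4 entries. It handles the three command shapes that occur in Rip's logs: an unquoted path containing spaces followed by a switch (`C:\Program Files\SpyAxe\spyaxe.exe /h`), a quoted path, and a RunDll32 launch whose real payload is the DLL named before the comma. The folder-versus-file rule is the one visible in her post (an application living under its own Program Files folder is removed as a folder, a stray executable dropped into system32 is deleted as a file) and is stated here as an assumed heuristic, not a general truth; the WareOut folder in her list came from the FixWareout step, not from an O4 line, so it is not produced here.

```python
"""Derive the delete list (files and folders) from flagged HijackThis O4 entries.

Added example, not part of the original thread. FLAGGED holds the five O4
lines from Kim's post; the folder/file rule is an assumed heuristic.
"""
import ntpath  # Windows path semantics regardless of the host OS
import re

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXEC_EXT = {".exe", ".dll", ".cpl", ".scr", ".com", ".bat", ".cmd"}

# The five O4 lines Kim asked Rip to "Fix checked" in Safe Mode (copied from the post).
FLAGGED = [
    r'O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h',
    r'O4 - HKLM\..\Run: [dmozv.exe] C:\WINDOWS\system32\dmozv.exe',
    r'O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile',
    r'O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"',
    r'O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe',
]


def split_command(cmd):
    """Split a Run value into (image, args) the way Windows resolves it.

    A quoted image ends at the closing quote. An unquoted one is the shortest
    leading run of tokens that ends in an executable extension, so an unquoted
    path with spaces is not cut at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if ntpath.splitext(candidate)[1].lower() in EXEC_EXT:
            return candidate, " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])


def launched_image(cmd):
    """The real payload of a Run value: for RunDll32 that is the DLL before the comma."""
    image, args = split_command(cmd)
    if ntpath.splitext(ntpath.basename(image))[0].lower() == "rundll32" and args:
        return args.split(",", 1)[0].strip().strip('"')
    return image


def cleanup_target(image):
    """Assumed heuristic from the post: own Program Files folder -> delete the folder;
    absolute path elsewhere (e.g. system32) -> delete the file; a bare name is left
    'unresolved' because it is found through the DLL/PATH search order, not a fixed path."""
    parts = image.split("\\")
    lower = [p.lower() for p in parts]
    if len(lower) >= 3 and lower[0] == "c:" and lower[1] == "program files":
        return ("folder", "\\".join(parts[:3]))
    if ntpath.isabs(image):
        return ("file", image)
    return ("unresolved", image)


def cleanup_plan(flagged_lines):
    """Ordered, de-duplicated list of (kind, path) targets for the flagged O4 lines."""
    seen, plan = set(), []
    for line in flagged_lines:
        m = O4_RE.match(line)
        if not m:
            continue
        target = cleanup_target(launched_image(m.group("cmd")))
        if target not in seen:
            seen.add(target)
            plan.append(target)
    return plan


if __name__ == "__main__":
    for kind, path in cleanup_plan(FLAGGED):
        print(f"{kind:10} {path}")
```

Two cautions a practitioner would add: only feed this the lines a helper has actually judged malicious (the rule will happily turn a legitimate vendor's Run entry into "delete the folder"), and treat "unresolved" results as a prompt to locate the file on the DLL search path, since that is where a name like `ptipbm.dll` from Rip's log would have to be found before anything is deleted.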

Post by Rip » January 6th, 2006, 2:23 pm

OK, there's a problem with the first site you told me to go to, to download the fix-something (I don't remember the exact address), but it does not work.

My computer seems to be working good right now; what do I have that is still bad? The problem I see is I have to download all these other programs that I don't know if I really need. I just hate piling more crap on my computer, and who's to say some of these other programs don't have their own tracking cookies? Hate to sound paranoid, but come on, this is America, land of greed. I do appreciate your help, R

Post by Kimberly » January 6th, 2006, 6:06 pm

Hello Rip,

Let me try to clarify things ... and why you need to follow my instructions and download the programs I requested to clean up your PC.

Right now, your DNS servers are NOT yours; they point to DNS servers in Russia and not to the DNS servers of your ISP. This means that each address you request on the Internet is not resolved by your trustworthy ISP but by a bunch of hackers, and they might redirect you to another page instead of the one you asked for. They may have access to your computer, change things, download programs without your knowledge, use your computer to perform illegal things against other computers and steal your personal information.

This situation will turn worse if you don't follow exactly the directions I posted for you. The programs I asked you to download and run are from well-known anti-malware fighters' sources; if one had turned naughty and used a cookie for tracking, we would know about it, because we don't tolerate that, and if that happened we would not ask you to install or use such a program.

Please follow all the steps I posted, in the exact order, to clean up your PC, because you already have malware that loads at startup. HijackThis does not show all the nasties on your computer; that's why we need Ewido and Kaspersky. WinPFind will show entries in the registry that have been modified by the malware without your knowledge. The only thing we wish is to prevent your computer getting piled up with junk, crap, etc. ... something that will happen if you don't follow my instructions as quickly as possible.

If you have a problem with a part of the fix, write it down on a piece of paper, write down the error message if you get one, note down the file that caused download trouble and post all those details back in your reply.

Can we start to disinfect your computer now, please?

Kim

Post by Rip » January 6th, 2006, 7:28 pm

For starters, the address http://swandog46.geekstogo.com/Fixwareout.exe does not work, so I can't download Fixwareout.exe?

Post by ChrisRLG » January 6th, 2006, 7:31 pm

It does for me.

Do you have any pop-up blocking software running, as that could interfere with the download?
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK