Hello rip,
Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. Post all the logs I request please.
Disable Microsoft AntiSpyware
- Open Microsoft AntiSpyware.
- Click on Options, Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
- After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.
______________________________
Make sure that you can see hidden files.
- Click Start.
- Click My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Uncheck the Hide file extensions for known file types.
- Click OK.
______________________________
Please download FixWareout from http://swandog46.geekstogo.com/Fixwareout.exe
Note: Leave your internet connection running, the fixwareout may prompt you to download BFU from merijn.
Save it to your Desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch.
Put a check in the box on the left side of the following items if still present:
O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
Close ALL windows and browsers except HijackThis and click Fix Checked.
At the end of the fix, you may need to restart your computer again. A log will be created, C:\fixwareout\report.txt, I will need that file later on.
If present, delete the folder C:\Program Files\WareOut
______________________________
Reset your DNS servers
- Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
- Right-click the network connection that you want to configure, and then click Properties.
- On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
- If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically. (Recommended)
- If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.
Reboot your PC
______________________________
Start Ewido and update to the latest definition files.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________
UnSpyPC: please see http://www.spywarewarrior.com/rogue_anti-spyware.htm
Click on Start, Control Panel, click on Add/Remove Programs.
Look through the installed programs for the following items and remove them if present:
UnSpyPC
During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
______________________________
Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [dmozv.exe] C:\WINDOWS\system32\dmozv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________
Using Windows Explorer, Search and Delete these Folders if listed:
C:\Program Files\SpyAxe
C:\Program Files\UnSpyPC
C:\Program Files\WareOut <--- if not yet done
Using Windows Explorer, Search and Delete these Files if listed:
C:\WINDOWS\system32\dmozv.exe
C:\WINDOWS\system32\idemlog.exe
C:\WINDOWS\system32\per.exe
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
______________________________
Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Next click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
- Click on Scanner
- Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
Close Ewido and reboot in Normal Mode.
______________________________
Please do an online scan with Kaspersky Online Scanner.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database:
    - Extended (If available otherwise Standard)
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
______________________________
Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________
Please post:
- C:\fixwareout\report.txt
- Ewido log
- Kaspersky results
- C:\WinPFind\WinPFind.txt
- a new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
Kim
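
A check for the "new HijackThis log" requested above, as an added example that is not part of Kim's post: it parses the O17 and O4 lines of a log and reports any that still match the DNS servers and Run-entry files the post asks to fix. The sample log is constructed, and matching Run entries by file name alone is an assumption made here.

```python
import ipaddress
import re

# Values copied from the post: the DNS servers and files it asks to fix.
ROGUE_DNS = {ipaddress.ip_address(a) for a in ("85.255.115.109", "85.255.112.129")}
BAD_FILES = {"spyaxe.exe", "dmozv.exe", "per.exe", "unspypc.exe", "idemlog.exe"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)

# Constructed sample log (not from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [dmozv.exe] C:\WINDOWS\system32\dmozv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB6F72-0BCA-4684-BC97-44A51066608D}: NameServer = 85.255.115.109,85.255.112.129
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""


def leftover_entries(log_text):
    """Return (line_no, reason) for each line still matching the post's fix list."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            # NameServer values may be comma- or space-separated.
            for raw in re.split(r"[,\s]+", m["servers"].strip()):
                try:
                    addr = ipaddress.ip_address(raw)
                except ValueError:
                    continue  # not an IP literal, nothing to compare
                if addr in ROGUE_DNS:
                    findings.append((no, f"rogue DNS server {addr}"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m["cmd"])
            # Matched by file name only; a same-named file elsewhere also hits.
            if exe and exe.group(1).lower() in BAD_FILES:
                findings.append((no, f"Run entry [{m['name']}] -> {exe.group(1)}"))
    return findings


if __name__ == "__main__":
    for no, reason in leftover_entries(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```

An empty result means none of the entries listed in the post are still present in the log.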