Spyware, Adware and Virus Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BabyJ_1590, Mar 11, 2006.

  1. BabyJ_1590

    BabyJ_1590 Private E-2

    I went to college and returned home to find the computer in serious trouble. There are several visible problems - redirecting after clicking a link, random programs that cannot be uninstalled, pop-ups, not being allowed to print or install a printer, not being allowed to update Windows, no longer being recognized as an administrator and the list goes on. I have done all of the steps on the before you post this page.

    The system is Microsoft Windows XP Professional Version 2002. The computer has 512 MB of RAM. The computer would not let me do a Panda Virus Scan, but I did everything else I could do.

    Attached are HijackThis, CounterSpy, and BitDefender logs.

    Any help you can provide would be great. Thank you.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks.

    Please go back to step 7 of the READ & RUN ME and follow the directions to properly install and run HijackThis. You are running it exactly where and how we specify that it should not be run. That is from the ZIP file and from C:\Documents and Settings.

    Did you have a problem trying to use Microsoft Windows Defender? If so, it is because of the below !!!!

    Your OS and IE versions are way out of date and represent a major security risk to you. You MUST get updated once we remove all malware issues.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay after getting HJT installed properly, continue with the below.

    Empty your Norton NPROTECT folder and also your Microsoft AntiSpyware Quarantine folder!

    You have a few infections. One of them is a Wareout infection and another is a Look 2 Me infection. We may need some steps after the below to remove some of these.

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R3 - URLSearchHook: (no name) - _{21F746AD-1806-3B74-8545-A012D89080B7} - (no file)
    R3 - URLSearchHook: (no name) - {83534AF7-0588-458B-C998-62A87F8B7186} - dePloy.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: (no name) - {77FE52DD-A3E8-A13B-CCBE-685170ABFAF0} - (no file)
    O2 - BHO: (no name) - {A865C54F-2717-A84C-2C64-CCCC092DD965} - (no file)
    O2 - BHO: (no name) - {E6A923C7-6658-048E-5AB7-0335F62ACC87} - (no file)
    O4 - HKLM\..\Run: [progmen] zxc.exe
    O4 - HKLM\..\Run: [prcmon] ERTYDF.exe
    O4 - HKLM\..\Run: [links] links.exe
    O4 - HKLM\..\Run: [dmbqd.exe] C:\WINDOWS\System32\dmbqd.exe
    O4 - HKCU\..\Run: [SpyElim] StatusCheck.exe
    O4 - HKCU\..\Run: [abrek] SysSupport.exe
    O4 - HKCU\..\Run: [SYSTRAV] ssweeper.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20DDAEE7-0580-4951-9BEB-3CD338CAE8B4}: NameServer = 85.255.113.142,85.255.112.155
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E21C1480-DC08-4B7A-82C8-907543A33563}: NameServer = 85.255.113.142,85.255.112.155
    O17 - HKLM\System\CS1\Services\Tcpip\..\{20DDAEE7-0580-4951-9BEB-3CD338CAE8B4}: NameServer = 85.255.113.142,85.255.112.155
    O17 - HKLM\System\CS2\Services\Tcpip\..\{20DDAEE7-0580-4951-9BEB-3CD338CAE8B4}: NameServer = 85.255.113.142,85.255.112.155
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\gci32.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\WINDOWS\System32\dePloy.dll
    C:\WINDOWS\System32\zxc.exe
    C:\WINDOWS\System32\ERTYDF.exe
    C:\WINDOWS\System32\links.exe
    C:\WINDOWS\System32\dmbqd.exe
    C:\WINDOWS\System32\StatusCheck.exe
    C:\WINDOWS\System32\SysSupport.exe
    C:\WINDOWS\System32\ssweeper.exe
    C:\WINDOWS\system32\gci32.dll
    c:\windows\system32\guard.tmp
    c:\windows\system32\winupdt.001
    c:\windows\cfgmgr52.ini
    c:\windows\rdt.ini
    C:\Program Files\AIM\Sysfiles\AIMWDInstall.exe
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log. And tell me how things are working now!!!
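
Added example, not part of chaslang's post or of any MajorGeeks tool: a Python check for the "check the following items if they still exist" step, comparing flagged HijackThis entries against a follow-up log and counting the DNS servers set by the O17 entries. The follow-up log, the ExampleApp entry and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$", re.I)  # e.g. "O4 - ..."

# Subset of the entries listed for fixing in the post above (copied as-is).
FLAGGED = r"""
R3 - URLSearchHook: (no name) - {83534AF7-0588-458B-C998-62A87F8B7186} - dePloy.dll (file missing)
O4 - HKLM\..\Run: [progmen] zxc.exe
O4 - HKCU\..\Run: [SpyElim] StatusCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{20DDAEE7-0580-4951-9BEB-3CD338CAE8B4}: NameServer = 85.255.113.142,85.255.112.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{20DDAEE7-0580-4951-9BEB-3CD338CAE8B4}: NameServer = 85.255.113.142,85.255.112.155
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\gci32.dll
"""

# Constructed follow-up log (not from the thread): two flagged entries survive,
# one differing only in path case and spacing; ExampleApp is a made-up entry.
RESCAN = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{20DDAEE7-0580-4951-9BEB-3CD338CAE8B4}: NameServer = 85.255.113.142,85.255.112.155
O20 - Winlogon Notify:  WindowsUpdate - c:\windows\system32\gci32.dll
"""

def parse(log_text):
    """Return {(section, normalised detail): original detail} per entry line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and blank lines do not match and are skipped
            # Windows paths are case-insensitive, so compare case-folded.
            key = (m.group(1).upper(), " ".join(m.group(2).split()).casefold())
            entries[key] = m.group(2)
    return entries

def still_present(flagged_text, rescan_text):
    """Flagged entries that also appear in the rescan, in flagged order."""
    flagged, rescan = parse(flagged_text), parse(rescan_text)
    return [f"{k[0]} - {flagged[k]}" for k in flagged if k in rescan]

def nameservers(log_text):
    """Count how many O17 NameServer entries point at each DNS server."""
    counts = defaultdict(int)
    for sec, norm in parse(log_text):
        if sec == "O17" and "nameserver =" in norm:
            for ip in norm.split("nameserver =", 1)[1].split(","):
                counts[ip.strip()] += 1
    return dict(counts)

if __name__ == "__main__":
    print(still_present(FLAGGED, RESCAN), nameservers(RESCAN))
```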
     
