Worm & Malware- Need Support

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lrGeek07, Feb 13, 2006.

  1. lrGeek07

    lrGeek07 Private E-2

    Completed READ & RUN ME FIRST Before Asking for Support

    Attached are my logs. Don't know what to do from this point.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Where is your Bitdefender log? You have a ton of problems. You appear to be a spyware collector.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your McAfee program expired or not up to date?
     
  4. lrGeek07

    lrGeek07 Private E-2

    Recently downloaded McAfee. It's updated. My BitDefender log is in HTML. I cannot upload due to size.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you done a full system scan with McAfee recently?

    Compress your BitDefender log into a ZIP file and upload it.
     
  6. lrGeek07

    lrGeek07 Private E-2

    Recently completed McAfee scan, earlier today.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove Programs and Uninstall the below if found:
    AlfaCleaner
    CAS
    FCHelp
    UnSpyPC


    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmehuk.dll
    O2 - BHO: (no name) - {E0C5598C-02EF-E204-48A4-36E8887DFC9B} - C:\WINDOWS\Wasnseyc.dll (file missing)
    O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\System32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Search - {CB30F462-2570-9C58-A780-1A193B115050} - C:\WINDOWS\Wasnseyc.dll (file missing)
    O4 - HKLM\..\Run: [bhoserv] ATLIEHELPER.exe
    O4 - HKLM\..\Run: [newbreed] TorontoMail.exe
    O4 - HKLM\..\Run: [dmvgs.exe] C:\WINDOWS\System32\dmvgs.exe
    O4 - HKLM\..\Run: [7B7D818082838888] 24262A292B2C31.exe
    O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\System32\aupdate.exe
    O4 - HKLM\..\Run: [Ddsynf] C:\Program Files\Splledx\Htbf.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
    O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
    O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
    O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [10010] XTermInit.exe
    O4 - HKCU\..\Run: [ActionScr] RtlFindVal.exe
    O4 - HKCU\..\Run: [mozilla-text] utsgmon.exe
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
    O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins008.exe
    O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_52.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DEAC9430-9C39-457E-9051-2DD2B83A4FF9}: NameServer = 85.255.115.54,85.255.112.10

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\Splledx <--- delete the whole folder if found
    C:\Program Files\AlfaCleaner <--- delete the whole folder if found
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\Program Files\System Files <--- delete the whole folder if found
    C:\Program Files\apsi <--- delete the whole folder if found
    C:\Program Files\FCHelp <--- delete the whole folder if found
    C:\Program Files\Common Files\VCClient <--- delete the whole folder if found
    C:\Program Files\EQArticle <--- delete the whole folder if found

    C:\WINDOWS\System32\irsmehuk.dll
    C:\WINDOWS\System32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
    C:\WINDOWS\Wasnseyc.dll
    C:\WINDOWS\System32\ATLIEHELPER.exe
    C:\WINDOWS\System32\TorontoMail.exe
    C:\WINDOWS\System32\dmvgs.exe
    C:\WINDOWS\System32\24262A292B2C31.exe
    C:\WINDOWS\System32\aupdate.exe
    C:\WINDOWS\System32\XTermInit.exe
    C:\WINDOWS\System32\RtlFindVal.exe
    C:\WINDOWS\System32\utsgmon.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
    C:\WINDOWS\System32\irssyncd.exe
    C:\WINDOWS\System\svwhost.exe
    C:\WINDOWS\SYS99.exe
    C:\WINDOWS\sachostx.exe
    C:\WINDOWS\System32\sachostc.exe
    C:\WINDOWS\System32\sachosts.exe


    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
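As an added example (not from the thread, nor part of HijackThis or FixWareout), a small Python triage script that reads HijackThis entries and flags the kinds of indicators chaslang's list contains: orphaned O2/O3 registrations, O4 Run values with a bare filename, O16 ActiveX downloads from a raw IP or of an .exe, and O17 NameServer values outside an expected resolver set. The `EXPECTED_DNS` allowlist and the second O17 line are constructed for the example; the other sample entries are quoted from the post above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# A HijackThis entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] C:\x.exe".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# Resolvers this machine is expected to use (constructed placeholder for the example).
EXPECTED_DNS = {"192.168.1.1"}
# Constructed sample log: entries quoted from the thread plus one benign O17 entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [bhoserv] ATLIEHELPER.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_52.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEAC9430-9C39-457E-9051-2DD2B83A4FF9}: NameServer = 85.255.115.54,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

def run_command_exe(body):
    """Executable from an O4 body: the quoted path if present, else the first token."""
    cmd = body.split("] ", 1)[1].strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def triage(log_text):
    """Return (code, reason, body) for every entry matching one of the indicators above."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "O3") and body.endswith(("(no file)", "(file missing)")):
            findings.append((code, "orphaned BHO/toolbar registration", body))
        elif code == "O4" and "\\" not in run_command_exe(body):
            findings.append((code, "Run value with bare filename (resolved via search path)", body))
        elif code == "O16":
            url = urlparse(body.rsplit(" - ", 1)[1])
            try:
                ipaddress.ip_address(url.hostname or "")  # raises ValueError for a DNS name
                findings.append((code, "ActiveX download from a raw IP address", body))
            except ValueError:
                if url.path.lower().endswith(".exe"):
                    findings.append((code, "ActiveX entry pointing at an .exe", body))
        elif code == "O17" and "NameServer" in body:
            servers = {s.strip() for s in body.split("=", 1)[1].split(",")}
            if not servers <= EXPECTED_DNS:
                findings.append((code, "unexpected DNS resolver (possible DNS hijack)", body))
    return findings
```

Run `triage()` over a fresh log after the fix to see which of the listed entry types are still present; the O17 check is the one that catches the Wareout DNS change.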
     
  8. lrGeek07

    lrGeek07 Private E-2

    I completed the items suggested. The files requested are attached. Let me know next steps. Thx.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the below files:

    C:\WINDOWS\SYSTEM32\VXGAME~3.EXE
    C:\WINDOWS\SYSTEM32\VXGAME~4.EXE

    Now tell me how things are working!
     
  10. lrGeek07

    lrGeek07 Private E-2

    Great! Thanks for the expertise!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
