540.filost.com

Discussion in 'Malware Help (A Specialist Will Reply)' started by jmccormick, Sep 8, 2005.

  1. jmccormick

    jmccormick Private E-2

    Greetings

    When I start IE it immediately opens a new window going to 540.FILOST.Com. I have PC-Cillin 2005 installed. I am on Windows 2000.

    I also have trouble with PS Guard. Both Ad-Aware and SpyBot find this and appear to delete it, but it is back again next time I start up.

    I have followed the instructions in How-To, except that I couldn't run the on-line scans in safe mode. I have a dial-up modem and when I booted in safe mode I couldn't see the internet connection.

    Any help would be much appreciated.


    Thanks
    John McCormick
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the online scans in normal boot mode? If not, please do so. And if they find anything they cannot fix, post their logs.

    Then follow the steps below.

    Download smitRem.exe and save the file to your desktop.

    Double click on the file to extract it to its own folder on the desktop.

    Reboot into safe mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach this log to your next reply.

    If still having problems at this point, follow the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
    Last edited: Sep 10, 2005
  3. jmccormick

    jmccormick Private E-2

    Thanks for that. I ran the online scans in normal mode. They didn't appear to find anything they couldn't fix, but I'm not sure what to look for.

    The 540.filost.com page is still opening. I tried to post the HJT log but it wouldn't work. The attachments screen said "Uploading files - please wait", and after about 2 minutes it went to "Page cannot be found". The file is about 7kb, is that too big?

    I have attached the smitrem log.


    Thanks again
    John
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It is a bug in vB that sometimes occurs when using IE. You can use another browser like FireFox or you can do the below:
    - click the Quick Links hot key towards the top right
    - select Edit Options
    - in the next window scroll to the bottom of the window and change the Message Editor to Standard

    That may work.
     
  5. jmccormick

    jmccormick Private E-2

    Thanks again

    I tried with Firefox but the same thing happened. The Message Editor was already on Standard, I tried setting it to text but it didn't help.

    Anything else I can do, or could I paste in as text?


    Thanks
    John
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You may be experiencing another possible bug with vB that I have seen. Sometimes certain content in the file has caused problems. Try putting your HJT log into a ZIP file and upload the ZIP file. If you cannot do this (don't know how) then try putting your log into a Word Document and upload it (Note: it must be smaller than 96 k to upload).
     
  7. jmccormick

    jmccormick Private E-2

    Thanks for that, we're on track now. Have posted HJT log as a Zip file.


    Kind regards
    John
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have both a command prompt window open and an ftp session running when getting your HJT log? I see these two processes:
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\FTP.EXE


    Look in Add/Remove programs and uninstall WareOut if found!! You have a bunch of trojans, most due to Wareout!



    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R3 - URLSearchHook: (no name) - {AE37A2C3-108B-9709-A719-F3CBC6A791C2} - wormexe.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
    O4 - HKLM\..\Run: [syspanel] iehelper.exe
    O4 - HKLM\..\Run: [abrek] Dest068.exe
    O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
    O4 - HKLM\..\Run: [Microsoftf DDEs Control] w33s.exe
    O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
    O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] w33s.exe
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - HKCU\..\Run: [KeywordFinder] startman.exe
    O4 - HKCU\..\Run: [WTFCTF] LOPTCON.exe
    O4 - HKCU\..\Run: [new32] defect08.exe
    O4 - HKCU\..\Run: [SNInstall] C:\WINNT\system32\LogFiles\NS6281400.so
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {11111111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\system32\vbsys2.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WareOut <--- the whole folder
    C:\WINNT\system32\LogFiles\NS6281400.so
    C:\WINNT\system32\taskopen.exe
    C:\WINNT\system32\iehelper.exe
    C:\WINNT\system32\Dest068.exe
    C:\WINNT\system32\w33s.exe
    C:\WINNT\system32\winpadg.exe
    C:\WINNT\system32\startman.exe
    C:\WINNT\system32\LOPTCON.exe
    C:\WINNT\system32\defect08.exe
    c:\ied_s7.cab
    c:\x.cab
    c:\wx.cab
    c:\eied_s7.cab
    c:\ex.cab
    C:\WINNT\system32\vbsys2.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
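A defender's triage of the HijackThis entry types called out in this post (R1 proxy, O4 autoruns given as bare file names, O15 Trusted Zone, O16 file:// cabs, O21 SSODL), as an added Python example that is not part of the thread; the sample log is constructed from entries quoted above plus one benign-looking O4 entry, and the ExampleApp path is a placeholder.

```python
import re

# Constructed sample log modelled on the entries quoted in this post (not a
# log captured from the poster's machine). The last line is a constructed
# benign entry (placeholder path) to show what the checks leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [syspanel] iehelper.exe
O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\system32\vbsys2.dll
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe"
"""

# Every HJT line starts with a section code (R0, R1, O4, O15, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def check(sec, body):
    """Return a reason string when the entry matches a hijack pattern, else None."""
    if sec == "R1" and "ProxyServer" in body:
        if re.search(r"localhost|127\.0\.0\.1", body):
            return "browser traffic forced through a local proxy port"
    if sec == "O4":
        m = re.search(r"\[.*?\]\s*(.+)$", body)
        cmd = m.group(1).strip().strip('"') if m else ""
        # A bare file name is resolved via the search path (system32 etc.)
        if cmd and "\\" not in cmd and ":" not in cmd:
            return "autorun given as a bare file name, no full path"
    if sec == "O15" and "Trusted Zone" in body:
        return "site placed in the IE Trusted Zone (relaxed security)"
    if sec == "O16" and "file://" in body.lower():
        return "ActiveX control registered from a local cab file"
    if sec == "O21":
        return "shell service object DLL loaded at logon; verify publisher"
    return None


def triage(log_text):
    """Return (section, reason, line) for every flagged entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            reason = check(m.group("sec"), m.group("body"))
            if reason:
                findings.append((m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```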
     
  9. jmccormick

    jmccormick Private E-2

    Great!

    That seems to have done it. The 540.filost.com window has stopped opening.

    Sorry, I don't understand the question about a command prompt window and an ftp session.

    I didn't find WareOut in add/remove programs.

    After running HJT and rebooting in safe mode, the only files on your list that I found were
    c:\eied_s7.cab
    C:\WINNT\system32\vbsys2.dll
    I deleted both of these.

    When running task manager I saw
    lsass.exe and svchost.exe
    These have both appeared in error messages, usually when the computer decides to shut itself down! Should they be there?

    A new HJT log is attached.

    Thanks very much, I really appreciate your help.

    Regards
    John
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are valid Windows processes as long as they are running from the system32 folder.

    You still have one problem left.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
    Now check to make sure those O15 lines with frame.crazywinnings.com are gone from your HJT log. Let me know.
     
  11. jmccormick

    jmccormick Private E-2

    Yes, the line is gone.

    Thanks again for your help.


    Kind regards
    John
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

