ahh - please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by mccarthyx, Dec 1, 2006.

  1. mccarthyx

    mccarthyx Private E-2

    Something has taken over my internet! I can open certain sites like this one, luckily, but if I try to open something like Google, the right address stays in the address bar but "opening page bxnu.com" appears at the bottom of the window frame. The site that opens is always the same but has a random name at the top left like mysterysea.com followed by "find something different". It's basically a blue & white screen with various search categories listed.
    I have run AVG antivirus a few times and it's found trojan horse downloaderZlob.FJT. I also ran the Microsoft protection scan & that deleted some dodgy stuff, but the problem is still there.
    This is really annoying because I can't get to the sites I really need to use.
    I don't know what to do now.
    Any help appreciated.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    • Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    • After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    • Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message, so it will require that you use two messages to attach all of these logs!
     
  3. mccarthyx

    mccarthyx Private E-2

    I ran Spyware Doctor and it came up with Wareout, so I used FixWareout by LonnyRJones, and I think it's done the job, so I'm most grateful. :)
    What concerns me now is how it got on my PC. The description Spyware Doctor gives of Wareout says it is a rogue antispyware programme. I use Lavasoft Ad-Aware SE and SpywareBlaster as I thought they were reputable.
    Should I delete them and use something else?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Usually when Wareout is present there are others, so I would recommend running my previous post and attaching the logs; however, it's up to you.
     
  5. mccarthyx

    mccarthyx Private E-2

    You're absolutely right, there was some other stuff that showed up. I just haven't had the time to do everything yet but will do as soon as possible.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, just post your logs when ready.
     
  7. mccarthyx

    mccarthyx Private E-2

    CounterSpy log
    BitDefender log
    PandaActiveScan. log
     

    Attached Files:

  8. mccarthyx

    mccarthyx Private E-2

    GetRunKey
    ShowNew


    Did all the scans listed; don't know if GetRunKey & ShowNew worked, as only the Notepad files had anything in them.
    I've still got trojans showing, so I'll do the HijackThis scan & post it.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, I will need a fresh HJT log to continue.
     
  10. mccarthyx

    mccarthyx Private E-2

    hijackthis log
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First thing I notice is that you're running Norton and AVG. You need to pick one antivirus and uninstall the other, as running more than one will cause conflicts.

    After you complete this see the thread below and run this thread once more.

    WareOut Removal

    Once you complete the thread above, fix the below entries with HJT. Once completed reboot and attach a fresh HJT log.

     
  12. mccarthyx

    mccarthyx Private E-2

    The Norton is a firewall that came with the PC, not that I use it; the antivirus is already uninstalled. I have run FixWareout again but Spyware Doctor is still showing Wareout and Trojan.DNS Changer. Don't know what to try next?
     

    Attached Files:

    Last edited: Dec 12, 2006
  13. mccarthyx

    mccarthyx Private E-2

    hijackthis log after reboot
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, can you attach the log from Spyware Doctor?
     
  15. mccarthyx

    mccarthyx Private E-2

    WareOut
    C:\System Volume Information\_restore{0C83D441-BF52-4044-A4FD-E3966F45DDBF}\RP409\A0036477.exe risk: High

    Trojan.DNS Changer HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion##dpid risk: High

    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29CA183A-5D1E-4402-8733-393CB3B4690D}##DhcpNameServer risk: High

    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2F9C50AF-7A57-447F-A0C9-0C41A391287A}##DhcpNameServer risk: high

    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3F73E448-A0E7-4551-842F-86C2727A6E8B}##DhcpNameServer risk: High

    -----------------------
    That's the Spyware Doctor log.


    What does the 'ISSUES' tool in CCleaner do? I did a scan & it shows loads of "unused file extensions", "ActiveX/COM issues", "open with application issues" & "installer reference issues". Should I let it fix these issues?
    I have also noticed that in my C:\WINDOWS folder there are about 100 folders named $NtUninstallKB810217$ & about the same amount of logs named KB810243.log. They are Microsoft but I haven't noticed them before.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you attach the log so I can get the entire exact registry keys? I don't want to make a mistake as the registry can be very dangerous if managed wrong.

    I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above attach the entire log if possible.
     
  17. mccarthyx

    mccarthyx Private E-2

    I haven't got Spyware Doctor registered, so that's all the information I can get from it. The good news is I disabled System Restore & did FixWareout again and now there are no signs of Wareout; only the Trojan.DNS Changers show up, which it says "change the DNS values of the TCP/IP settings". None of the earlier scans I did showed anything though.
    My PC is definitely a lot cleaner now anyway, thanks for all your guidance so far.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're absolutely positive those are the EXACT registry entries being detected then follow this simple procedure.

    1. Download Erunt 1.1j, save to your desktop and install once complete.

    2. As a precaution backup your entire registry.

    3. Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    4. Once you complete the above, reboot and run another scan, let me know if they return.
     
  19. mccarthyx

    mccarthyx Private E-2

    Hello, been away for a while but back now and have installed ERUNT, backed up & optimized the registry. I copied the quote to Notepad & saved as fixme.reg, but when I double click it nothing happens? Right click gives me the option to 'Merge' but no 'Add to registry'?
    I've run Spyware Doctor again and I also have a Dialer infection now - grrrrr :(
    Here's the log:



    SexVideoPro Dialer.
    Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com
    Risk High

    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com## Risk High

    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com##* Risk High

    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www Risk High

    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www## Risk High

    SexVideoPro Dialer HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www##* Risk High

    Trojan.DNS Changer HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion##dpid
    Risk High

    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29CA183A-5D1E-4402-8733-393CB3B4690D}##DhcpNameServer
    Risk High

    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2F9C50AF-7A57-447F-A0C9-0C41A391287A}##DhcpNameServer
    Risk High

    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3F73E448-A0E7-4551-842F-86C2727A6E8B}##DhcpNameServer
    Risk High
     
  20. mccarthyx

    mccarthyx Private E-2

    PS. AVG antivirus isn't finding it.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is there anyway you can attach the log instead of copying and pasting?
     
  22. mccarthyx

    mccarthyx Private E-2

    I haven't got the registered Spyware Doctor, so unfortunately it won't let me. Of all the different scans I've done, only Spyware Doctor finds these problems.
     
  23. mccarthyx

    mccarthyx Private E-2

    I am able to save the whole page, but it's the same thing, isn't it?
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and run the program BJ asked you to use in message #11. You did not use the link he specified and thus used an old, outdated version of the program. Run FixWareOut from our link and attach a new log. Note that all of the ZoneMap stuff from Spyware Doctor are false positives (they are not bad; they were put in your registry by Spybot to protect you. Thus Spyware Doctor is wrong. Instead of looking at the values that are being set, it is just looking at the URL, which is a poor programming practice.)
     
    Last edited: Feb 6, 2007
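    The two kinds of registry entry argued over in this thread can be told apart by reading the data, not just the key name: the Trojan.DNS Changer hits live in the per-interface DhcpNameServer/NameServer values under Tcpip\Parameters\Interfaces (the concern is a DNS server you did not configure), while a ZoneMap\Domains entry whose data is zone 4 (Restricted sites) is a block entry of the kind immunization tools write. Below is an added Python example, not code from this thread, from MajorGeeks, or from any of the tools mentioned; it parses an exported .reg dump and applies both checks. The .reg text and the DNS server addresses are constructed for the example (the interface GUIDs and the 1987324.com domain are taken from the posts above), and the zone numbering is Internet Explorer's standard ZoneMap numbering.

```python
"""Audit an exported .reg dump for DNS-changer style interface settings and
classify ZoneMap\Domains entries by the zone they actually assign.
Added example; the .reg text below is constructed, not a real export."""
import re

# Internet Explorer ZoneMap zone numbers (value data -> zone name).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

IFACE_RE = re.compile(r"\\Tcpip\\Parameters\\Interfaces\\(\{[0-9A-Fa-f-]+\})$")
ZONEMAP_RE = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\(.+)$")

# Constructed sample export. GUIDs and the domain come from the thread; the
# DNS addresses are documentation ranges chosen for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29CA183A-5D1E-4402-8733-393CB3B4690D}]
"DhcpNameServer"="192.0.2.1 192.0.2.2"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2F9C50AF-7A57-447F-A0C9-0C41A391287A}]
"DhcpNameServer"="203.0.113.9 203.0.113.10"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\1987324.com\www]
"*"=dword:00000004
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}.
    Handles "name"="string" and "name"=dword:xxxxxxxx; '@' is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        else:
            data = data.strip('"')
        keys[current][name] = data
    return keys


def audit_dns(keys, allowed):
    """Return [(interface_guid, value_name, server)] for every DNS server
    configured on an interface that is not in the allow-list."""
    findings = []
    for path, values in keys.items():
        m = IFACE_RE.search(path)
        if not m:
            continue
        for vname in ("DhcpNameServer", "NameServer"):
            for server in re.split(r"[ ,]+", str(values.get(vname, ""))):
                if server and server not in allowed:
                    findings.append((m.group(1), vname, server))
    return findings


def classify_zonemap(keys):
    """Return [(domain_path, value_name, zone_name)] for each ZoneMap\\Domains
    entry. Zone 4 (Restricted sites) blocks the domain, which is what
    immunization tools write; zone 2 (Trusted sites) would be the worrying case."""
    entries = []
    for path, values in keys.items():
        m = ZONEMAP_RE.search(path)
        if not m:
            continue
        for vname, data in values.items():
            if isinstance(data, int):
                entries.append((m.group(1), vname, ZONES.get(data, "unknown")))
    return entries


def run_example():
    """Apply both checks to the constructed sample export."""
    keys = parse_reg(SAMPLE_REG)
    expected_dns = {"192.0.2.1", "192.0.2.2"}  # the servers you configured
    return {"dns": audit_dns(keys, expected_dns), "zonemap": classify_zonemap(keys)}


if __name__ == "__main__":
    for kind, rows in run_example().items():
        for row in rows:
            print(kind, row)
```

    On a real machine the input would come from `reg export` of the two key trees (run as an administrator) with your own DNS servers in the allow-list; the point of the ZoneMap half is that a "Restricted sites" result for a domain is a protective entry, so a scanner that flags it by name alone is reporting the immunization, not an infection.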
  25. mccarthyx

    mccarthyx Private E-2

    Here's a new log; don't know if you need an HJT report?
    Also I noticed an application called UNWISE.EXE in C:\ - should that be there?
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing wrong with it. It is this: http://www.liutilities.com/products/wintaskspro/processlibrary/unwise/

    The logs you previously posted showed both AVG and Symantec Antivirus applications running. Did you skip step 3 of the READ ME? You must uninstall one of these.

    The registry patch given earlier needs some tweaks!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot!

    What is a scan from Spyware Doctor reporting now? I think you said this was only a trial program. Is that correct? If so, we will probably be uninstalling it because it is of no use to you unless you buy it.
     
  27. mccarthyx

    mccarthyx Private E-2

    All I can tell about it is that it is an uninstaller (I think it's from one of the antispyware progs I installed following the 'READ ME' steps).
    I opened it & got the 'Wise Installation Wizard' (welcome to the installation uninstall program)? which uninstalls
    C:\WINDOWS\system32\atl.dll
    C:\WINDOWS\ActiveSkin.INI
    C:\WINDOWS\system32\ActiveSkin.ocx

    The site you listed notes that "unwise.exe is a process belonging to an advertising program. This process monitors your browsing habits and also prompts advertising popups. This process is a security risk and should be removed from your system."
    But it also says it shouldn't be terminated unless suspected of causing problems, so I don't know? :confused:

    I did uninstall Norton antivirus from the PC but haven't deleted the Norton Symantec firewall, even though it's not actually installed - does that need to be deleted as well then?

    Spyware Doctor isn't the full program but does block popups & stops known dodgy sites from opening & won't allow things to be added to startup without asking me, so it is useful.

    The attachment is what a full scan shows now.

    I haven't seen any evidence of my browser being interfered with though, so maybe I should just ignore it.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! That is the second possible thing it could be, which is totally different from the first that is mentioned, which is an uninstaller. Most sites like this are rather poorly written up (they want you to buy their software ;) ). You will see things like this all the time which appear to be contradictory. First they say it is good, then they say it is bad. In reality they need to say it could be good or it could be bad, and then give examples of where the good ones may typically be found and give file sizes, then do the same for bad ones.


    Not according to a previous HJT log which shows all of the below from Norton.
    Uninstall ALL of Norton/Symantec now and then attach new logs from GetRunKey, ShowNew and HJT.

    You are wasting a lot of resources on something which is giving you so little in return. If you like it, buy it. Or uninstall it and use something else to provide blocking.


    Spyware Doctor is real good at reporting problems that are not important. These are just residual/benign registry keys that are left over from the infection. Since the registry patch did not work, it more than likely means that ownership/permissions of the registry keys have been changed to make them more difficult to remove. We can fix this if you like. Let me know.
     
  29. mccarthyx

    mccarthyx Private E-2

    OK, I uninstalled the firewall & deleted anything Norton/Symantec. Attached are the new logs from GetRunKey, ShowNew and HJT (I ran HJT first - hope that's not wrong). I must have done something wrong last time because GetRunKey & ShowNew did work this time.
    I'll try to find other programs to replace Spyware Doctor. As for the registry keys it found, if you think it's best to leave them I'm happy with that.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you do all the below steps and do them in the exact order listed.

    We still have a little work to do. You appear to somehow have Microsoft Antispyware running even though it is not showing in your uninstall programs list, which ShowNew is reporting. First check Add/Remove Programs and uninstall Microsoft Antispyware if it is listed. This program is no longer supported by Microsoft. Just in case it is not listed, my steps below will include something to stop it from loading.

    Also since your Spyware Doctor is only a trial program and since we are finished with the Sunbelt CounterSpy trial, uninstall both of them now! Then delete the below two folders which may be left behind by the uninstall of CounterSpy:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now also uninstall the below very old, outdated version of Sun Java:
    Java 2 Runtime Environment, SE v1.4.2_03

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now run this Disable/Remove Windows Messenger to remove Windows Messenger.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT
    Make sure you tell me how things are working now!

    You should also now get started ASAP on the below!!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link (Don't skip step 1!!!!! You need your Windows Updates!)
     
  31. mccarthyx

    mccarthyx Private E-2

    OK, did everything in order.

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    This didn't show up in the HJT list.

    Everything seems to be running fine. Why did I remove Windows Messenger? And can I reinstall it?

    I will go through How to Protect yourself from malware! next.

    Many thanks.
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should delete the below two files:

    C:\Documents and Settings\Owner\Desktop\fixme.reg
    C:\Documents and Settings\Owner\Desktop\hjthis.txt

    Your logs are clean now!

    Windows Messenger has been a frequent cause of popup problems. Do not confuse it with MSN Messenger or the newer Windows Live Messenger. They are not the same. Are you trying to say you need Windows Messenger? Very few people really need this and many of the ones that say they do should have been using MSN Messenger by now.

    If you really need Windows Messenger, at least use a newer version and install it from here:

    Windows Messenger 5.1.0701


    However you really should not use it. If you need an IM program, use this instead: MSN Messenger
     
