Bad spyware problem.

Discussion in 'Malware Help (A Specialist Will Reply)' started by SpinalTap, Aug 23, 2005.

  1. SpinalTap

    SpinalTap Private E-2

    I posted this in the Software forum, but someone said it would be better to post this here.

    Recently, my computer just got overrun by spy/adware programs. Tons of popups, CPU usage 100% all the time, etc. I am thinking one of those "would you like to download our IE toolbar" popped up as I was typing and I must've hit yes.

    Anyway, some of the problem seems to be gone. I am not getting popups anymore. But my CPU usage is still 100% and the system seems to be unstable, because something is hogging up all the memory. I've done Trojan Hunter scans, Ad-Aware scans, Spybot scans, etc. etc., and I've actually gone and deleted some of the files that the scans said were causing problems. The odd thing is, I downloaded a trial of Webroot Spy Sweeper. It scans, but after it scans the registry my computer restarts. This has happened 3 times.

    Arg! I'm at a standstill. I don't know what to do anymore. Any help? I've had and (I think) gotten rid of abetterinternet, aurora, and icannews adware programs. But I'm still affected somehow.

    Also, in the WINDOWS folder, there were some .exe's with icons that looked like a bug with a red circle with a line over it (like you'd see on a no smoking sign). They had strange names, such as "sdjksd.exe", so I deleted them as well.

    ANY help would be GREATLY appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What process or processes are using all of the CPU time?

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. SpinalTap

    SpinalTap Private E-2

    I completed all the steps, ran the various scans. I even did a Webroot Spy Sweeper while in safe mode, which removed icannews, delfin, adlogix, and abetterinternet among others. The computer is better, but I am still getting a few popups, namely for registry cleaners, Internet Explorer takes very long to start up, but my CPU usage is down to about 70%. And at random times, I will get a message saying "Internet Explorer has encountered a problem and needs to close" and I click close, but it doesn't close the internet. Sometimes, I am not even using IE at the time. Attached is my HJT log.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat my question:
    You have no visible malware problems shown in your HJT log. Your problems may be more of an issue for the Software Forum. You could have a corrupt installation or other driver problems.
     
  5. SpinalTap

    SpinalTap Private E-2

    Ah, sorry about that. The processes that use up the most memory are IE and svchost. I don't know what the problem could be, but thanks. I'll try the software board.

    Just out of curiosity, do you have any idea what the "wksadmoe" program is? I couldn't find any information on it.

    Thank you for your help, chaslang.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You know something. I did not even notice that process up early in the process list. I think I just looked right past it thinking it was part of Webroot SpySweeper (which I do not believe it is).

    C:\WINDOWS\System32\wksadmoe.exe

    Also nothing seems to be apparently loading it. No I do not know what it is.

    I would like to get some more info on the wksadmoe.exe file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    Also do the below:

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a Notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  7. SpinalTap

    SpinalTap Private E-2

    There was no "version" tab for wksadmoe.exe.

    Attached is the startuplist log as requested.

    Also, if it helps, when I close an IE window, the heading and website becomes "about:blank" and then closes, but my homepage has not been changed. I did one of the removal tools for the about:blank virus just in case, and nothing came up.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not an about:blank hijacker and you show no signs whatsoever of having one.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\System32\wksadmoe.exe

    After killing all the above processes, exit HijackThis.

    Now open Windows Explorer and locate the C:\WINDOWS\System32\wksadmoe.exe file and rename it to wksadmoe.xxx

    This will prevent it from being able to run. I'm not sure where it is loading though.

    Now reboot your PC and note two things:
    - do you get any error messages on next boot about anything not being able to load or run
    - look in the process list of HJT and make sure that the C:\WINDOWS\System32\wksadmoe.exe process is not shown as running.
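The manual checks chaslang asks for in posts 6 and 8 (the Properties > Version tab, "where is it loading from", and "is it still running") can be done from a script. This is an added example, not from the thread; it assumes a modern Windows host with PowerShell and uses the file path named above only as a default.

```powershell
# Added example (not from the thread): inspect a suspect file's version info,
# then search common autostart locations for anything that references it.
# Assumption: the default path is the file named in the thread; change as needed.
param(
    [string]$Path = 'C:\WINDOWS\System32\wksadmoe.exe'
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$name = [regex]::Escape($file.Name)

# Same data as the Properties > Version tab. A file in System32 with no
# CompanyName/ProductName and no valid signature deserves a closer look.
$vi = $file.VersionInfo
[pscustomobject]@{
    File        = $file.FullName
    SizeBytes   = $file.Length
    Created     = $file.CreationTime
    CompanyName = $vi.CompanyName
    ProductName = $vi.ProductName
    FileVersion = $vi.FileVersion
    Signature   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
} | Format-List

# Run/RunOnce keys: the usual places a startup entry points back to a file.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match $name } |
        ForEach-Object { "Run key: $key\$($_.Name) = $($_.Value)" }
}

# Services and scheduled tasks whose command line references the file.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $name } |
    ForEach-Object { "Service: $($_.Name) -> $($_.PathName)" }

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -match $name } |
        ForEach-Object { "Task: $($task.TaskName) -> $($_.Execute)" }
}

# Is it running right now? (the HJT process-list check from post 8)
Get-Process | Where-Object { $_.Path -eq $file.FullName } |
    ForEach-Object { "Running: PID $($_.Id)" }
```

No hits in any of these locations is consistent with what the thread found; it means the loader is somewhere else (a BHO, a Winlogon notify entry, an AppInit DLL), which is what the later L2MFix and KillBox steps go after.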
     
  9. SpinalTap

    SpinalTap Private E-2

    It is not running, and I got no errors.

    Webroot Spy Sweeper alerted me that "winsync" will start when windows starts, the file being klgkss.exe. Should I remove this or leave it as it is?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is a baddie that you do not want. You must have some hidden stuff on your PC.

    Follow the steps below.

    - First run CCleaner before doing the below.


    - Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. And tell me if you are still having any problems. This log could get quite large and you may need to compress it into a ZIP file to upload it.
     
  11. SpinalTap

    SpinalTap Private E-2

    This removed a few problems. I still get the Internet Explorer message but my CPU usage seems to be down. Internet Explorer still takes a little long to start up. I'll post my log. Just to let you know, I don't think it picked up "wksadmoe.exe".

    In my running processes, I also have a file I have never heard of... "tapcxl40.exe", if I remember correctly. Sometimes it appears there, sometimes it does not. But I know it exists on my computer.

    But it is definitely better now, my memory is not being drained anymore. Hopefully the problem is close to solved. It's just the slow startup of internet explorer and random error messages that worry me. Thank you so much for your help and patience with me, chaslang.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that fixed some of what I thought would be there (that is: Qoologic). Now let's do a couple other things to make sure nothing else is hiding:

    Please download the following tool and save it where you will be able to find it.

    L2MeFix Tool

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Now reconnect and come back here and post as an attachment the l2mfix log. Based on the log, we will determine the next steps.

    Also do the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder. Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments. This will require two messages.
     
  13. SpinalTap

    SpinalTap Private E-2

    Here is the Qoologic log and the Rktool log.
     

    Attached Files:

  14. SpinalTap

    SpinalTap Private E-2

    And here is the L2mfix log.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we have some more to do.

    DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

    Please don't run any other files in the L2MFix folder.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the steps in my previous message, continue with the below:

    - Download Pocket KillBox

    Extract Killbox to its own folder - somewhere that you will be able to locate it later. Do not run it yet.

    Reboot in Safe Mode (do not open any other processes)


    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

    C:\WINDOWS\System32\DSJDFFS.DLL
    C:\WINDOWS\System32\DATADX.DLL

    C:\WINDOWS\System32\CONRES.CPL

    When it reboots, please boot back to safe mode again.

    Once in safe mode run KILLBOX again and run those files through Killbox once more to be sure nothing survived. But this time place a tick by any of these selections if available:

    "Standard File Kill"
    "End Explorer Shell while Killing File"
    "Unregister .dll before Deleting"



    Sometimes these files can be stubborn to remove, so I just want to run through this twice.

    After reboot this time, boot to normal mode and let me know how things are working. Also attach a new HJT log.
     
  17. SpinalTap

    SpinalTap Private E-2

    I'm going to do Killbox now. In the meantime, here's the log you wanted for l2mfix.
     

    Attached Files:

  18. SpinalTap

    SpinalTap Private E-2

    Well, it deleted those files. CPU usage is down, but I'm still getting that error message. Weird. IE is still a little slow loading. Everything else is cool.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your error message is more than likely not a malware related problem. It may have been caused initially by malware. What I'm suspecting is a possible corruption in your installation somewhere.

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK. Enter the below command followed by the Enter key and describe what happens.

    sfc /scannow
     
    Last edited: Aug 26, 2005
  20. SpinalTap

    SpinalTap Private E-2

    It keeps saying I need to move files to the DLL cache and to insert the XP CD, but I don't have it on hand. Is there anything else I can do?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Find your CD! As I suspected, this is not a malware problem. Sounds like you are missing some required system files.

    What exactly is stated in the messages (word for word)? But note that I am probably going to be suggesting that you continue this in the Software Forum.
     
  22. SpinalTap

    SpinalTap Private E-2

    Well, I think all is well with the computer. Everything seems to be fine. I can deal with the error message, it only comes up once or twice.

    Thank you so much for all your help, chaslang.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's your choice but getting error messages is normally a sign of missing files. You could find in the long run that you run into other issues due to it.
     
