Browser Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by Busteroo, Mar 17, 2006.

  1. Busteroo

    Busteroo Private E-2

    I have done all the steps required and removed numerous dialers and trojans. One problem still persists: the browser hijack. Whenever I try to go to specific webpages (Symantec, PcCillin) I'm being redirected to porn webpages or a Google search for sex-related topics. I will attach the 3 logs required; maybe that will shed some light on this matter. I tried to manually scan the registry to no avail. Thanks in advance for your time.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions in step 7 of the READ ME and get the proper version of HijackThis installed. Then continue with the below.

    You have a Wareout infection!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{374C6A90-D4A7-49F5-9847-168B5D4D6EAE}: NameServer = 85.255.113.133 85.255.112.17


    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
     
  3. Busteroo

    Busteroo Private E-2

    Here are the logs from HijackThis and FixWareout.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All clean! So how are things working now?
     
  5. Busteroo

    Busteroo Private E-2

    O17 - HKLM\System\CCS\Services\Tcpip\..\{374C6A90-D4A7-49F5-9847-168B5D4D6EAE}: NameServer = 85.255.113.133 85.255.112.17


    Can't get rid of this entry :( I'm still getting the hijacks. Not sure what to do next.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand what you mean. Look at your last HijackThis log you attached. It was not there.

    Attach a new one. Did you follow the steps for running FixWareOut exactly as written? Run it again and attach a new log too.
     
  7. Busteroo

    Busteroo Private E-2

    Yeah, I don't understand this either. When I restarted after doing the steps you told me to do, it wasn't there. Yet when I went online browsing it was back and hijacking my browsers. Here is another HijackThis log.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check your firewall settings and make sure incoming and outgoing traffic (from/to) those IP addresses is blocked. The actual IP range for this bad site and who it belongs to is below:
    You should try to set up your firewall to block that whole range of IP addresses!

    After doing that, continue with below!

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Click Start, Run, and enter ipconfig /flushdns and click OK! This will flush your DNS cache (a command prompt window will just open and quickly close).

    Locate the below files with Windows Explorer and delete them:
    C:\WINDOWS\SYSTEM32\wp.bmp
    C:\WINDOWS\system32\LogFiles\DA7021900.so
    C:\eied_s7.cab
    C:\info6_s.cab
    C:\TEMP\FLEOK <--- the whole folder
    C:\Emailstuff\backup-20040913-082042-180.inf

    If any of these do not delete, try at some point later after a boot into safe mode.

    Then run FixWareOut again and attach the new log. Reboot a couple of times afterwards to make sure, then attach a new HJT log and let's see where things stand.

    If still having problems at this point, run the below and attach the Ewido log.

    Running Ewido Anti-Malware

    Also please run the steps in the below link and attach the runkeys.txt log.

    Using GetRunKey
     
    Last edited: Mar 18, 2006
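The O17 line that keeps coming back in this thread is HijackThis's rendering of the per-interface DNS setting in the registry (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer; HijackThis abbreviates CurrentControlSet as CCS), and the hosts-file restore in post 8 covers the other place a redirect to "Symantec" or "PcCillin" can be planted. The script below is an added example, not something posted in the thread or shipped with FixWareout, HijackThis or Hoster. It parses O17 lines out of HijackThis log text, flags any NameServer that is not in a trusted list, checks a hosts file for vendor domains pointed somewhere other than loopback, and collapses the rogue addresses into /24 blocks as a starting point for the firewall deny list chaslang recommends. The sample log lines and hosts file are constructed for the example (only the first O17 line is the one quoted above); the trusted resolver (192.168.1.1), the watched domains and the /24 prefix are assumptions, not the range chaslang had in mind.

```python
import ipaddress
import re

# Constructed sample input: the O17 line quoted in the thread, a benign O17 line and a
# non-O17 line (the latter two are made up for this example).
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{374C6A90-D4A7-49F5-9847-168B5D4D6EAE}: NameServer = 85.255.113.133 85.255.112.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample hosts file: a clean default plus two entries that send Symantec's
# sites to the same address the rogue NameServer used.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
85.255.113.133  www.symantec.com   # added by hijacker
85.255.113.133  securityresponse.symantec.com
0.0.0.0         ads.example.invalid
"""

# Assumption: the only resolver this machine should use is its LAN router.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.168.1.1/32")]

# Assumption: vendor domains the poster could not reach. Any hosts entry for them that
# is not loopback/unspecified is treated as a redirect.
WATCHED_DOMAINS = ("symantec.com", "trendmicro.com")

O17_RE = re.compile(
    r"^O17 - .*\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return [(interface GUID, [nameserver strings])] for every O17 line."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
            found.append((m.group("guid"), servers))
    return found


def rogue_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """(GUID, server) pairs whose server is not inside any trusted network."""
    rogue = []
    for guid, servers in parse_o17(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                rogue.append((guid, s))  # not even an address: flag it
                continue
            if not any(ip in net for net in trusted):
                rogue.append((guid, s))
    return rogue


def parse_hosts(hosts_text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blank lines."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name


def hijacked_hosts_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Hosts entries that point a watched domain anywhere but loopback/unspecified."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        host = name.lower()
        if not any(host == d or host.endswith("." + d) for d in watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name))
    return hits


def block_ranges(ips, prefix=24):
    """Collapse rogue addresses to /prefix networks for a firewall deny list.
    Assumption: /24 is only a starting point, not the real allocation; confirm with WHOIS."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    rogue = rogue_nameservers(SAMPLE_HJT_LOG)
    for guid, server in rogue:
        print(f"rogue NameServer on interface {{{guid}}}: {server}")
    for ip, name in hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts redirect: {name} -> {ip}")
    print("firewall deny:", ", ".join(block_ranges(s for _, s in rogue)))
```

Run it against a freshly saved HijackThis log and a copy of C:\WINDOWS\system32\drivers\etc\hosts. Because the O17 entry in this thread disappeared after a reboot and came back after browsing, the check is worth repeating both right after the reboot and again after the browser has been used, not just once.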
