Cleaning another computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by Draklaa, May 12, 2006.

  1. Draklaa

    Draklaa Private E-2

    I am cleaning another computer and would like some help / info. I have run everything listed in the Read and Run me First thread. Attached are the logs.
    Thanks in advance!
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This PC has a bunch of problems but first a couple comments/observations!

    This PC is being run without any of the below:
    - antivirus
    - antispyware (it now has Windows Defender but I assume that was just added)
    - no real firewall

    That is a very bad idea!

    Now onto the fixes!

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    You also have a Wareout infection along with several other malware components!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
    O4 - HKLM\..\Run: [trycrt] sysconf16.exe
    O4 - HKLM\..\Run: [msag] ssweeper.exe
    O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [dmgco.exe] C:\WINDOWS\system32\dmgco.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://bb.coe.ksu.edu:8011/webapps/collabserver/client-lib/6.0.11.74/j2re-1_4_1-win.exe
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp.coupons.com/v3123/cpbrkpie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4EE62D69-980A-4B34-A822-8074B822E185}: NameServer = 85.255.115.83,85.255.112.206
    O17 - HKLM\System\CCS\Services\Tcpip\..\{944728BD-7A8E-48D3-B7E8-175EAEAEA3F1}: NameServer = 85.255.115.83,85.255.112.206
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24ECC50-EB50-4B9A-8B6E-916ECCEDBDE0}: NameServer = 85.255.115.83,85.255.112.206
    O17 - HKLM\System\CS1\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\documents and settings\all users\favorites\Download Free Spyware Remover.url
    C:\Program Files\Rewards Network\brntray.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINDOWS\system32\dmgco.exe
    C:\WINDOWS\system32\msawindows.exe
    C:\WINDOWS\system32\soundcontrl.exe
    C:\WINDOWS\system32\sysconf16.exe
    C:\WINDOWS\system32\ssweeper.exe
    c:\windows\rdt.ini
    c:\windows\STWSI

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt windows.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s f3initialsetup1.0.0.6.inf
    del f3initialsetup1.0.0.6.inf
    exit

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
     
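The post above hands the user a list of HijackThis O4 and O17 lines to tick, but it is worth seeing how a helper would pick those lines out of a log mechanically. The following is an added example, not code from the original post, from MajorGeeks or from HijackThis itself. It feeds the O4/O17 lines quoted above (copied verbatim as constructed sample input) through two checks: O17 NameServer entries pointing outside the LAN, and O4 Run/RunServices values that are a bare executable name with no directory. The "trusted" resolver ranges (RFC 1918 space) are an assumption for the example; on a real machine you would substitute the router or ISP resolvers the owner actually configured.

```python
import re
import ipaddress

# Constructed sample input: the O4 and O17 lines quoted in the post above,
# copied verbatim. It is not a complete HijackThis log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EE62D69-980A-4B34-A822-8074B822E185}: NameServer = 85.255.115.83,85.255.112.206
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")

# Assumption for this example: the household's resolvers are handed out by the
# LAN router, so a NameServer outside RFC 1918 space was not set by the owner.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(value):
    # HijackThis prints the REG_SZ verbatim. Windows accepts either ',' or ' '
    # as the separator, and the post shows both forms for the same two addresses.
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def find_dns_hijack(log_text, trusted=TRUSTED_NETS):
    """Return [(interface GUID, [suspicious servers])] for each O17 line whose
    NameServer list contains an address outside the trusted networks."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid = GUID_RE.search(m["key"])
        bad = []
        for s in parse_nameservers(m["servers"]):
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)  # not even an IP literal: flag it
                continue
            if not any(ip in net for net in trusted):
                bad.append(s)
        if bad:
            findings.append((guid.group(1) if guid else m["key"], bad))
    return findings


def find_bare_run_entries(log_text):
    """Heuristic: O4 Run/RunServices values that are just an executable name.
    Windows resolves these through the search path, which is how the entries
    in the post (msawindows.exe, soundcontrl.exe, ...) sit in system32 without
    a path in the registry. Legitimate software occasionally does this too, so
    every hit still needs a human look."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip().strip('"')
        exe = cmd.split(" ")[0] if cmd else ""
        if exe and "\\" not in exe and "/" not in exe and ":" not in exe:
            hits.append((m["name"], exe))
    return hits


if __name__ == "__main__":
    for guid, servers in find_dns_hijack(SAMPLE_HJT_LOG):
        print("O17 interface %s uses untrusted DNS: %s" % (guid, ", ".join(servers)))
    for name, exe in find_bare_run_entries(SAMPLE_HJT_LOG):
        print("O4 [%s] runs bare executable %s (check %%SystemRoot%%\\system32)" % (name, exe))
```

Run against a full HijackThis log the same two functions report every interface GUID whose resolvers were rewritten, which is why the post lists five O17 lines for one pair of addresses: each adapter and the ControlSet001 copy carry their own NameServer value and each one has to be fixed.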
  3. Draklaa

    Draklaa Private E-2

    I will continue with all of the steps, but I wanted to mention that when I try to do the fixme.reg, I get an error that states:

    Cannot import C:\documents and settings\mary ford\desktop\fixme.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.
     
  4. Draklaa

    Draklaa Private E-2

    Ok, everything else ran without a problem. As for the antivirus, antispy, and firewall, I plan on installing AVG when we are all clean, and Windows Firewall is showing as on. More?

    The fixwareout and HJT logs are attached. Thanks again!
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you did not save it exactly as instructed. It must be saved to a file that ends with a .reg extension. You must be sure that it is not saving as fixme.reg.txt

    This is why showing hidden files and extensions is important. Without enabling viewing of extensions for known file types, the fixme.reg.txt file would show as fixme.reg

    If the file extension is not the problem then you just did not save it properly. You must make sure that REGEDIT4 is the first line of the file. If you have a blank line above it, it will not work. There should only be two lines in the file.
     
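The "not a registry script" error in the reply above comes down to three things regedit checks before it will merge a file: the extension really is .reg (Notepad will quietly add .txt), the first line is exactly the header, and nothing, not even a blank line, sits above that header. The checker below is an added example, not code from the original post or from MajorGeeks, that reproduces those checks offline so you can see why a given fixme.reg is rejected before double-clicking it. It knows both header forms (REGEDIT4 for ANSI files and Windows Registry Editor Version 5.00 for UTF-16 files); the hive names and the treatment of a UTF-8 byte-order mark as an error are this example's assumptions about what regedit will tolerate. The body of the original fixme.reg was not reproduced in the thread, so the sample content in the test is constructed.

```python
import os

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")


def check_reg_bytes(filename, data):
    """Return a list of reasons regedit would refuse to merge this file.
    An empty list means the file name, header and layout look mergeable."""
    problems = []
    low = filename.lower()
    if low.endswith(".reg.txt"):
        problems.append("Notepad appended .txt: the file is %s, not a .reg file" % filename)
    elif not low.endswith(".reg"):
        problems.append("extension is not .reg")

    # Version 5.00 files are UTF-16LE with a BOM; REGEDIT4 files are plain ANSI.
    if data.startswith(b"\xff\xfe"):
        text = data.decode("utf-16")
    elif data.startswith(b"\xef\xbb\xbf"):
        # Assumption of this example: a UTF-8 BOM in front of REGEDIT4 is
        # rejected, so report it and check the rest of the file past the BOM.
        problems.append("UTF-8 BOM before the header; save as ANSI")
        text = data[3:].decode("utf-8", "replace")
    else:
        text = data.decode("latin-1")

    lines = text.splitlines()
    if not lines:
        problems.append("file is empty")
        return problems

    first = lines[0]
    if first in HEADERS:
        pass
    elif first.strip() in HEADERS:
        problems.append("header has leading or trailing whitespace")
    else:
        later = [i for i, l in enumerate(lines) if l.strip() in HEADERS]
        if later:
            problems.append("blank or extra line(s) above the header: %s must be line 1"
                            % lines[later[0]].strip())
        else:
            problems.append("first line is %r, expected one of %s" % (first, " / ".join(HEADERS)))

    # Everything after the header must be a [key] line, a name=value line,
    # a ; comment or blank. A [-key] line deletes the key, which is what a
    # cleanup .reg usually does.
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1].lstrip("-")
            if not key.startswith(HIVES):
                problems.append("line %d: key %r does not start with a known hive" % (n, key))
        elif "=" not in s:
            problems.append("line %d: not a key or name=value line: %r" % (n, s))
    return problems


def check_reg_file(path):
    """Same checks on a file on disk, using the real on-disk name so a
    hidden .txt extension is caught even if Explorer shows fixme.reg."""
    with open(path, "rb") as fh:
        return check_reg_bytes(os.path.basename(path), fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        issues = check_reg_file(p)
        print(p, "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Passing the file's real name matters: `dir /x` or a command prompt shows the true extension even when Explorer hides it, so run the checker from a prompt rather than trusting the name shown on the desktop.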
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have the Wareout infection but the other problems are gone. We are going to repeat the steps (slightly modified to fit your current problems).

    O17 - HKLM\System\CCS\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206
    O17 - HKLM\System\CS1\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. (If it does not launch, run it yourself). Please click Scan, and check the following items if they still exist:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206
    O17 - HKLM\System\CS1\Services\Tcpip\..\{332F8E86-626A-43F8-B273-D2A550DAA0A5}: NameServer = 85.255.115.83 85.255.112.206

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\WINDOWS\SYSTEM32\CSVTP.EXE
    C:\WINDOWS\SYSTEM32\DMGCO.EXE
    C:\WINDOWS\SYSTEM32\DMIXI.EXE

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
     
  7. Draklaa

    Draklaa Private E-2

    Didn't want this to lag out. I will be working on this still...will post new logs when I can get back to that computer. Thank you again!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you wait too long to do the fixes and the PC is getting used, you stand the chance of spreading and mutating the infection and the fix will not work.
     
  9. Draklaa

    Draklaa Private E-2

    Sorry, back to work on this now and have the weekend to spend on it. Thanks!

    Logs attached.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean now but we have a couple files to delete.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM32\CSVTP.EXE
    C:\WINDOWS\SYSTEM32\DMIXI.EXE

    Reboot in normal mode and tell me how things are working now.
     
  11. Draklaa

    Draklaa Private E-2

    Both of those were gone when I checked Explorer in safe mode and everything seems to be running well now.

    Now clear system restore and install antivirus?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  13. Draklaa

    Draklaa Private E-2

    Great! Thanks again for all of the help...it is greatly appreciated!!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
