Ewido

Download, install and run BlackLight by F-Secure. Post the log once finished.

 

That is not the full path to the files. Always post complete info. Are they all in C:\windows\system32 Some of these are definitely WareOut related.

 

Is this the same PC as you were working on in the below threads?

http://forums.majorgeeks.com/showthread.php?t=81239

and here:

http://forums.majorgeeks.com/showthread.php?t=80083

 

I don't think so. Look again. This wbemtest.exe is probably the one in C:\windows\system32\WBEM

 

I assume you have HijackThis on your PC but do not post a log. Before we look at HJT logs the READ & RUN ME must be followed.

Don't worry about it right now. I want to run something.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

• Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
• Click Next, then Install.
• Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
• The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.
• When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please just close HJT.
• Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

 

And just as a double check, continue here.

Please download Pocket KillBox by Option^Explicit

Extract the files from it to its own folder someplace you can find it to run.

Run KillBox.exe. Then on killbox top bar press tools and then "Delete Temp Files" then "OK".

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\csius.exe
C:\WINDOWS\SYSTEM32\dmktu.exe
C:\WINDOWS\SYSTEM32\encodex.exe
C:\WINDOWS\SYSTEM32\favset.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If you get a Pending Operations message just reboot yourself.

If your computer does not restart automatically, please restart it manually.

Let me know how these steps go. Rerun Blacklight and see if it finds anything. Note that wbemtest.exe is okay.

 

Okay as a double check, make sure you have viewing of hidden and system files enable and use Windows Explorer to make sure the below do not exist:
C:\WINDOWS\SYSTEM32\CSIUS.EXE
C:\WINDOWS\SYSTEM32\ENCODEX.EXE
C:\WINDOWS\SYSTEM32\DMKTU.EXE

How are things working now? Is Ewido still reporting problems?

If all clean, and you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Delete the below files:

C:\WINDOWS\SYSTEM32\paytime.exe
C:\WINDOWS\country.exe
C:\WINDOWS\tool2.exe

Then you should make sure you have finished working thru the How to protect thread.

 

You're welcome. Surf safely.