Have spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by broker, Jan 24, 2006.

  1. broker

    broker Private E-2

    Hello, I am new here though I have lurked around for a bit. Nice site I must say! A lot of useful information here.

    I believe my computer has a lot of spyware/adware/malware on it so I decided to ask for your help. I keep getting popups. Also one of the programs below caught and removed the swizzor virus.

    I followed your instructions and ran Ccleaner then Microsoft Malicious Software Removal Tool then ran Ad-Aware SE, then ran Spybot Seek and Destroy, then Microsoft Anti-Spyware. I then ran Bit Defender and lastly Panda Active Scan. Also I have run CW Shredder.
    All of these scans were done in Safe Mode and all programs were up to date.
    The following 3 .txt logs are from Bit Defender, Panda Active Scan and lastly Hijack This.
    Any help would be appreciated regarding cleaning my computer up.
    Thanks in advance!!!

    Broker
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post your HJT log from normal boot mode.

    You have a Wareout infection along with some other problems.

    Also note that your BitDefender log is not a complete log. It does not show what was infected.
     
  3. broker

    broker Private E-2

    OK here is the new Hijack This Log
     


  4. broker

    broker Private E-2

    So do I rerun Bit Defender in Safe mode? How do I properly post those results then?

    Thanks!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Didn't you save the log per the directions indicated the first time? If you did, it would not look like what you posted?

    Don't worry about it now if you do not have it. Let me look at your HJT log and we'll work up a fix for your problems. Give me 10 to 15 minutes.

    In the meantime, please install HJT per step 7 of the READ ME.
    You have it here: C:\Documents and Settings\Ben\Desktop\HijackThis.exe
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below is? It looks like malware to me:

    O4 - HKCU\..\Run: [Trayblah] C:\DOCUME~1\Ben\APPLIC~1\procroam\cityplusexit.exe

    And what about this one:

    O4 - HKLM\..\Run: [MCCInstall] E:\Intro\AA\MCCInstall\English\MCCInstall.exe -Step=11
     
  7. broker

    broker Private E-2

    I don't know what those are either.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {F94DCEB1-FEBE-D4A2-BC3F-531A3C934B96} - C:\DOCUME~1\Ben\APPLIC~1\FastWma\Gpl Bits.exe
    O4 - HKLM\..\Run: [MCCInstall] E:\Intro\AA\MCCInstall\English\MCCInstall.exe -Step=11
    O4 - HKLM\..\Run: [cool chic window knob] C:\Documents and Settings\All Users\Application Data\Mapi Soft Cool Chic\SECT STOP.exe
    O4 - HKCU\..\Run: [Trayblah] C:\DOCUME~1\Ben\APPLIC~1\procroam\cityplusexit.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD932DA-2451-41F4-85A6-D849A46E48A6}: NameServer = 85.255.113.114,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\..\{183C1891-048C-4DBE-B866-062634BFD3CB}: NameServer = 85.255.113.114,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1FDBBF86-7030-43BF-AD52-DDE983739897}: NameServer = 85.255.113.114,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A079EBC-656A-4A0C-BBD7-8AB93335A428}: NameServer = 85.255.113.114,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DB01F85-9D88-4EA1-A395-4AB423B55781}: NameServer = 85.255.113.114,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE1A87D2-0C96-48BF-9747-E196A68AA3A2}: NameServer = 85.255.113.114,85.255.112.60
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FD932DA-2451-41F4-85A6-D849A46E48A6}: NameServer = 85.255.113.114,85.255.112.60


    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\Documents and Settings\Ben\Application Data\FastWma <--- the whole folder
    C:\Documents and Settings\All Users\Application Data\Mapi Soft Cool Chic <--- the whole folder
    C:\Documents and Settings\Ben\APPLIC~1\procroam <--- the whole folder
    C:\Documents and Settings\Ben\Local Settings\Temp <--- delete ALL files in this temp folder but leave the folder

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log.
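
As an added example (not part of the original thread, and not code from HijackThis or FixWareout), the by-eye triage of the O4 and O17 lines in the post above can be sketched in Python: it flags NameServer values that are neither private nor on an analyst-supplied allowlist, and autoruns launched from user-writable profile folders. The names `review` and `trusted_dns`, the path heuristic and the last sample line are assumptions made for this illustration.

```python
import ipaddress
import re

# O4/O17 lines quoted from the post above; the final line is constructed
# here to show a resolver that passes the check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MCCInstall] E:\Intro\AA\MCCInstall\English\MCCInstall.exe -Step=11
O4 - HKCU\..\Run: [Trayblah] C:\DOCUME~1\Ben\APPLIC~1\procroam\cityplusexit.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD932DA-2451-41F4-85A6-D849A46E48A6}: NameServer = 85.255.113.114,85.255.112.60
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN = re.compile(r"HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)")
# Assumed heuristic: autoruns normally live under Program Files or Windows,
# not in per-user data or temp folders.
USER_WRITABLE = re.compile(r"\\(application data|applic~1|temp)\\", re.I)


def review(log_text, trusted_dns=()):
    """Return (section, item, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O17" and "NameServer =" in body:
            for token in re.split(r"[,\s]+", body.split("NameServer =", 1)[1].strip()):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    findings.append(("O17", token, "unparseable resolver value"))
                    continue
                # Private addresses are usually the local router or DHCP server.
                if not ip.is_private and str(ip) not in trusted_dns:
                    findings.append(("O17", str(ip), "public resolver not on allowlist"))
        elif code == "O4":
            run = RUN.match(body)
            if run and USER_WRITABLE.search(run.group("cmd")):
                findings.append(("O4", run.group("name"), "autorun from user-writable path"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The path heuristic does not flag the MCCInstall entry that was also questioned in the thread; it narrows the list for review rather than replacing the analyst's judgment.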
     
  9. broker

    broker Private E-2

    OK, I believe I have done what you had asked. Attached is the report.txt after it was run and fixed up. Next is the latest Hijack this .txt file

    Thanks again!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never installed HijackThis properly!!!! Too late now. Your log is clean. How are things working?
     
  11. broker

    broker Private E-2

    Everything seems to be just fine now. No pop-ups or anything out of the ordinary. Don't know how I installed Hijack This the wrong way.

    Thank you very much for the help you have provided.

    Regards,

    Broker
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Since you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
