HIJACK This log file: experiencing Morwill

Discussion in 'Malware Help (A Specialist Will Reply)' started by marydavek, Jan 4, 2006.

  1. marydavek

    marydavek Private E-2

    We are new to this forum and followed the downloading instructions for HijackThis. Here is our log. We are having problems with Morwill when doing searches. We appreciate all assistance. Thanks!

    Mary and Dave
     


    Last edited by a moderator: Jan 4, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs. You have a Wareout infection and a bunch of other problems, but you need to complete the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support before posting HJT logs. And when you do post any logs, they must be attachments. There are two other logs that must be posted when you complete step 6 of the READ & RUN ME. At that point we will be able to address all your problems including Wareout.

    Also go to Add/Remove programs and uninstall the below:
    UnSpyPC
    Spyware Cleaner


    Make sure when you finish doing ALL of the READ & RUN ME that you attach 3 logs:
    - BitDefender
    - PandaActiveScan
    - a new HJT log from normal boot mode that is run after all of the READ ME is completed.
     
  3. marydavek

    marydavek Private E-2

    Thank you. We have completed all steps in Read and Run Me First and are attaching the logs from BitDefender and Panda ActiveScan. We look forward to your help.

    Mary and Dave
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for the below and uninstall if found:
    Spyware Cleaner
    Superspider
    UnSpyPC
    WeatherBug

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R3 - URLSearchHook: (no name) - {9274979A-23F9-4D43-07EF-DAFAACEB7474} - backd.dll (file missing)
    O2 - BHO: (no name) - {f0720279-5bc3-4ed3-bf04-65733e2504e8} - C:\WINDOWS\system32\hhplxiyd.dll
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4637010D-EDB3-4D0F-B69B-968B9387529B}: NameServer = 85.255.115.94,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{80F0F2EF-7D55-4817-89AD-56073A4C1A34}: NameServer = 85.255.115.94,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2113E1C-3D6C-4A06-AF2D-04A2EFEC2C6E}: NameServer = 85.255.115.94,85.255.112.66
    O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll (file missing)

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:

    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\Program Files\Spyware Cleaner <--- delete the whole folder if found
    C:\Program Files\AWS <--- delete the whole folder if found
    C:\WINDOWS\SYSTEM32\idesk.conf
    C:\WINDOWS\rdt.ini
    C:\WINDOWS\system32\dmfhw.exe
    C:\WINDOWS\system32\backd.dll
    C:\WINDOWS\system32\hhplxiyd.dll
    C:\WINDOWS\system32\awvtt.dll
    C:\WINDOWS\system32\ttvwa.ini
    C:\WINDOWS\system32\ttvwa.ini2
    C:\WINDOWS\system32\ttvwa.dat
    C:\WINDOWS\system32\ttvwa.tmp


    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log. Make sure you tell me how things are working now.
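
As an added example (not part of the original thread and not a MajorGeeks or HijackThis tool): a short Python triage of the HijackThis lines quoted in the post above, flagging O17 NameServer values outside a trusted set and entries marked (file missing). The trusted resolver 192.168.1.1 and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# HijackThis entries copied from the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {9274979A-23F9-4D43-07EF-DAFAACEB7474} - backd.dll (file missing)
O2 - BHO: (no name) - {f0720279-5bc3-4ed3-bf04-65733e2504e8} - C:\WINDOWS\system32\hhplxiyd.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4637010D-EDB3-4D0F-B69B-968B9387529B}: NameServer = 85.255.115.94,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F0F2EF-7D55-4817-89AD-56073A4C1A34}: NameServer = 85.255.115.94,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2113E1C-3D6C-4A06-AF2D-04A2EFEC2C6E}: NameServer = 85.255.115.94,85.255.112.66
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
O17_DNS = re.compile(r"\{([0-9A-Fa-f-]{36})\}: NameServer = (.+)$")

def parse_entries(text):
    """Return (section_code, body) for every HijackThis entry line."""
    hits = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]

def review(text, trusted_dns):
    """Flag O17 resolvers outside trusted_dns and entries whose target file is gone."""
    untrusted, interfaces, orphaned = set(), set(), []
    for code, body in parse_entries(text):
        if body.endswith("(file missing)"):
            orphaned.append(code)  # registry entry left behind after the file was removed
        m = O17_DNS.search(body) if code == "O17" else None
        if not m:
            continue
        for raw in re.split(r"[,\s]+", m.group(2).strip()):
            try:
                ip = str(ipaddress.ip_address(raw))
            except ValueError:
                continue  # skip tokens that are not IP addresses
            if ip not in trusted_dns:
                untrusted.add(ip)
                interfaces.add(m.group(1).upper())  # interface GUID carrying the override
    return {"untrusted_dns": sorted(untrusted),
            "interfaces": len(interfaces),
            "orphaned": orphaned}

if __name__ == "__main__":
    # 192.168.1.1 is a constructed stand-in for the resolver the user expects.
    print(review(SAMPLE_LOG, trusted_dns={"192.168.1.1"}))
```

The same resolver pair pinned on every interface GUID is the pattern to look for; a DHCP-assigned resolver would not normally appear as a static NameServer value on each adapter.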
     
  5. marydavek

    marydavek Private E-2

    We performed the steps outlined in your last notes and it seems the problem is fixed. Thank you so very much.

    Attached are the latest log files you requested.

    Mary and Dave
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. But please attach the follow up HJT log I requested too so we can make sure the log is clean.
     
  7. marydavek

    marydavek Private E-2

    Thanks again. Here is the HiJack log.


    Fixwareout ver 1.003
    Last edited 12/5/2005
    Post this report in the forums please

    Reg Entries that were deleted

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM32\IPSEC6.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's not a HijackThis log. That is the report from FixWareout already posted. And please don't post any logs inline.

    Please ATTACH a new HijackThis log.

    By the way, did you notice that your PC is not on the correct date? You show 12/5/2005.
     
  9. marydavek

    marydavek Private E-2

    Attached is the HiJack This log for your examination.

    Mary and Dave
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just fix the below line using HJT:

    O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll (file missing)

    Make sure it stays gone after a reboot. Let me know. Other than that, your log is clean. How are things working?
     
