Pipas.a

Discussion in 'Malware Help (A Specialist Will Reply)' started by oberst_88, Jun 1, 2006.

  1. oberst_88

    oberst_88 Private E-2

    Hi folks,

    I have some problems getting rid of Pipas.a, I followed all steps on your forum. Please find enclosed my HJT files and log of ewido.

    Cheers,

    Oberst_88
     


  2. oberst_88

    oberst_88 Private E-2

    Hi again!


    Forgot to mention, only Spybot has found the pipas.a.
    I am new in this forum, my apologies.

    Cheers,

    oberst_88
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  4. oberst_88

    oberst_88 Private E-2

    Hi Chaslang,

    Thanks for the warm welcome.

    If I follow all steps and send you the logs of HJT and so on, can I shut down my pc or should I leave it "on" to follow your steps?

    Cheers,

    O.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It can often be better to leave a PC on afterwards since many malware infections spread or mutate during shutdown or reboot. If leaving your PC is not an option right now, then run the procedure, post the logs and shutdown. If it is an issue because of the infection types that you have, we will then tell you later to not reboot or shutdown unless told to do so.
     
  6. oberst_88

    oberst_88 Private E-2

    Hi chaslang,

    No problem, I will keep my pc on.

    I followed all the steps as described in the sticky thread.
    No viruses whatsoever found by all the scanners. Couldn't start windows defender (in safe mode), it gave following error:
    "Application failed to initialize:0x800106ba.
    A problem caused W.D.Service to stop. To start the service, restart...."

    After rebooting from safe mode to safe mode with network, following error popped:

    "svchost.exe 00x0000000" (something like that).

    Could not run bitdefender because "website is not authorized to host this active x control".

    Still must have the Pipas.a crap because I hear a little "pop" sound when system has initialized.

    Please find enclosed HJT files, hope you can help me!

    Cheers,

    Oberst_88
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Windows Defender in normal boot mode?

    You did not run PandaActiveScan in step 6 of the READ & RUN ME. Please run it and attach the log so we can look for other issues. I will give you a prelim fix below for your main problem which is a WareOut infection.

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E92EF58-4F26-4576-BCB8-30A42E99A183}: NameServer = 85.255.116.46
    O17 - HKLM\System\CCS\Services\Tcpip\..\{140D30E2-B38D-4431-A2B9-E5872D2DE21B}: NameServer = 85.255.116.46
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1574FE33-A4CF-4517-AAE9-D1363A53E9E9}: NameServer = 85.255.116.46
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1872EBEB-738F-4322-B0F2-F6E2EE970A1B}: NameServer = 85.255.116.46
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E92EF58-4F26-4576-BCB8-30A42E99A183}: NameServer = 85.255.116.46
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log.
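
An added example, not part of the post above or of any tool it names: the O17 entries in that fix list show one resolver address written to several interface GUIDs and to more than one control set. The sketch below parses O17 NameServer lines from a HijackThis log and reports resolvers outside the networks you expect; the trusted network and the last sample line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# HijackThis O17 line: control set, interface GUID (or the global Parameters key), value.
O17_NAMESERVER = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>\w+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]{36}\})|Parameters)"
    r": NameServer = (?P<value>.+)$"
)

def parse_o17(log_text):
    """Yield (control_set, interface, ip) for every NameServer address in the log."""
    for line in log_text.splitlines():
        m = O17_NAMESERVER.match(line.strip())
        if not m:
            continue
        # The value may hold several resolvers separated by spaces or commas.
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # not an address; skip rather than guess
            yield m.group("cset"), m.group("iface") or "Parameters", ip

def unexpected_resolvers(log_text, trusted_networks):
    """Return entries whose resolver lies outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [(cset, iface, str(ip))
            for cset, iface, ip in parse_o17(log_text)
            if not any(ip in net for net in nets)]

def resolver_spread(findings):
    """Count how many registry entries each unexpected resolver was written to."""
    return Counter(ip for _, _, ip in findings)

# The first four lines are quoted from the thread; the last line is constructed.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E92EF58-4F26-4576-BCB8-30A42E99A183}: NameServer = 85.255.116.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{140D30E2-B38D-4431-A2B9-E5872D2DE21B}: NameServer = 85.255.116.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E92EF58-4F26-4576-BCB8-30A42E99A183}: NameServer = 85.255.116.46
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    hits = unexpected_resolvers(SAMPLE_LOG, ["192.168.1.0/24"])  # assumed local network
    for ip, count in resolver_spread(hits).items():
        print(f"{ip} set on {count} interface entries")
```

The same address repeated across unrelated interface GUIDs and a backup control set (CS1) is the signal worth triaging; a DHCP-assigned resolver normally appears only on the adapter that received the lease.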
     
  8. oberst_88

    oberst_88 Private E-2

    Hello chaslang,

    Did a windows defender full scan in normal mode: no problems found

    UnSpyPc: did already delete all files I could find. No entry in add/remove programs.

    When installing panda activescan the pop-up to install the active-x doesn't show up. I had no firewall running (Zone Alarm) or anti-virus (Kaspersky). Could not run panda active scan.

    Found no UnSpyPc in safe mode in C:\programfiles

    Please find attached log files as requested.

    I really appreciate your support.

    Regards,

    Oberst_88
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Wareout appears to be gone now.

    But I would like to know what the below is:
    C:\PROGRA~1\LAUNCH~1\CPLBY25.EXE

    This is C:\Program Files; the Launch~1 you will have to figure out what the full name really is. I don't like the looks of this, but it could be just for your PC. Is your PC an Acer?

    I would like to get some more info on the C:\PROGRA~1\LAUNCH~1\CPLBY25.EXE file. Locate it using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.


    How is your PC working right now?
     
  10. oberst_88

    oberst_88 Private E-2

    Hi chaslang,

    Here is the info you requested from version tab:

    Company name: Dritek system Inc.
    Internal name: MMKeybd
    Original file: MMKeybd.exe
    Product name: Dritek system Inc. MMKeybd 04.15.2002 (VC 60)
    Product version: 4, 15, 0, 2002
    Language: English

    Properties show it is the multi media keyboard, as far as I know this was always on my system. Indeed my laptop is an ACER.

    Still have the problem as once in a while I hear a "pop" sound.
    I am not shutting down my system, is that okay?

    Regards,

    Oberst_88
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When exactly does this "pop" sound occur?
    Do you have browsers opened when it occurs?
    Does it only occur when connected to the internet and when connected to certain sites?
    Does it occur when you are not doing anything on your PC and all browsers are closed?
    Does it occur if you shut down the real time protection of Windows Defender?
    Does it occur in safe mode?

    Just for a backup, do the following:

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
  12. oberst_88

    oberst_88 Private E-2

    Hi chaslang,

    This sound occurs at start up.
    You hear the sound when I start internet (I switched to Mozilla currently but that hasn't changed a thing).
    It doesn't matter to which site I am connected.
    You don't hear this sound when browsers are closed.
    It also occurs when Windows defender real time protection is on (as well as when W.D. is not installed).
    It doesn't occur in safe mode.

    When I start google in IE and search for something I get redirected to different websites as stated. When I do the same thing with Mozilla this doesn't happen, I get redirected to the proper website.

    I made the fixme.reg

    Regards,

    O.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's do a few things!

    1. Run this Running Spy Sweeper and attach the SpySweeper.txt log
    2. Run the below procedure and attach the runkeys.txt log.
    3. Download HOSTER and then follow the below steps.
      • Unzip Hoster to a convenient folder such as C:\Hoster
      • Run Hoster.exe, click Restore Original Hosts and then click OK.
      • Click the X to exit the program

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  14. oberst_88

    oberst_88 Private E-2

    Hi chaslang,

    Did all your steps, and guess what: no problems anymore!

    However I still keep hearing this "pop" sound....

    Nevertheless :) :) :) :) :) :) :) :) :) :)

    Thanks a lot!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! I don't know what to make of the sounds. It could just be related to sites you are connecting to and cookies being written or updated on your PC.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  16. oberst_88

    oberst_88 Private E-2

    Hi chaslang,

    I have W2K, how do I enable/disable system restore? I see on the sticky thread that it is only applicable for XP or Me.

    I am using mozilla firefox as browser, when I use IE I can't connect to the msn website.....? With firefox there is no problem.

    Am I still infected with malware?

    Greetings,

    O.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My mistake! I forgot to edit my boilerplate message for the fact that you were using Win2k. There is no system restore in Win2K.

    According to your logs no. Which MSN URL are you referring to? And do you mean you cannot get to the URL or do you mean you cannot login to something?
     
  18. oberst_88

    oberst_88 Private E-2

    Aloha chaslang,

    When I switch to hotmail.com, after inserting user name and password, the browser keeps blank. You see the blue bar of internet blinking but no connection is made, as stated before; with mozilla no problems.

    Cheers,

    O.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is that the only place you have the problem? Are there other sites where you need to login like that and use IE without problems?

    Note: This does not appear to be a malware issue.
     
  20. oberst_88

    oberst_88 Private E-2

    Hi chaslang,

    No problems with other websites, I like mozilla more than IE so it won't bother me too much.

    Thanks a lot for the support!

    Hope to be here not too soon!

    Cheers,

    Oberst_88
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Then if hotmail.com is the only location you are having a problem with, perhaps you have inadvertently added it to the Restricted Zone or are blocking it with a firewall. At any rate, it is not a malware problem.

    I wonder if this would fix it: http://www.msgshit.com/downloads/456/Hotmail-login-fixer.html
     
    Last edited: Jun 8, 2006
