please help. strange probs.

Discussion in 'Malware Help (A Specialist Will Reply)' started by rufus1, Jan 1, 2006.

  1. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode, run the Wareout fix, and then reboot into Safe Mode again after you run the Wareout fix; run HJT, and if those entries are still there, have HJT fix them in Safe Mode.

    After you do this, reboot a few times, then attach a fresh HJT log with the FixWareout log.
     
  2. rufus1

    rufus1 Private E-2

    OK, I really have to go out now. I'll follow your instructions as soon as I get back. Thanks again for your help and time. Back on later.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, the longer it stays, the more it may mutate, so... I'll check back later.
     
  4. rufus1

    rufus1 Private E-2

    OK, I did what you said. I rebooted three times; each time I connected to the internet and opened my homepage. After 3 times I did a log and the O17s weren't there. They had gone. I then connected to the internet and selected this site from my favorites and ran another log, and they were back.

    Are they hiding in my favorites box?
     

    Attached Files:

  5. rufus1

    rufus1 Private E-2

    Hello again. I've had a go on the net and it seems to be working fine. Is it possible that it's fixed and the O17s are harmless, or are they just waiting for a chance to reinfect?

    I'm not going to reboot until you've viewed my log and given me your feedback anyway, just in case. Look forward to your reply.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download WinPFind
    • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
    • Once it is launched, click on the Configure Scan Options button. And to the right side in the white box below the Run Addons checkbox, select the Qoologic.def and WareOut.def check boxes. Then click Apply.
    • Now click the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.
    • When it is done, it will show the results of the scan. Right-click in the window and choose Select All. Then right-click again and select Copy, which will copy the contents of the log to your clipboard. Then open a Notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.
     
    Last edited: Jan 4, 2006
  7. rufus1

    rufus1 Private E-2

    OK, here's my log, not sure which one you need.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We just updated our instructions on running WinPFind, so please follow my previous post (Post 56) and attach the log once more.
     
  9. rufus1

    rufus1 Private E-2

    OK, this is what you're looking for, I think.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now a fresh HJT log.
     
  11. rufus1

    rufus1 Private E-2

    HJT log
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Follow this post as it is...

    Please locate your download of FixWareout and INSTALL it.
    • Be sure that Run fixit is checked.
    • Click Finish to begin the fix.
    • Follow the prompts and Reboot when asked to do so.
    • Upon Reboot, follow the prompts and HijackThis should open.
    After HJT opens, Click Scan and then Check the boxes for the following, if they should remain:

    After you complete the above, reboot a few times and attach a fresh HJT log.
     
  13. rufus1

    rufus1 Private E-2

    This FixWareout, when I run the system it comes up with a black page that has text in it and says press any key to continue; there are no boxes to be checked.
    Am I doing something wrong?
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download it again...

    http://swandog46.geekstogo.com/Fixwareout.exe
     
  15. rufus1

    rufus1 Private E-2

    No, still the same thing, no boxes to check.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download, install; at the end of the INSTALL is where you check the box "run fixit".
     
  17. rufus1

    rufus1 Private E-2

    Wareout log
     

    Attached Files:

  18. rufus1

    rufus1 Private E-2

    The O17s go until I reconnect to the internet, and then they're back.
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    R3 - URLSearchHook: (no name) - {11119E57-4C35-9BDA-5F44-C53291EC74D3} - sysconf16.dll (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.163 85.255.112.179
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.163 85.255.112.179

    Make sure All Browser Windows are Closed when you Click FIX.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\CSXXM.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, run Ewido but first get any updates. Afterwards attach a fresh HJT log with the Ewido log.
     
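    The two O17 lines above are the per-interface NameServer values that keep coming back. As an added example (not from the thread or from HijackThis), this Python snippet parses O17 lines out of an HJT log, splits out the control set and interface GUID, and flags any resolver that is not inside an allow-list of the ISP's resolver ranges. The log lines are the ones quoted in this thread; the allow-list ranges are constructed placeholders, not a claim about who owns those addresses.

```python
import ipaddress
import re

# Constructed sample: the R3 and O17 lines exactly as quoted in the thread's HJT log.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {11119E57-4C35-9BDA-5F44-C53291EC74D3} - sysconf16.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.163 85.255.112.179
O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.163 85.255.112.179
"""

# O17 line shape: "O17 - <registry key>: NameServer = <ip> <ip> ..." (HJT also uses commas).
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return one dict per O17 line: registry key, control set (CCS/CS1/...), interface GUID, resolvers."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # R3, O2, etc. are not DNS entries
        key = m.group("key")
        parts = key.split("\\")  # ['HKLM', 'System', 'CCS', 'Services', 'Tcpip', '..', '{GUID}']
        servers = [ipaddress.ip_address(s) for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append({"key": key, "control_set": parts[2], "interface": parts[-1], "servers": servers})
    return entries


def audit_o17(log_text, trusted_networks):
    """Flag every O17 resolver outside the trusted ranges.

    Returns a list of (control_set, interface_guid, resolver_ip) tuples. An empty
    allow-list flags every static NameServer, which matches the thread's advice to
    let the adapter obtain DNS automatically unless the ISP's resolvers are known.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for entry in parse_o17(log_text):
        for ip in entry["servers"]:
            if not any(ip in net for net in trusted):
                findings.append((entry["control_set"], entry["interface"], str(ip)))
    return findings


if __name__ == "__main__":
    # Constructed allow-list: a documentation range, so every resolver in the sample is flagged.
    for finding in audit_o17(SAMPLE_HJT_LOG, ["192.0.2.0/24"]):
        print("untrusted NameServer:", finding)
```

    If the allow-list does contain the ISP's resolver range, the same entries produce no findings, which is the distinction the last post in this thread draws between a hijack and the ISP's own settings.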
  20. rufus1

    rufus1 Private E-2

    Same thing comes back as soon as I connect to the internet.
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run Ewido? If so, attach the log.

    Do this: get a fresh download of Wareout Fix. Reboot to Safe Mode, physically disconnect from the internet (pull the cable) and run the Wareout fix utility, then have HJT fix those 2 O17 entries.

    After completing the above, reboot to normal mode, reconnect to the internet and attach a fresh HJT log.

    I haven't ever seen this be so difficult to remove.
     
  22. rufus1

    rufus1 Private E-2

    Ewido log
     

    Attached Files:

  23. rufus1

    rufus1 Private E-2

    OK, did that. Here's my logs; I'll give you one before I connected and one straight after.
     

    Attached Files:

  24. rufus1

    rufus1 Private E-2

    Second HJT
     
  25. rufus1

    rufus1 Private E-2

    It won't let me, but they're back anyway.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wareout may be hiding in a rootkit. Let's find out.

    Download, install and run BlackLight by F-Secure. Post the log once finished.
     
  27. rufus1

    rufus1 Private E-2

    Ran the scan, nothing was found, but I didn't get a log? Or do you mean HJT?

    Still seems to be working anyway.

    It won't be hiding in the favorites list, will it?
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download AproposFix by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe (which will give you a choice of where to unzip/install the program to). This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double-click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.


    After you complete the above, please download Rootkit Revealer 1.56

    Once download is complete, run the utility and click SCAN to begin scanning your system.

    If you need any help with this utility please see the site below...
    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    After you complete a scan, attach the log to your next post.
     
  29. rufus1

    rufus1 Private E-2

    OK, here's the log.
     

    Attached Files:

    • log.txt (File size: 392 bytes)
  30. rufus1

    rufus1 Private E-2

    HJT log
     

    Attached Files:

  31. rufus1

    rufus1 Private E-2

    Done the rootkit scan, nothing found and no log given.
     
  32. rufus1

    rufus1 Private E-2

    My computer is starting to run slowly today. Not sure if it's all the software I've downloaded or the spyware/malware.
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have multiple user accounts on this computer?
     
    Last edited: Jan 7, 2006
  34. rufus1

    rufus1 Private E-2

    Hello. No, I just have the 1 user account.
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, let's get a few things straight. You say the infection goes away until you re-connect to the internet, correct?

    What sites are you visiting after you re-connect to the internet?

    Also, attach a current HJT log.
     
  36. rufus1

    rufus1 Private E-2

    Hello again. Been off for a few days.

    This was the only site I was visiting at the time, but it was before I actually opened the internet browser that they came back.
    I ran an HJT at every step to see when exactly they came back, and it was when I made the internet connection, before I even opened the home page.
    Hope this helps.
     

    Attached Files:

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please uninstall Ewido and then proceed with the rest of this.

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.
    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    • Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Download a fresh copy of FixWareout by Lonny and save it to your Desktop.

    Please locate your download of FixWareout and INSTALL it.
    • Be sure that Run fixit is checked.
    • Click Finish to begin the fix.
    • Follow the prompts and Reboot when asked to do so.
    • Upon Reboot, follow the prompts and HijackThis should open.
    After HJT opens, Click Scan and then Check the boxes for the following, if they should remain:

    Now, run CCleaner, Be sure you only run the Default Scan (Windows Tab) and select Run Cleaner. Do not run any other options from other tabs.

    Next, I would like you to reset your DNS servers

    1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
    2. Right-click the network connection that you want to configure, and then click Properties.
    3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
    4. Click Obtain DNS server address automatically. (Recommended)

    After you complete the above instructions, please download and install Spybot S&D. After install get any updates, Immunize and then run a full system scan.

    Next, you need to install a firewall. I recommend ZoneAlarm Free Edition. See the thread below to pick one.

    How to Protect yourself from malware!

    After you complete the above, before attaching the logs, reboot a few times then attach the log from wareoutfix along with the new HJT log.
     
    Last edited: Jan 10, 2006
  38. rufus1

    rufus1 Private E-2

    Hello again.
    I followed all the instructions, but DelDomains wasn't working for me; when I open the file it's just text.

    Anyway, did the rest and here's my logs; the O17s are still there.

    When I followed the instructions for DNS servers, it looked like the numbers in the box were the same as in O17?? But I checked the automatic box anyway.

    Here's the logs to look at.
    Thanks again.
     

    Attached Files:

  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those entries in your HJT log, the O17s, look like your ISP's.

    Are you having any current problems?
     
