Problem, a Major Problem

You must run and follow ALL the instructions in this Sticky thread READ & RUN ME FIRST Before Asking for Support Make sure you run everything and do them in the order indicated. Make sure you check against our version numbers and get all updates.

 

Can't you download files onto your PC and copy them to CD or flashdrive etc and then copy to the infected PC?

If you cannot do anything to help get the procedure started, we cannot help you. We need alot more information and it would take you along time to write it down and then type it into a message. What tools and version numbers are already on the PC?

 

I guess you did not run step 6 of the READ ME???

You have a Wareout infection and more.

Look in Add/Remove programs for UnSpyPC and uninstall if found.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

• Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
• Click Next, then Install.
• Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
• The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.
• When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html
R3 - URLSearchHook: (no name) - {8BEC06FB-14CC-8782-74BA-6E2D048B7196} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [trycrt] xwiz.exe
O4 - HKLM\..\Run: [ParisM] ParisM.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [browsebar] Brong32.exe
O4 - HKCU\..\Run: [media64] driver64.exe
O4 - HKCU\..\Run: [prgsys0984] mozilla-text.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{11058CD5-5A74-405A-8C9E-B26B21E238EB}: NameServer = 85.255.113.195,85.255.112.223
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDC2FD8E-C7EE-4D60-8B78-E0E27CA62052}: NameServer = 85.255.113.195,85.255.112.223
O17 - HKLM\System\CS1\Services\Tcpip\..\{11058CD5-5A74-405A-8C9E-B26B21E238EB}: NameServer = 85.255.113.195,85.255.112.223

After clicking Fix Checked, close HijackThis, and click OK to proceed.

At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
C:\WINDOWS\system32\msblank.html
C:\WINDOWS\system32\xwiz.exe
C:\WINDOWS\system32\ParisM.exe
C:\WINDOWS\system32\Brong32.exe
C:\WINDOWS\system32\driver64.exe
C:\WINDOWS\system32\mozilla-text.exe
C:\Program Files\UnSpyPC <--- delete the whole folder

Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

Also attach a new HijackThis log.

 

You're welcome! I would like you to run step 6 of the READ ME and attach the logs but before doing that a few steps will help to make those scans go faster and keep the logs smaller.

1) run Ccleaner on all user accounts to clean up all the cookies and temp files
2) empty the Recycle Bin
3) Also since you use Norton N-Protect to protect the Recycle Bin you must empty it. See this: Emptying the Norton Protected Recycle Bin
4) Empty any quarantine folders for your virus scanner

Now immediately after doing the above, run step 6 of the READ ME and attach the logs.

Also tell me if things are running any better. If not please describe the exact problems your are having in more detail.

 

You did not do what I requested in my last message. Look at the BitDefender log. You still have items in the Quarantine folder and in Recycle and the Norton N-Protect.

Please follow those directions.

Also delete the below files:
C:\WINDOWS\SYSTEM32\howiper.exe
C:\WINDOWS\cpbrkpie.ocx
C:\Downloads\SinglesMSetup-dm[1].exe

 

Okay! One file is still left: C:\WINDOWS\cpbrkpie.ocx

Did you miss that one?

Try again. Afterwards it is time to complete step 1 of the READ & RUN ME to dump all bad System Restore points. And then you should move on to the below:

How to Protect yourself from malware!

 

Thanks PP! I forgot about adding those to my list in message # 10.

I wonder why they have not made the script smart enough to nor show ipsec6.exe yet.

 

You're welcome. Surf safely!