search engine malware trouble....

Discussion in 'Malware Help (A Specialist Will Reply)' started by Corbin, Jan 10, 2006.

  1. Corbin

    Corbin Private E-2

    Hello, I am having an annoying problem that I cannot solve. The issue is when I use a search engine (any search engine...Google, Yahoo, etc.) I click on the link and it takes me to a totally different link. Nothing XXX or anything, just usually another generic search page. Anyone ever heard of a problem like this? Also, there is something that prevents me from upgrading any spyware, antivirus, or malware scanners. Either they say "failed" or something wrong with the *.dll file. Let me know if anyone can help.

    Andrew

    p.s. I DID read the "read this first" thread and have performed all the required procedures, some items were cleared that way, but the problems still exist. THANKS!!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    If you completed the READ ME and you still have problems, you should be following the instructions in the READ ME in steps 6 & 7. Three logs should be attached to your message. BitDefender, PandActiveScan, and HijackThis.
     
  3. Corbin

    Corbin Private E-2

    Sorry about that. There was not any report from panda because it didn't find anything. Thank you for your help! The other two are here...
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions in step 7 of the READ ME completely. You did not follow all of them. If you did, you would not be using a very old version of HijackThis. Please get the proper version in our steps installed, but before posting a new log, run the steps below, which may solve your inability to download updates.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now get the new HJT log and attach it.
     
  5. Corbin

    Corbin Private E-2

    Ok, here's an up to date HJT log. Thanks for the hoster tip.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now that you have the correct version of HJT, you need to install it properly as in the directions. Your old version was installed properly. Now you are running it from the ZIP file:

    C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    Please install properly before continuing. Failure to do so will prevent you from getting backups created of things HJT removes.

    You have a Wareout infection!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41E96930-F95B-467E-BA89-E395B1A1BB32}: NameServer = 85.255.116.150,85.255.112.202
    O17 - HKLM\System\CCS\Services\Tcpip\..\{611B483C-D087-4AAE-89B9-94BDC2CB580B}: NameServer = 85.255.116.150,85.255.112.202
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C30375CC-50EA-4E88-AF6D-82EE9471293C}: NameServer = 85.255.116.150,85.255.112.202

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log.
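
The O17 check from the post above, as an added example that is not part of the original thread: it pulls the per-interface NameServer values out of a HijackThis log and reports any resolver outside the networks you expect. The function names, the benign sample lines and the 192.168.0.0/16 allowlist are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample log: the first three O17 lines are quoted from the post
# above; the O4 line and the last O17 line are made up as benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{41E96930-F95B-467E-BA89-E395B1A1BB32}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{611B483C-D087-4AAE-89B9-94BDC2CB580B}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{C30375CC-50EA-4E88-AF6D-82EE9471293C}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(interface_key, [resolver, ...])] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = [s for s in re.split(r"[,\s]+", match["servers"]) if s]
            entries.append((match["key"], servers))
    return entries


def unexpected_resolvers(log_text, expected_networks):
    """Map interface key -> resolvers that fall outside expected_networks."""
    networks = [ipaddress.ip_network(n) for n in expected_networks]
    findings = {}
    for key, servers in parse_o17(log_text):
        flagged = []
        for server in servers:
            try:
                address = ipaddress.ip_address(server)
            except ValueError:
                flagged.append(server)  # not an IP literal; review by hand
                continue
            if not any(address in net for net in networks):
                flagged.append(server)
        if flagged:
            findings[key] = flagged
    return findings


if __name__ == "__main__":
    # Assumption: the machine's legitimate resolver is on the 192.168.0.0/16 LAN.
    for key, servers in unexpected_resolvers(SAMPLE_LOG, ["192.168.0.0/16"]).items():
        print(key, "->", ", ".join(servers))
```

Running the same check on a log taken after the fix should return an empty result if the NameServer values were restored.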
     
  7. Corbin

    Corbin Private E-2

    Is this the correct versions and installations?...
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is better!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [dmvsx.exe] C:\WINDOWS\system32\dmvsx.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\dmvsx.exe
    C:\WINDOWS\SYSTEM32\CSCHY.EXE
    C:\WINDOWS\SYSTEM32\DMBGN.EXE

    Tell me what you find and do not find!

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    If all went as planned you should be clean and working okay now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  9. Corbin

    Corbin Private E-2

    Ok, I followed your above instructions closely.

    I closed all applications and windows. Started HJT. Fixed...

    O4 - HKLM\..\Run: [dmvsx.exe] C:\WINDOWS\system32\dmvsx.exe

    Then rebooted in safe mode. In Windows Explorer and deleted... windows\systems32\dmvsx.exe
    windows\systems32\cschy.exe

    couldn't find windows\system32\dmbgn.exe

    Deleted all the files in C:\windows\prefetch

    ran Ccleaner

    Rebooted in normal mode. And attached is the HJT log...

    Everything seems to be back to normal now. Let me know what you think.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see the below in your log:

    O4 - HKLM\..\Run: [dmvsx.exe] C:\WINDOWS\system32\dmvsx.exe

    Did it come back or did you forget to click Fix checked?

    Try again! Also make sure the file does not exist.

    Let me know.
     
  11. Corbin

    Corbin Private E-2

    No, I checked the box to fix it. I'll try again and let you know.
     
  12. Corbin

    Corbin Private E-2

    Ok, the file does show up in the HJT log, but it does not exist in
    c:\windows\system32

    hmmmmm....
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So fix it again and then immediately check your HJT log to see if it is fixed.

    Then reboot and see if still fixed.
     
  14. Corbin

    Corbin Private E-2

    Ahhhhh...that's better!
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  16. Corbin

    Corbin Private E-2

    THANK YOU! You are the "anti-spyware man"!!!!!!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
