Something is using my Internet :|

Discussion in 'Malware Help (A Specialist Will Reply)' started by Danuka, Jul 8, 2006.

  1. Danuka

    Danuka Private E-2

    Hi, I have had this problem for a while: whenever I have the internet connected it shows the connection status as ALWAYS transferring data :confused: even if I don't have any browsers or P2P apps open. I have gone through the "READ & RUN ME FIRST Before Asking for Support" a couple of times to make sure I did it right. But it is the same result. Just before you read the logs, I did block one file using CounterSpy; the file was "msxml32.exe", but again the same result. I would be mighty happy if someone could check this out :)
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please refer to the READ ME again. You have Spybot's TeaTimer running and should not.

    Now Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Also you installed HijackThis exactly where step 7 specifies not to install it.

    Please correct this now before continuing.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\winucity.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - (no file)
    O3 - Toolbar: (no name) - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - (no file)
    O4 - HKLM\..\Run: [Windows Workstation Service [5.1-2600]] windrm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\W
    O4 - HKLM\..\Run: [SYSTEM] winucity.exe
    O4 - HKLM\..\Run: [Windows Security] C:\Program Files\Common Files\Microsoft Shared\Help\1031\msxml32.bat
    O4 - HKLM\..\RunServices: [Windows Workstation Service [5.1-2600]] windrm.exe
    O4 - HKLM\..\RunServices: [SYSTEM] winucity.exe
    O4 - HKCU\..\Run: [Windows Workstation Service [5.1-2600]] windrm.exe
    O4 - HKCU\..\Run: [SYSTEM] winucity.exe
    O4 - HKCU\..\RunServices: [Windows Workstation Service [5.1-2600]] windrm.exe
    O4 - HKCU\..\RunServices: [SYSTEM] winucity.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\W or C:\w.exe or C:\W.Bat or C:\W.com
    C:\WINDOWS\System32\windrm.exe
    C:\WINDOWS\System32\winucity.exe
    C:\Program Files\Common Files\Microsoft Shared\Help\1031\msxml32.bat

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Jul 8, 2006
  3. Danuka

    Danuka Private E-2

    OK, cool, I have done all the steps. Now the only problem was that I was not able to find the files "C:\W or C:\w.exe or C:\W.Bat or C:\W.com" and "C:\WINDOWS\System32\windrm.exe", but other than that my connection status does not show data transferred when I am not on. THANKS!!! :D BTW here is the HJT log file after I restarted my comp in normal mode.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not installed HijackThis correctly. You have it running like this:

    C:\Documents and Settings\Danuka\Local Settings\Temp\HijackThis.exe

    If I had given you some other typical cleaning procedures that we often use, the program would have been deleted from your PC. YOU MUST install it properly. We have more work to do.

    Please follow the directions in step 7 and install HijackThis so it runs from C:\Program Files\HJT\HijackThis.exe

    Then attach a new HJT log. Once you get this correct, we can continue.
     
  5. Danuka

    Danuka Private E-2

    ok sorry about that here is the new HJT log file.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's better. Now uninstall CounterSpy and also disable any other active protection from things like CA Safe. You still have some of the same problems as before. Make sure you locate these files and delete them.

    Make sure viewing of hidden files is enabled (per step 2 of the READ & RUN ME).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\winucity.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SYSTEM] winucity.exe
    O4 - HKLM\..\RunServices: [Windows Workstation Service [5.1-2600]] windrm.exe
    O4 - HKLM\..\RunServices: [SYSTEM] winucity.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in) -

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\W or C:\w.exe or C:\W.Bat or C:\W.com <--- are there any files that are just w.xxx, where xxx is anything?
    C:\WINDOWS\System32\windrm.exe
    C:\WINDOWS\System32\winucity.exe


    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
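    The two clean-up posts above work by reading the O4 (autorun) lines of a HijackThis log and picking out the ones that do not belong. The following is an added example, not part of this thread or of HijackThis itself: a small Python triage script that parses O4 lines and scores them with the same signals the helper is applying by eye: a bare filename with no directory, a RunServices value on Windows XP (a Win9x-era key that XP never processes, so on XP it is almost always written by malware), a .bat or other script type as an autorun, a short file sitting directly under the drive root, and a value name that borrows Windows vocabulary to look like a system component. The sample log is constructed from the entries quoted in this thread plus two normal XP entries for contrast; the allow-list and the score weights are illustrative assumptions, not a vetted database.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HijackThis lines, modelled on the entries quoted in
# this thread plus two normal Windows XP entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - (no file)
O4 - HKLM\..\Run: [Windows Workstation Service [5.1-2600]] windrm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\W
O4 - HKLM\..\Run: [SYSTEM] winucity.exe
O4 - HKLM\..\Run: [Windows Security] C:\Program Files\Common Files\Microsoft Shared\Help\1031\msxml32.bat
O4 - HKLM\..\RunServices: [SYSTEM] winucity.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command>".
# The value name is matched greedily so names containing brackets still parse.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>.*)\] (?P<cmd>.*)$"
)

# Allow-list keyed on the last path component (assumption: illustrative only).
KNOWN_BENIGN = {
    "ctfmon.exe": "Windows text services loader",
    "dumprep 0 -k": "crash-reporting leftover, harmless",
}

# Value names that borrow Windows vocabulary to look like a system component.
MIMIC_RE = re.compile(r"windows|system|microsoft|security|service", re.I)


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    cmd: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_o4(line):
    """Return a Finding for an O4 line, or None for any other HJT line."""
    m = O4_RE.match(line.strip())
    return Finding(m["hive"], m["key"], m["name"], m["cmd"]) if m else None


def score(f):
    """Apply the heuristics in place and return the finding."""
    exe = f.cmd.lower().split("\\")[-1]  # last path component, e.g. "winucity.exe"
    if exe in KNOWN_BENIGN:
        f.reasons.append("known benign: " + KNOWN_BENIGN[exe])
        return f
    if f.key == "RunServices":
        # Win9x/ME key; Windows XP never processes it, so on XP a RunServices
        # value is almost always written by malware for 9x compatibility.
        f.score += 3
        f.reasons.append("RunServices key is ignored by XP; only malware still writes it")
    if "\\" not in f.cmd and not f.cmd.startswith("%"):
        f.score += 2
        f.reasons.append("bare filename with no directory, resolved via the search path")
    if exe.endswith((".bat", ".com", ".pif", ".scr")):
        f.score += 2
        f.reasons.append("script/legacy executable type used as an autorun")
    if re.fullmatch(r"[A-Za-z]:\\[^\\ ]{1,8}", f.cmd):
        f.score += 2
        f.reasons.append("short file directly under the drive root")
    if MIMIC_RE.search(f.name):
        f.score += 1
        f.reasons.append("value name mimics a Windows component")
    return f


def triage(log_text):
    """Parse every O4 line in an HJT log and score it."""
    return [score(f) for f in map(parse_o4, log_text.splitlines()) if f]


def suspicious(log_text, threshold=2):
    """Findings at or above the threshold, worst first."""
    hits = [f for f in triage(log_text) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.score}  {f.hive}\\..\\{f.key}: [{f.name}] {f.cmd}")
        for r in f.reasons:
            print("      -", r)
```

    Run it against a saved HJT log with `triage(open("hijackthis.log").read())`. On the sample the RunServices copy of winucity.exe scores highest, the three bare-name or .bat entries with Windows-sounding names come next, and C:\W is caught only by the drive-root rule, which is why the helper asks the poster to look for any w.xxx file rather than one exact name. The scores are a reading aid, not a verdict: a legitimate installer can register a bare filename, so confirm each hit by locating the file on disk, as the posts above do, before deleting anything.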
     
  7. Danuka

    Danuka Private E-2

    At the start I was unable to kill the process C:\WINDOWS\System32\winucity.exe so I left it and went on to the other steps. I was also unable to find any file W.* or windrm.exe; there was winmsd.exe but that was not deleted. When I restarted in normal mode, I was unable to find winucity.exe in HJT. Here is the HJT log
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ?????? Take another look! It is still there.

    Fix the two below lines and then attach another new log.

    O4 - HKLM\..\Run: [SYSTEM] winucity.exe
    O4 - HKLM\..\RunServices: [SYSTEM] winucity.exe

    If this does not go away, we will have to use different steps because it would seem to indicate that you are not finding the files when they do exist.
     
  9. Danuka

    Danuka Private E-2

    OK, in safe mode I used HJT and saw the winucity.exe file still there, so I deleted that. Here is the new HJT log
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but now you have picked up a new problem.

    O4 - HKLM\..\Run: [Win32 USB] C:\WINDOWS\System32\wns.exe
    O4 - HKLM\..\RunServices: [Win32 USB] C:\WINDOWS\System32\wns.exe

    Where have you been surfing?

    Perhaps we need to dump your CA Isafe as it is not doing too good a job. Also you need a firewall and a new version of Sun Java.

    Fix the above lines and delete the file in safe mode.
     
  11. Danuka

    Danuka Private E-2

    Alright, I deleted the files in safe mode. The last week I have only been on this site and checking my Hotmail; however I do use a P2P app overnight, could that be the cause?? Also here is a new HJT log
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    P2P applications are one of the biggest spreaders of malware! Shut it down and keep it shut down.

    Your last log is clean. You need to QUICKLY follow through with ALL of the below. Make sure you get one of the firewalls mentioned installed.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
