I am sorry, bear with me here....You have me VERY confused.....I really think you have only completed parts of various items, and have done them "out of sync"
In post #3 you say this;
"OK, I've tried numerous times to reboot into safe mode but when windows starts up in safe mode the screen freezes and doesn't allow me to open anything. I had to restart with alt and f4 and try again with no luck. I followed your instructions and downloaded ewido which deleted everything found apart from downloader agent uj - Googling tells me ewido won't be able to remove this?"
Which tells me that you cannot do anything in safe mode.
Also in that very same post is your Ewido log. Which, because you said that you could not get into safe mode I assumed was run in Normal Mode.
Then in post #4 you tell me about finding the link for and running FixWareout but the only thing you post is this;
Check for missing files
.....
C:\WINNT\system32\AUTOEXEC.NT not there
.....
End check for missing files
I then gave you instructions on how to look for the replacement of that file...did you look and replace it or just ignore my instruction?
What you DID NOT post was the FULL FixWareout log. I am not even certain that you had run the program at that time at all.
In post #5 I told you to run HJT again and fix these entries;
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
I also asked you to try to run Ewido again in Safe Mode.
You post back in #6 and say this....
"I still can't do anything whilst in safe mode - I have to ctrl alt & del and even then I get an error message saying internet explorer isn't responding. I don't understand this as I hadn't even opened internet explorer?"
So Ewido hasn't been run in safe.
But you DO post what you say is a new HJT log and some of the fixes I requested seem to have been applied but these remain in the new log;
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
So I asked you in #7 if you had applied the fixes in HJT I requested and also ask if you still cannot go into safe mode. I also told you to check task manager to be certain it says ieexplore.exe
In post #8 you say...
"I can get it in safe mode by pressing f8 at menu, but when I login after it starts up, the desktop freezes not allowing me to click anything.
I fixed the entries you told me to yes."
In post #9 I tell you to try to go to safe mode by using a step by step method and I note you have not posted the full FixWareout log.
In post #10 you say...
"Apologies, it was explorer.exe
For some reason it allowed me to run ewido in safe mode (after about 6 attempts) I rebooted and followed your last instructions"
Honestly, I have no idea at this point what "last instructions" you are referring to... You then post the full FixWareout log along with another HJT log. Which still contains the two entries I note above.
This is where it really gets confusing to me...
Was this log the automatic log which was supposed to run immediately after the FixWareout was run as noted in the link that you cited or is this a log you have run yourself manually? AND if this was the automatic log why didn't you try to fix those two remaining entries?
Also, did you complete the instructions given on the link for using FixWareout?
That is the uploading (by copy/pasting the file path into the box and hitting submit) C:\WINNT\System32\CSEIX.EXE noted in the FixWareout scan to http://virusscan.jotti.org/ to have it checked out?
If you DID complete this step, why haven't you posted that information here?
Also then why did you post the OLD Ewido scan when the link clearly states to run the Ewido scan, in safe mode AFTER using FixWareout. That is the Ewido scan I expected to see not one run BEFORE using FixWareout. The reason for running one AFTER FixWareout is that Ewido should be able to fix the problem then. The one before the fix identifies what cannot be fixed so that additional steps can be applied before running Ewido again.
This is why, when removing malware, viruses, trojans, spyware, etc., each and every step must be followed exactly. Patience is the KEY. These are often very time consuming processes that need to be followed slowly and correctly. Steps cannot be skipped or done out of order. There is truly a reason the steps must be followed in order. If they are not they may not work at all. If a step cannot be completed then you should stop the process and that information should be posted and then you wait while a search is done for a new step to be tried. By using part of the information from that link and following part of the steps given by me and part of the steps from PP's link I honestly have no idea where we stand for sure or exactly what you have completed and when.
I need you to please upload that information to the link above and get the log from them. Save it. Don't post it here yet.
I now need you to reboot to safe mode and run Ewido again. Let it fix whatever is found and please save that log.
Reboot to normal mode. Run HJT again and fix those two entries, IF they remain that I have noted above. Reboot. Run it again, save the log and post THAT last HJT log, the Ewido log and the log from Virusscan here. Do NOTHING else.
If you have already done something else then DON'T follow these instructions yet...post back to me what you HAVE done and in what order. Don't post any old logs, just new ones.
Judy


