Thread: Owned by Spyware!! Please Help?

  1. #1
    Join Date
    Sep 2006
    Posts
    19
    I kept trying to get in safe mode - on the 5th time, I just ran ewido in normal mode - I was informed that safe mode is the safest way, so presumed if safe mode wasn't working then I'd have to run it without it?

    I rebooted again and managed to get into safe mode, which is when I ran ewido again.

    I took your instructions to paste that file and I did that.

    When I downloaded fixwareout, I didn't see any concrete instructions on how to run it, so am not sure if I posted the full log?

    I fixed all the hjt entries you told me but they still seemed to come back?

    The 'last instructions' I referred to were

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    The sticky on here is quite confusing to non techy people - it appears to consist of a lot of info, but doesn't give a definitive order to which these steps should be taken. It mentions hiding ops and enabling hidden files but doesn't tell you exactly when you should do it? I'm probably wrong but that's the way I'm reading it!

    I've just run http://virusscan.jotti.org/

    Here's the info
    Service load: 0% 100%

    File: cseix.exe
    Status: INFECTED/MALWARE
    MD5 4ec349a0d45a6ee6b8c2e0dbd9b83886
    Packers detected: PE-CRYPT.POLYCRYPTA
    Scanner results
    AntiVir Found Heuristic/Malware (probable variant)
    ArcaVir Found nothing
    Avast Found Win32:Agent-AVO
    AVG Antivirus Found Downloader.Agent.FCQ
    BitDefender Found Trojan.Downloader.Mohbpork.A
    ClamAV Found Trojan.Downloader.Agent-657
    Dr.Web Found Trojan.DnsChange
    F-Prot Antivirus Found Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
    Fortinet Found W32/Agent.UJ!tr.dldr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.uj
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan.DownLoader.10960


    I'm sorry, I've had malware problems before but this one seems ridiculously complex, particularly as my pc wouldn't even allow me to run safe mode for so long. I appreciate what you're doing massively though.

    Progress UPDATE - I ran fix although the only log that appears is yesterday's and I can't locate any more for fix?

    I rebooted in safe mode then ran ewido. It cleaned the agent uj trojan, here's the report;
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:32:10 09/08/2006

    + Scan result:



    C:\WINNT\system32\cseix.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).


    ::Report end

    I am now able to run adaware (which is clean) and the speed of my surfing has improved!

    Well done you!

    I have since tried that jotti scan and the CSEIX.EXE file you asked me to locate, cannot be found - I presume this is a good thing?

    Do I run hjt in safe now? I'm so damn confused! I'll await your instructions.

    Thanks a million for your patience!
    Last edited by spyware_victim; 09-08-2006 at 05:02 AM.
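
Added example, not part of the original thread: the engines in the Jotti report above name the same file differently, so this Python sketch parses the pasted scanner lines, counts detections, and extracts the name components several engines share, then checks the ewido label against them. The function names and the noise-word list are assumptions made for this illustration.

```python
import re
from collections import Counter

# Scanner lines copied from the Jotti report posted above.
REPORT = """\
AntiVir Found Heuristic/Malware (probable variant)
ArcaVir Found nothing
Avast Found Win32:Agent-AVO
AVG Antivirus Found Downloader.Agent.FCQ
BitDefender Found Trojan.Downloader.Mohbpork.A
ClamAV Found Trojan.Downloader.Agent-657
Dr.Web Found Trojan.DnsChange
F-Prot Antivirus Found Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Fortinet Found W32/Agent.UJ!tr.dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.uj
NOD32 Found a variant of Win32/Small.FB
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.DownLoader.10960
"""
# Assumed list of words that carry no family information (platform, filler).
NOISE = {"a", "of", "new", "variant", "possibly", "probable", "win32", "w32"}

def parse_report(text):
    """Map each engine to its label, or None when it found nothing."""
    results = {}
    for line in text.splitlines():
        engine, sep, label = line.strip().partition(" Found ")
        if sep:
            results[engine] = None if label == "nothing" else label
    return results

def tokens(label):
    """Lower-cased name components of one detection label, noise removed."""
    return set(re.findall(r"[a-z0-9]+", label.lower())) - NOISE

def detection_ratio(results):
    """(engines that flagged the file, engines in the report)."""
    return sum(1 for v in results.values() if v), len(results)

def common_tokens(results, min_engines=2):
    """Name components used by at least min_engines different engines."""
    counts = Counter(t for v in results.values() if v for t in tokens(v))
    return {t: n for t, n in counts.items() if n >= min_engines}

def agrees(label, common):
    """True when every component of label is one that several engines share."""
    return tokens(label) <= set(common)

if __name__ == "__main__":
    res = parse_report(REPORT)
    print("detected by %d of %d engines" % detection_ratio(res))
    print(common_tokens(res))
    print(agrees("Downloader.Agent.uj", common_tokens(res)))  # ewido's label
```
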

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    The sticky on here is quite confusing to non techy people - it appears to consist of a lot of info, but doesn't give a definitive order to which these steps should be taken. It mentions hiding ops and enabling hidden files but doesn't tell you exactly when you should do it? I'm probably wrong but that's the way I'm reading it!

    Hey, don't panic. We both were confused for a while yesterday.
    First of all let me say, things ARE looking MUCH better.

    Now I am going to walk you through the steps, in the order they should be performed, which IS in the exact order that PP gives, because I want you to follow all the steps again, just to be certain that your computer is clean.

    READ ME Before Posting A Request For Assistance!

    1. His first step asks you to familiarize yourself with three items...
    You already know how to boot to safe mode so you do not need to read that one.
    I DO want you to Enable Viewing of Hidden Files and Folders
    So do that NOW.
    Turning off System Restore only applies to Windows ME and XP so it does not apply to your system so just go forward.

    2. Here he requests that you download five programs.
    I know you have AdAwareSE and Ewido for sure. Update both of those programs but DO NOT RUN THEM YET.
    I want you to download any of the other three you DO NOT have at this time. Download, install and update them but DO NOT RUN THEM YET.

    3. You already have HiJackThis on your system so you do not need to download it again. But while we are on this step, go ahead and delete any of the old logs from HJT AND Ewido that you have remaining on your system. They are already posted here so if need be we can refer back to those so just delete them from your computer to avoid confusion. (you and I both have already had enough of that!)

    4. Look in Add/Remove for any programs you don't recognize or didn't add yourself and if you find any either remove them or if you are not certain then leave them for now but make a note to ask about it LATER.

    5. Be certain that you have Enabled the Viewing of Hidden Files and Folders.

    6. Run the Microsoft® Windows® Malicious Software Removal Tool that you downloaded in step #2.

    7. Run at least 2 of the online anti-virus scans that he lists in the sticky. I would recommend that you run Trend Micro and Symantec.
    I want to add a third of my own choosing here that I also think you should run and that is Windows Security Trojan Scan.
    I would like you to run all three of those, in the order given. Have them remove everything found.
    Make a note of everything found and fixed and where it was located.

    8. Disconnect completely from the internet. That means REMOVE THE INTERNET PLUG FROM YOUR COMPUTER ENTIRELY. Close all browsers and boot to SAFE MODE.

    Do the following, and in this order;
    A – Open and RUN CCleaner with the default options to clean out temporary files. Only use the Default Scan (Windows Tab) and click the Analyze Button. It will scan your computer for unnecessary files. It will take a few minutes. When it is complete it will show you, in the window, what files are safe to remove. Click the Run Cleaner button. Do not run any other options from other tabs.

    B – Open SpyBotSD and Click “Check for Problems.” Allow SpyBot to fix what it finds.

    C – Open Ad-Aware SE Personal and Click START > Check the Perform full system scan box > Click NEXT. Allow Ad-Aware to fix what it finds.

    D – Open Microsoft® Windows Defender (Windows XP/2K/2003 users ONLY!) and Click the downward pointing arrow next to SCAN and Select Full Scan. Allow it to run and fix what it finds.

    E – Last is EWIDO Anti-Spyware, please OPEN EWIDO and click Scanner > Complete System Scan.
    Allow it to fix what it finds and click on Save Report. Save the log to your desktop and please attach it along with your HijackThis log when you post back.

    Finally, once you have completed ALL of the above steps, in the EXACT ORDER GIVEN then Reboot the computer to NORMAL MODE.

    Run a NEW HiJackThis scan, save the log to your desktop. Then post back here with the NEW HJT log and the Ewido Log.
