  1. #1
    DF VIP Member lombie's Avatar
    Join Date
    Jul 2001
    Location
    In a house
    Posts
    2,214
    Thanks
    62
    Thanked:        20
    Karma Level
    499

    Default FAO Mule re: Hijack this PM

    deleted
    Last edited by lombie; 11th February 2009 at 03:30 PM. Reason: google searched for my name and it led to this thread

  2. #2
    DF VIP Member
    Mule's Avatar
    Join Date
    Mar 2004
    Location
    Surrey
    Posts
    9,210
    Thanks
    460
    Thanked:        979
    Karma Level
    1050

    Default Re: FAO Mule re: Hijack this PM

    Uninstall winfixer and make sure that the installer for it is not in your startup folder, if it is then check where the target file is, delete the shortcut in the startup folder and the target file itself.

    If it's not then go Start>Run type 'MSconfig' and press return. Click the startup tab and see if the installer for it is listed there, if it is then uncheck it and look to see where it's installed, go to that directory and delete the file.

    Run HJT and have it kill these;

    C:\Program Files\etea\rpen.exe
    O4 - HKLM\..\RunServices: [Microsoft Crs Fix Serv] wincrs.exe
    O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe

    Reboot into safe mode, run a full AVG scan and a full MS antispyware scan.

    If you're still having problems after that post another HJT log.


    EDIT: It may go under the name of "UWFX5LP_0001_0614NetInstaller" if it's in the msconfig startup list.
    Last edited by Mule; 15th August 2005 at 01:48 PM.

  3. #3
    DF VIP Member lombie's Avatar

    Default Re: FAO Mule re: Hijack this PM

    deleted
    Last edited by lombie; 4th August 2009 at 03:00 PM.

  4. #4
    DF VIP Member
    Mule's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Is winfixer still there?





  5. #5
    DF VIP Member lombie's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Quote Originally Posted by Mule
    Is winfixer still there?
    Nope - that appears to have gone.

    I think I may have made an error though, so am just going back through your processes again.

    Where I was so used to pressing 'block' on the adwatch thingy, I've just seen that one of the requests was for permission to delete the etea thing from the registry, and me being a halfwit and not reading just keep pressing block, block, block and therefore keeping the bastard file there :whistle.

    I'll try again and hopefully re-post in a minute with some success.

    Cheers Mule

  6. #6
    DF VIP Member
    Mule's Avatar

    Default Re: FAO Mule re: Hijack this PM

    If you're going through it all again then do it all in safe mode and before you do anything else turn off system restore.

    So, reboot into safe mode,

    turn off system restore, Start>Programs>accessories>system tools>system restore click 'system restore settings' tick 'turn off system restore' and click apply

    Uninstall winfixer and make sure that the installer for it is not in your startup folder, if it is then check where the target file is, delete the shortcut in the startup folder and the target file itself.

    If it's not then go Start>Run type 'MSconfig' and press return. Click the startup tab and see if the installer for it is listed there, if it is then uncheck it and look to see where it's installed, go to that directory and delete the file.

    Run HJT and have it kill these;

    C:\Program Files\etea\rpen.exe
    O4 - HKLM\..\RunServices: [Microsoft Crs Fix Serv] wincrs.exe
    O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe

    Run a full AVG scan and a full MS antispyware scan.

    Turn system restore back on.

    Reboot.

  7. #7
    DF VIP Member lombie's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Ok

    All done again Mule, while turning off the system restore as described.

    When I've rebooted this time I'm still getting an alarm saying that an attempt to add a registry value as before, except this has 'new data' and not 'data':

    Root: HKEY_CURRENT_USER
    Key: Software\Microsoft\Windows\CurrentVersion|Run
    Value: Usrr
    Data:
    New Data: C:\Program Files\etea\rpen.exe

    The ads are not coming up anymore though!
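Added example, not part of the original thread: a small Python parser for HijackThis O4 (autostart) lines that compares the entries marked for fixing with a log taken after the reboot and reports any that came back, as the `Usrr` value does here. The post-reboot log and its `ExampleApp` entry are constructed for illustration, and the function names are the example's own.

```python
import ntpath
import re

# Registry autostart line:  O4 - HKCU\..\Run: [Usrr] C:\path\file.exe
REG_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
# Startup-folder line:      O4 - Startup: name.lnk = C:\path\file.exe
DIR_O4 = re.compile(r"^O4 - ((?:Global )?Startup): (.+?)(?: = (.+))?$")

# The O4 entries listed for fixing (taken from the thread).
FIXED = r"""
O4 - HKLM\..\RunServices: [Microsoft Crs Fix Serv] wincrs.exe
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
"""
# Constructed sample of a log taken after the reboot (not from the thread).
AFTER_REBOOT = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
"""


def parse_o4(log_text):
    """Return {(location, name): command} for every O4 line in a log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_O4.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries[(f"{hive}\\{key}", name)] = command
            continue
        m = DIR_O4.match(line)
        if m:
            folder, name, target = m.groups()
            entries[(folder, name)] = target or ""
    return entries


def came_back(fixed_log, after_log):
    """Entries selected for fixing that are present again afterwards."""
    after = parse_o4(after_log)
    return sorted(k for k in parse_o4(fixed_log) if k in after)


def no_path(entries):
    """Entries whose command gives no directory, so the file must be located."""
    return sorted(k for k, cmd in entries.items() if not ntpath.dirname(cmd))


if __name__ == "__main__":
    print("re-added after reboot:", came_back(FIXED, AFTER_REBOOT))
    print("no directory given:   ", no_path(parse_o4(FIXED)))
```

An entry that reappears after being fixed means something else on the system is rewriting it at startup, so that writer has to be found and removed before the value stays gone.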

  8. #8
    ABCMan
    Guest ABCMan's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Open msconfig.
    You'll see that there is a line somewhere with a regedit command; it should point you to the location of the file that is being recopied to your system and also allow you to remove that command.

    Mostly these will execute a command to copy a file and rename it as well as adding it to your registry.

    Webroot's Spy Sweeper should be run in safe mode if you want to remove all traces once you've killed the regedit / loader command.

  9. #9
    DF VIP Member lombie's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Quote Originally Posted by ABCMan
    Open msconfig.
    You'll see that there is a line somewhere with a regedit command; it should point you to the location of the file that is being recopied to your system and also allow you to remove that command.

    Mostly these will execute a command to copy a file and rename it as well as adding it to your registry.

    Webroot's Spy Sweeper should be run in safe mode if you want to remove all traces once you've killed the regedit / loader command.
    I've done the msconfig and get a 'System Configuration Utility' but can't see any regedit?

    I get 'General' 'System.ini' 'WIN.INI' 'Boot.INI' 'Services' and 'Startup'

    The problem does seem to have disappeared for the time being though, but I'll get the Spy Sweeper just in case.

    Thanks

  10. #10
    DF VIP Member
    Mule's Avatar

    Default Re: FAO Mule re: Hijack this PM

    If it's there it would be under the 'startup' tab. Have a look through all the things listed there and post anything that you don't recognise, which may well be most of it. Unfortunately you can't cut and paste it, so it might be easier to do a couple of screenshots of it instead; up to you.

    I expect you'll get the same alarm every time you reboot until it's removed.

  11. #11
    DF VIP Member lombie's Avatar

    respect Re: FAO Mule re: Hijack this PM

    a
    Last edited by lombie; 4th August 2009 at 03:13 PM. Reason: coming up with my details in a google search

  12. #12
    DF VIP Member
    Mule's Avatar

    Default Re: FAO Mule re: Hijack this PM

    My poor eyes!


    It looks ok actually, I'm not sure where else it could be running from.

  13. #13
    DF VIP Member lombie's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Quote Originally Posted by Mule
    My poor eyes!


    It looks ok actually, I'm not sure where else it could be running from.
    Thanks for all your efforts anyway Mule - it's been much appreciated.

    You were right about the warning every time on startup, but I can live with that as the pop-ups and virus stuff have all gone.

    :thumbs

  14. #14
    DF VIP Member
    Mule's Avatar

    Default Re: FAO Mule re: Hijack this PM

    I'm sure someone will come up with a way to get rid of it for you, my brain has melted for the day which means it's time for a glass of wine.

  15. #15
    DF VIP Member flumperino's Avatar
    Join Date
    Jan 2004
    Location
    Isle of flumps
    Posts
    9,612
    Thanks
    521
    Thanked:        679
    Karma Level
    882

    Default Re: FAO Mule re: Hijack this PM

    Quote Originally Posted by lombie

    mHotkey
    gcasServ
    dumpprep 0-k
    gsicon
    Datalayer
    SVChost
    gcasServ is to do with MS Antispyware mate
    svchost is a system process that runs DLLs or something. You don't want to stop it, put it that way.

    the others I don't know, sorry

    Shooooooo-ryuken!

  16. #16
    DF VIP Member
    Mule's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Quote Originally Posted by lombie
    Thanks for all your efforts anyway Mule - it's been much appreciated.

    You were right about the warning every time on startup, but I can live with that as the pop-ups and virus stuff have all gone.

    :thumbs
    If you still haven't got rid of it then this program lists all auto-starting apps on your computer;

    http://www.lurkhere.com/~nicefiles/startuplist1521.zip

  17. #17
    DF VIP Member lombie's Avatar

    Default Re: FAO Mule re: Hijack this PM

    Quote Originally Posted by Mule
    If you still haven't got rid of it then this program lists all auto-starting apps on your computer;

    http://www.lurkhere.com/~nicefiles/startuplist1521.zip
    Touch wood, Mule, things have been fine over the last couple of weeks after your previous effort; the pop-ups and registry alterations have even stopped.
    Last edited by lombie; 2nd September 2005 at 04:22 PM.
