PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] HiJackThis Log

  #8  
Old 01-11-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Originally Posted by AndiAndi
Thanks for your help!
I'm sure I disabled System Restore manually, but will do again.
Not sure how to empty the prefetch folder, but can follow directions if you let me know how. Also, how do I run ChckDsk?


Maybe you ran Ewido before disabling sysrestore, and to empty the prefetch folder, just navigate to it and delete the contents. If you don't see the prefetch folder then just copy this in the address bar and press enter:


C:\Windows\prefetch

And to run a diskcheck, in "My Computer" right-click your drive, select Properties, Tools, Check Now, and reboot.


(BTW, whenever I try and restart, I get a window:
End Program:
"ccAPP" this program is not responding, click End Now to end. Changes will be lost (or something like that). I have to click End Now to get it to restart.
We'll see to that later, maybe after removing all the malware that prob might be gone.


I see that you have "Spyware Cleaner" installed, that is not a recommended app and I would advise to uninstall it.
See here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Then boot in safemode and fix these with hjt:

O4 - HKLM\..\Run: [dmhqz.exe] C:\WINDOWS\system32\dmhqz.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF5BEA4-7CFB-482F-A702-89AF4D98CC6F}: NameServer = 85.255.115.118,85.255.112.12
Delete the file in bold. Also delete:

C:\WINDOWS\SYSTEM32\ENCODEX.EXE
C:\WINDOWS\SYSTEM32\CSFHF.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\DMASJ.EXE
C:\WINDOWS\SYSTEM32\DMLOX.EXE


And I would also disable the Windows Messenger service:


Please download Shoot The Messenger

Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state — running or disabled — that you desire.

If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.

Let's see if you still have any trojan warnings after that.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #9  
Old 01-11-2006
AndiAndi
Bronze Member
Join Date: Jan 2006
Posts: 14
trojan horses

Not sure if my last post went out.
This is great, Joe5, thanks for answering me. Other sites did not.
Here is what I did:
Ran Ewido again (see file attached);
verified that system restore was disabled;
emptied all 114 files in prefetch;
ran DiskCheck;
Could not find "Spyware Cleaner" (looked in Add/Remove Programs, and Run Search), but did remove Spyware Doctor 3.2 (not sure where it came from);
booted in SAFE Mode and ran HJT, but could not find:
O4 - HKLM\..\Run: [dmhqz.exe] C:\WINDOWS\system32\dmhqz.exe

but did find and delete:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF5BEA4-7CFB-482F-A702-89AF4D98CC6F}: NameServer = 85.255.115.118,85.255.112.12

Then deleted:
C:\WINDOWS\SYSTEM32\ENCODEX.EXE
C:\WINDOWS\SYSTEM32\CSFHF.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\DMLOX.EXE

but couldn't find:
C:\WINDOWS\SYSTEM32\DMASJ.EXE

Downloaded Shoot the Messenger and disabled service.

Rebooted, and NSW icon now works!

However, my internet searches are still getting hijacked! (i.e. if I open a browser, go to Google, type in anything, click on a link, I am taken to a different link). Any ideas? Thanks a lot, I think I am moving in the right direction.
Attached Files
File Type: txt Scan report_20060110.txt (772 Bytes, 1 views)


  #10  
Old 01-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looks like the Wareout managed to sneak its way back. Please run the Fixwareout again as I posted in my first post. After that run a new hjt scan, and post the logs from both please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #11  
Old 01-12-2006
AndiAndi
Bronze Member
Join Date: Jan 2006
Posts: 14
New Logs from Hijackthis and Fixwareout

Thanks for the help Joe. Sometimes there is a delay as I work 24 hour shifts.
Did what you said, rebooted, and attached are the new reports. I await your reply.
Attached Files
File Type: txt report.txt (540 Bytes, 1 views)
File Type: log hijackthis.log (7.9 KB, 1 views)


  #12  
Old 01-13-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

You have used a very old version of hjt this time, can you delete this one and then post the next log from the latest version of hjt? (the one you used before)


Then boot in safemode again and fix these with hjt:

O4 - HKLM\..\Run: [dmmlc.exe] C:\WINDOWS\system32\dmmlc.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
Then delete the files in bold and run Ccleaner.


Then post a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #13  
Old 01-14-2006
AndiAndi
Bronze Member
Join Date: Jan 2006
Posts: 14
hijack this log

See attached. I redownloaded hijack this and ran it, saved a new log, hope it worked. I'll get to the other stuff as soon as this posts.
Thank you.
Attached Files
File Type: log hijackthis.log (9.8 KB, 3 views)


  #14  
Old 01-14-2006
AndiAndi
Bronze Member
Join Date: Jan 2006
Posts: 14
hijack this log etc.

Here is a problem: I downloaded newest version (v.1.99.1 - hope this is it), ran it in SAFE, and don't see:

O4 - HKLM\..\Run: [dmmlc.exe] C:\WINDOWS\system32\dmmlc.exe

I think the button says "scan and save a log", so I assume it is not fixing it on its own.

I found (I hope):

O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

and deleted it.

Then ran cCleaner, and now attaching the latest log (attached).

I notice that if I go to Google, type something in, click on a link, my browser is still getting hijacked.

Thank you!
Attached Files
File Type: log hijackthis.log (9.6 KB, 1 views)
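
An added example, not part of the thread and not any poster's code: a small Python check for the two things the posts above keep coming back to, whether entries on a fix list are still present in a new HijackThis log, and whether an O17 NameServer value points at a resolver you do not expect. The sample log is constructed from lines quoted in the thread, and `ALLOWED_DNS` and the function names are assumptions made for the illustration.

```python
import re

# HijackThis entries look like "O4 - HKLM\..\Run: [name] path"
# or "O17 - <registry key>: NameServer = a,b"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$")

def parse_entries(log_text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries

def unexpected_nameservers(log_text, allowed):
    """List O17 NameServer addresses that are not in the allowed set."""
    found = []
    for section, body in parse_entries(log_text):
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if m:
            for addr in re.split(r"[,\s]+", m.group("servers").strip()):
                if addr and addr not in allowed and addr not in found:
                    found.append(addr)
    return found

def still_present(fix_list, log_text):
    """Entries from a helper's fix list that the new log still contains."""
    current = {(s, b.lower()) for s, b in parse_entries(log_text)}
    return [f for f in parse_entries(fix_list) if (f[0], f[1].lower()) in current]

# Constructed sample log; the O4/O17 lines are the ones quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF5BEA4-7CFB-482F-A702-89AF4D98CC6F}: NameServer = 85.255.115.118,85.255.112.12
"""
FIX_LIST = r"""O4 - HKLM\..\Run: [dmmlc.exe] C:\WINDOWS\system32\dmmlc.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
"""
ALLOWED_DNS = {"192.0.2.53"}  # assumption: the resolver your ISP or router actually hands out

if __name__ == "__main__":
    print("unexpected DNS:", unexpected_nameservers(SAMPLE_LOG, ALLOWED_DNS))
    print("still to fix:", still_present(FIX_LIST, SAMPLE_LOG))
```

A fix-list entry that is missing from the new log, as with the `dmmlc.exe` line here, is simply not reported; the check only says what is still present.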


