Member Panel

It keeps changing its name... now it is:

O4 - HKLM\..\Run: [dmziz.exe] C:\WINDOWS\system32\dmziz.exe

Try to fix it in normal mode this time.

Or if it changed name again , look for an entry like this: (*= random)

O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe

OK, reran Hijackthis in regular mode, found and removed the file, and then just tried Google again. Still hijacks it. Then ran Hijack this again, and the file was back! Removed it again w/HJT and tried to save log. When I look on my computer at the saved log, it is a .txt file. When I try and "manage attachments" on this site, and upload the exact file, it shows as a .txt file, but when I click on it, another page of pchelp comes up. I think the file is attaching, but I am getting hijacked even when I try and look at a .txt file. Please let me know if the attached file is showing the above referenced file as removed (as I have removed it w/HJT). Thanks.

Its gone this time.
Can you now run another fixwareout scan and post the log from that?

I pretty sure that the file we just removed was tied to the wareout infection , and it looks like it kept bringing the wareout infection back. First time i have seen it doing that though... i think it might be a new variant.

But after removing that file with hjt , it shouldn't come back anymore.

I ran another fixwareout scan and I think it ran another HJT scan and I removed the file that came back:
C:\WINDOWS\SYSTEM32\DMZIZ.EXE

I saved the fixwareout log and am attaching it.
Any ideas why it keeps coming back? Strange. My homepage also keeps resetting to MSN.
Thanks.

You can delete this file:

C:\WINDOWS\SYSTEM32\DMZIZ.EXE

And can you upload this file:

C:\WINDOWS\SYSTEM32\IPSEC6.EXE

to this site and report back the result?

http://www.virustotal.com/flash/index_en.html



Also please post a new hjt log. But ill have to do some searching on this one.. im pretty sure this is a new variant of wareout , normally the fixwareout has to be run once and youre done.

Deleted the DMZIZ.exe; uploaded the IPSEC6.EXE to VirusTotal and it said "No Virus Found" for all. Attached is a new HJT log.

I had recently also downloaded and ran Microsoft's AntiSpyware program. It found the following:

Aureate Group Mail (Adware):
C:\Windows\system32\gmaglue.exe

JumpJobby:
C\:Windows\system32\ajj.exe

JumpJobby:
C:\ProgramFiles\groupmail\ajj.exe

Possible Hosts File Hijack (Spyware):
C:\windows\hosts

Thank you for helping!

I dont see anything wrong running atm , and did you let MS AS fix those entry's?

And can you run a Panda active scan here and post the log from it:

http://www.pandasoftware.com/product...ACHEHINT=Guest


Also have a look if the fixwareout still finds the infection.