Followed all instructions, please review HJT log

Welcome to MGs!

Please complete step 6 of the READ ME and attach the requested logs.

Also perform step 7 of the READ ME and get HJT installed properly as in the instructions.

You have a Wareout infection that we must fix. But first please do the above and attach a new HJT log and the two online scanner logs.

 

Have you installed HJT properly yet? I requested a new HJT log be posted after installing it correcly.

 

After getting HJT installed properly, continue with the below:

Look in Add/Remove programs for UnSpyPC and uninstall if found.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

• Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
• Click Next, then Install.
• Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
• The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.
• When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:

O17 - HKLM\System\CCS\Services\Tcpip\..\{59E1A42E-F7CF-4AD3-8B61-0443A2EED95A}: NameServer = 85.255.115.2,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FBEC085-09B2-4736-83A5-5E19B04901DA}: NameServer = 85.255.115.2,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F70F8AB6-E6C9-47DE-871C-5C0939E254F5}: NameServer = 85.255.115.2,85.255.112.8

After clicking Fix Checked, close HijackThis, and click OK to proceed.

At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
C:\WINDOWS\system32\hhk.
C:\Program Files\UnSpyPC <--- delete the whole folder if found

Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

There could be additional cleanup to do from Wareout and it the log will let us know.

Also attach a new HijackThis log.

 

If these IP address belong to you ISP, you need to change ISPs.

They belong to inhoster which is a well know malware site and is being added to many black lists

I don't think they are for your ISP.

 

You still did not install HJT as requested. You have it exactly where we specify not to install it (on your Desktop & in Docs & Settings)
C:\Documents and Settings\Thomas Warton\Desktop\hijackthis\HijackThis.exe

But right now it may not matter since we could almost be finished. However for future use, you must get it installed properly.

Look for the below two files and delete them:
C:\WINDOWS\SYSTEM32\CSGNT.EXE
C:\WINDOWS\SYSTEM32\DMWUS.EXE

Let me know how things are working now.

 

Sorry I missed one (and you should get HJT installed properly first) why are you having such a big problem doing this.


Have HJT fix the below line:
O4 - HKLM\..\Run: [dmpej.exe] C:\WINDOWS\system32\dmpej.exe

Also look for C:\WINDOWS\system32\dmpej.exe and delete if found. Delete in safe mode if necessary.

Then reboot and see how things are working.

 

Do not use Windows Search. We did not enable it to look for hidden and system files. We enabled Windows Explorer to show hidden and system files in step 1 of the read me. This a manual procedure where you expand the folders yourself and look for files. For Windows Search to work you would need to follow the steps in the below:

Searching for Hidden Files on WinXP

You system is still infected and it may be Wareout.

First right click on the MS Antispyware icon in your system tray and select Shutdown Microsoft Antispyware (answer yes or ok when it prompts you).


Now we will run the Wareout fix again.

Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:

O4 - HKLM\..\Run: [dmpfx.exe] C:\WINDOWS\system32\dmpfx.exe

After clicking Fix Checked, close HijackThis, and click OK to proceed.

At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
C:\WINDOWS\system32\dmpej.exe
C:\WINDOWS\SYSTEM32\DMWUS.EXE
C:\WINDOWS\system32\dmpfx.exe

Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

There could be additional cleanup to do from Wareout and it the log will let us know.

Now run the following procedure and attach the Ewido log: Running Ewido Security Suite

After running Ewido, make sure you are in normal boot mode and attach a new HijackThis log.

 

Your problem keeps mutating. Possibly at each reboot or upon attempting some fixes. You must try to watch for the above type O4 lines in HJT and recognize them. The reason you did not find the above one is because it probably renamed itself. In the last log you posted, it is now:

O4 - HKLM\..\Run: [dmtuy.exe] C:\WINDOWS\system32\dmtuy.exe

It should be easy for you to find any new line(s) since it would be the only new or changed line since posting your last log. Also note the process name in the [ ] is the same as the file name at the end of the line.

Thus, if you do not find what I put into a cleanup procedure, locate that actual problem line and substitute in whatever it is at the present time.

Also when trying to delete files, you must make absolutely sure you have done all of step 2 in the READ ME correctly. Why is it that now all of a sudden you could find C:\WINDOWS\SYSTEM32\CSGNT.EXE when you could not find it before? It was always there. Also it would be a good idea to sort make sure you have selected View, Details in Windows Explorer and then make sure you sort the contents of the C:\windows\system32 folder by Date Modified. This way all the problem files will probably show current dates and you may find more of them.

Let's try the procedure again (keeping in mind the above) and with a slight change in directions. I want you to make sure you are physically disconnected (unplug the cable) from the internet while running the steps. I will tell you when to disconnect.

Please delete your previous copy of FixWareOut and download FixWareout again (just in case a new version is out) from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

• Save it to your desktop.
• Physically Disconnect from the internet now (so print the instructions or save locally to refer to while disconnected). Do not reconnect until specified.
• Run fixwareout.exe by double clicking on it. It creates a folder named c:\fixwareout.
• Click Next, then Install.
• Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
• The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.
• When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:

O4 - HKLM\..\Run: [dmtuy.exe] C:\WINDOWS\system32\dmtuy.exe

Or whatever the new name is.



After clicking Fix Checked, close HijackThis, and click OK to proceed.

At the end of the fix, reboot into safe mode and use Windows Explorer to double check for any of the below files and delete if found (remember to try sorting by Date Modified and look for others):
C:\WINDOWS\system32\dmtuy.exe
C:\WINDOWS\SYSTEM32\CSGNT.EXE
C:\WINDOWS\SYSTEM32\DMDZU.EXE
C:\WINDOWS\SYSTEM32\DMQWO.EXE

Goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner and let in cleanup.

Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

Also attach a new HijackThis log. Please do not reboot or power down after posting these logs.

 

This all sounds a little contradictory. Are you saying that you could not run FixWareOut but then you rebooted and you were able to run it without a problem?

What happened during the time you said it would not run?

The below should not be running anymore when you get a log to attach here.
C:\fixwareout\SUB\BFU.exe

It should only be running during the fix interval.

At anyrate, your HJT log was clean. Is it still clean?
The below file from the fixwareout log must be deleted:
C:\WINDOWS\SYSTEM32\DMFLQ.EXE

Let me know if everything is still clean (look for any of those O4 lines).

 

If that was still running, it means that the fiwwareout program had not completed its task yet. BFU is Brute Force Uninstaller which is part of what fixwareout uses to help clean the problem up. So I was just indicating it was not the correct time to be getting a log to post since the tool had not finished running.

The tool removes a bunch of registry keys created by the infection and also attempts to locate all the bad executable & other files to remove them (there are many of them). The log shows possible suspect files that remain. Not all items shown in the log are always bad (like ipsec6.exe which is valid).

No! As you noted there are no lines in HJT anymore. You need to delete the file yourself as we did in previous messages using Windows Explorer.

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome! Just send your friends to MGs for help!

Malware never sleeps so we are not allowed to either!