need help plz

Discussion in 'Malware Help (A Specialist Will Reply)' started by funlovinguy2424, Jan 3, 2006.

  1. funlovinguy2424

    funlovinguy2424 Private E-2

I'm still having problems. The only thing I've noticed and can't seem to get rid of is a Trojan Generic LZZ. I'll post my logs from BitDefender, Panda and HijackThis.
     

    Attached Files:

  2. funlovinguy2424

    funlovinguy2424 Private E-2

Here is the HijackThis log. I can't seem to paste the BitDefender log; it is too big.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot the BitDefender log.

    You must install HJT properly per step 7 of the READ & RUN ME. You have it here:

    C:\Documents and Settings\Ryan Tyrell\Desktop\HijackThis.exe

    which is exactly where we request that it not be installed. Fix this before continuing.
    The directions linked in step 7 also request that you do not use msconfig to control startups which could hide things we need to see. Please follow the directions and select Normal Startup.

Why did you install Spybot to your Desktop? Do not install any programs to your Desktop. They should be installed in their default folders, which are normally under C:\Program Files. Uninstall it and then reinstall properly.


    You have a Wareout infection and more.

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch (if it does not automatically run, run it yourself). Please click Scan, and check the following items if they still exist:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {C16D8025-A062-AC11-8DB1-89304070462F} - zantu.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [install2] SAPSTR.exe
    O4 - HKLM\..\Run: [panel_its] vxdman.exe
    O4 - HKLM\..\Run: [dmdau.exe] C:\WINDOWS\system32\dmdau.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [ERTYDF] TForm1.exe
    O4 - HKCU\..\Run: [backorif] qwe.exe
    O4 - HKCU\..\Run: [atl_helper] xxtoolbar.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C202F874-4878-468C-A2DD-BAC91C4547E1}: NameServer = 85.255.116.37,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDE7EFF4-8C27-4E6E-90A1-9F797F84CD57}: NameServer = 85.255.116.37,85.255.112.184



    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\windows\system32\zantu.dll
    C:\windows\system32\SAPSTR.exe
    C:\windows\system32\vxdman.exe
    C:\WINDOWS\system32\dmdau.exe
    C:\windows\system32\TForm1.exe
    C:\windows\system32\qwe.exe
    C:\windows\system32\xxtoolbar.exe
    C:\WINDOWS\SYSTEM32\favset.exe
    C:\WINDOWS\SYSTEM32\sdkbg32.exe
    C:\GatorPatch.log
    C:\WINDOWS\appaz32.exe
    C:\WINDOWS\rdt.ini
    C:\Program Files\UnSpyPC <--- delete the whole folder

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    Also attach a new HijackThis log.
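The reply above works through a HijackThis log by hand: R3 hooks whose file is missing, O4 Run values that are bare filenames or that live in system32, and O17 entries whose NameServer addresses were changed by the Wareout infection. The following is an added example, not code from this thread or from the HijackThis or FixWareout authors, that parses lines of that format and flags those same patterns. The sample log, the expected DNS address 192.168.0.1, and the dm???.exe name heuristic (built from the dmdau/dmtlb/dmarr/dmqly names that appear later in this thread) are all constructed for the example.

```python
import re

# Constructed sample: HijackThis lines of the kinds discussed in this thread (not a real log)
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {C16D8025-A062-AC11-8DB1-89304070462F} - zantu.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [install2] SAPSTR.exe
O4 - HKLM\..\Run: [dmdau.exe] C:\WINDOWS\system32\dmdau.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C202F874-4878-468C-A2DD-BAC91C4547E1}: NameServer = 85.255.116.37,85.255.112.184
"""

ENTRY_RE = re.compile(r'^(?P<type>[A-Z]\d*) - (?P<body>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
NS_RE = re.compile(r'NameServer = (?P<ips>[\d.,]+)')
# Heuristic constructed from the dmdau/dmtlb/dmarr/dmqly names that rotated in this thread
ROTATING_NAME = re.compile(r'^dm[a-z]{3,4}\.exe$', re.IGNORECASE)


def parse_hjt(text):
    """Parse HijackThis log lines into dicts; unknown section types keep only type and raw text."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        entry = {"type": m.group("type"), "raw": raw, "file_missing": "(file missing)" in raw}
        if entry["type"] == "O4":
            m4 = O4_RE.match(raw)
            if m4:
                entry.update(m4.groupdict())
        elif entry["type"] == "O17":
            m17 = NS_RE.search(raw)
            entry["nameservers"] = m17.group("ips").split(",") if m17 else []
        entries.append(entry)
    return entries


def find_suspicious(entries, expected_dns):
    """Return (raw_line, reason) pairs for entries a reviewer would want to look at."""
    findings = []
    for e in entries:
        if e["type"] == "O4" and e.get("cmd") is not None:
            cmd = e["cmd"].strip().strip('"')
            parts = cmd.split("\\")[-1].split()
            exe = parts[0] if parts else ""
            if "\\" not in cmd:
                findings.append((e["raw"], "Run value is a bare filename resolved via the search path; its real location is unknown"))
            elif ROTATING_NAME.match(exe) and "\\system32\\" in cmd.lower():
                findings.append((e["raw"], f"{exe} in system32 matches the rotating dm???.exe naming seen in this thread"))
        elif e["type"] == "O17":
            unexpected = [ip for ip in e["nameservers"] if ip not in expected_dns]
            if unexpected:
                findings.append((e["raw"], "DNS servers not in the expected set: " + ", ".join(unexpected)))
        elif e["file_missing"]:
            findings.append((e["raw"], "entry points at a file that is no longer present (orphaned hook)"))
    return findings


if __name__ == "__main__":
    # The expected DNS set is constructed; on a real machine use the resolver addresses the router or ISP assigns
    for raw, reason in find_suspicious(parse_hjt(SAMPLE_HJT), expected_dns={"192.168.0.1"}):
        print(f"{reason}\n    {raw}")
```

The O17 check is the one that catches a DNS hijack like the one in this thread: the machine still resolves names, so nothing looks broken to the user, but every lookup goes through servers the attacker controls. Comparing the NameServer values against the addresses the router or ISP actually hands out is the only way to notice it from a log.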
     
  4. funlovinguy2424

    funlovinguy2424 Private E-2

OK, here are the new logs. I hope I've done this right.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Please make sure you converted the BitDefender log to text using the directions in step 6 and see if you can attach it. If not, compress it into a ZIP file and upload the ZIP.

    Also look for the below file and delete it:

    C:\WINDOWS\SYSTEM32\DMMAL.EXE

    Tell me if you find it and get it deleted.
     
  6. funlovinguy2424

    funlovinguy2424 Private E-2

I couldn't find that file, so I couldn't delete it.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Make sure you have performed step 2 of the READ ME exactly and check for the file again.
     
  8. funlovinguy2424

    funlovinguy2424 Private E-2

That file must not be around anymore; I followed the directions exactly.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

It may have been replaced with another file name. I still saw problems in your last HJT log related to WareOut. Let's run the fix again. Make sure you delete the previous copy and download the tool again. This way we are sure to have the current version.


    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch (if it does not automatically run, run it yourself). Please click Scan, and check the following items if they still exist:
    O4 - HKLM\..\Run: [dmtlb.exe] C:\WINDOWS\system32\dmtlb.exe


    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\WINDOWS\system32\dmtlb.exe

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    Also attach a new HijackThis log.
     
  10. funlovinguy2424

    funlovinguy2424 Private E-2

Didn't find that file either; it must be gone.
Here is the HijackThis log from before the normal restart and the FixWareout log from the same time.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now the file is: C:\WINDOWS\SYSTEM32\DMARR.EXE

    Also fix the HJT line:
    O4 - HKLM\..\Run: [dmarr.exe] C:\WINDOWS\system32\dmarr.exe

    Find it and delete it. It is there. If you are not finding it, you did not enable viewing of hidden files.
     
  12. funlovinguy2424

    funlovinguy2424 Private E-2

Here's what the latest HijackThis log says.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Did you find the file last time?

Now it renamed itself again.
    O4 - HKLM\..\Run: [dmqly.exe] C:\WINDOWS\system32\dmqly.exe

    Did you reboot since last time? If so, don't reboot anymore unless requested.

    Fix the new line and delete the new file. Tell me the results. Also run the steps in the below and attach the requested log.

    Using GetRunKey
     
  14. funlovinguy2424

    funlovinguy2424 Private E-2

I fixed this O4 - HKLM\..\Run: [dmqly.exe] line, but I am having problems deleting C:\WINDOWS\system32\dmqly.exe. It says it is running, and I don't know what to turn off to stop it from running.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Another line may have taken the O4 line's place too, so double check. To stop the running process, try using the below tool:

    ProcessExplorer for Win NT/2K/XP

    Run it and then locate the dmqly.exe process and right click on it and select Kill process tree. Then try to delete the file.

    Also repeat if a new O4 line appeared in the HJT log.
     
  16. funlovinguy2424

    funlovinguy2424 Private E-2

OK, deleted the file and the MS-DOS thing with the same name. That program worked and I was able to delete it. Then I fixed it again through HijackThis, and here is the new logfile.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's not a HijackThis log. It's the GetRunKey log and it still shows:

    "dmqly.exe"="C:\\WINDOWS\\system32\\dmqly.exe"

    What's in your HJTlog?
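The last several replies show the same Run value coming back under a new name after each reboot (dmtlb.exe, then dmarr.exe, then dmqly.exe), always in system32 and always with the same shape, and the GetRunKey log quoted above shows the entry in regedit export syntax. The following is an added example, not code from this thread or from the GetRunKey tool, that diffs two such snapshots and pairs a removed Run value with an added one whose target has the same directory, extension, name length and shared prefix, which is exactly the self-renaming pattern being chased here. Both snapshots, the "SampleTray" benign entry, and the two-character prefix threshold are constructed for the example.

```python
import ntpath
import re

# Two constructed GetRunKey-style snapshots in regedit export syntax (the format quoted
# in the thread), taken one reboot apart. "SampleTray" is a made-up benign entry for contrast.
SNAPSHOT_BEFORE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmarr.exe"="C:\\WINDOWS\\system32\\dmarr.exe"
"SampleTray"="\"C:\\Program Files\\SampleVendor\\tray.exe\" /background"
'''
SNAPSHOT_AFTER = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmqly.exe"="C:\\WINDOWS\\system32\\dmqly.exe"
"SampleTray"="\"C:\\Program Files\\SampleVendor\\tray.exe\" /background"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def parse_reg_export(text):
    """Map (key, value_name) -> unescaped string data for every REG_SZ line in an export."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            # regedit escapes backslashes and quotes inside data with a backslash
            data = re.sub(r'\\(.)', r'\1', vm.group("value"))
            values[(key, vm.group("name"))] = data
    return values


def diff_snapshots(before, after):
    """Return (removed, added) lists of (key, name, data) between two parsed snapshots."""
    removed = [(k, n, v) for (k, n), v in before.items() if (k, n) not in after]
    added = [(k, n, v) for (k, n), v in after.items() if (k, n) not in before]
    return removed, added


def _exe_path(data):
    # Strip surrounding quotes and trailing arguments, keeping just the executable path
    m = EXE_RE.match(data)
    return m.group("path") if m else data.strip('"')


def rotation_candidates(removed, added):
    """Pair a removed Run entry with an added one whose target is the same directory, same
    extension, same name length and shares a prefix: the shape of a self-renaming file."""
    out = []
    for _, _, old_data in removed:
        old_dir, old_file = ntpath.split(_exe_path(old_data))
        old_stem, old_ext = ntpath.splitext(old_file)
        for _, _, new_data in added:
            new_dir, new_file = ntpath.split(_exe_path(new_data))
            new_stem, new_ext = ntpath.splitext(new_file)
            same_shape = (old_dir.lower() == new_dir.lower()
                          and old_ext.lower() == new_ext.lower()
                          and len(old_stem) == len(new_stem)
                          and old_file.lower() != new_file.lower())
            shared = 0
            for a, b in zip(old_stem.lower(), new_stem.lower()):
                if a != b:
                    break
                shared += 1
            if same_shape and shared >= 2:
                out.append((old_file, new_file, old_dir))
    return out


if __name__ == "__main__":
    removed, added = diff_snapshots(parse_reg_export(SNAPSHOT_BEFORE), parse_reg_export(SNAPSHOT_AFTER))
    for old, new, directory in rotation_candidates(removed, added):
        print(f"{old} -> {new} in {directory}: looks like the same persistence entry under a new name")
```

Keeping each GetRunKey or HijackThis log instead of overwriting it is what makes this possible: a single log shows one odd name, but two logs side by side show the rename, and that is the signal that the file on disk and the Run value have to be removed in the same pass, before the next reboot lets it rotate again.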
     
  18. funlovinguy2424

    funlovinguy2424 Private E-2

I don't understand why it keeps popping up. I'll fix-check the file and then run HJT again and it won't show; then, like 5 minutes later, it shows again, and it is gone from the system32 folder.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah but maybe it is gone because that is the same line as last time.

What's in your HJT log now? If you look for C:\WINDOWS\system32\dmqly.exe, is it there?

    Also give the steps in the below a run and attach the Ewido log when finished.

    Running Ewido Security Suite

    Also do the below.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
    Last edited: Jan 27, 2006
  20. funlovinguy2424

    funlovinguy2424 Private E-2

So it's still there in the HJT log, but I couldn't find C:\WINDOWS\system32\dmqly.exe.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so have you tried using HJT to fix that remaining line:

    O4 - HKLM\..\Run: [dmqly.exe] C:\WINDOWS\system32\dmqly.exe

And then see if it stays gone. Is it gone even after a reboot?

    I'm glad I had you run Ewido! We found a lot more stuff hidden in your registry and some more files too.
     
  22. funlovinguy2424

    funlovinguy2424 Private E-2

Here is the new HijackThis log after the reboot. I didn't see the file in the Windows folder either.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
