please help. strange probs.

Discussion in 'Malware Help (A Specialist Will Reply)' started by rufus1, Jan 1, 2006.

  1. rufus1

    rufus1 Private E-2

    hi all.

    I'm having trouble with my comp. When I type something into Google I'm redirected to various advertising sites. It kept trying to change my homepage to a blue screen with info about spyware. secure32.

    I've done everything asked in the first thread and the software found loads of stuff but it's still happening. I've got a log file from HijackThis.

    I was told it was 017 on the file so I fixed them and the internet doesn't work at all for me. Just says cannot find server. When I reboot 017 are back and so is the problem. Help needed please.


    Here's my log

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
     
    Last edited by a moderator: Jan 1, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You appear to have a wareout infection, first we need to get HJT properly installed.

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    • Click START > My Computer > Local Disc C: > Program Files
    • Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    • Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HJT) and click Next.

    After you have completed the above steps to relocate HJT, run it from the new location. Please save your HJT log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    After you complete the above, proceed with the below...

    Download FixWareout by Lonny and save it to your Desktop.
    • Please locate your download of FixWareout and INSTALL it.
    • Be sure that Run fixit is checked.
    • Click Finish to begin the fix.
    • Follow the prompts and Reboot when asked to do so.
    • Upon Reboot, follow the prompts

    After you complete the above steps, please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
    Last edited: Jan 1, 2006
  3. rufus1

    rufus1 Private E-2

    done the first bit, heres my log

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 1, 2006
  4. rufus1

    rufus1 Private E-2

    It didn't work. I've done all the other steps yesterday, should I repeat them?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please be patient, we will fix your problems. First, reboot into Safe Mode and run the Wareout Fix utility again then attach the log.

    But before you attach the log, run the thread below and attach the logs from the online scans. Then attach the fix wareout log, fresh HJT log and the online scan logs. Please ATTACH them, not post them inline!

    READ & RUN ME FIRST Before Asking for Support
     
  6. rufus1

    rufus1 Private E-2

    OK, seems to be running well now, thanks very much for help. Here's a log just in case. It's really not clear how to attach them, sorry.

    Inline log removed again!
     
    Last edited by a moderator: Jan 1, 2006
  7. rufus1

    rufus1 Private E-2

    Actually no, it's still not fixed???
     
  8. rufus1

    rufus1 Private E-2

    What else can I try?
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You are not following my instructions, you need to read my post carefully.

    Before we do anything else, go to the thread below and run everything that applies to you including the online scans.

    READ & RUN ME FIRST Before Asking for Support

    AFTER you have completed this thread above, attach the logs from the online scans, then a fresh HJT log.

    ATTACH the logs to your post, do NOT paste them inline!!
     
  10. rufus1

    rufus1 Private E-2

    C:\Program Files\hijackthis\hijackthis


    the 017 are back in the log
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm going to assume you did not see my previous post before posting so I will cut you a break.

    Read my previous post please.
     
  12. rufus1

    rufus1 Private E-2

    I've followed it all nothing was there were 2 items found on the Ad-Aware SE that were deleted, no log was given, the rest were all clear. This is a fresh log
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log shows no sign of this step being run! You MUST follow my instructions in order to remove this infection.
     
  14. rufus1

    rufus1 Private E-2

    OK, I'll do number 6 now, I forgot to go back to that, sorry.
     
  15. rufus1

    rufus1 Private E-2

    Here's the 1st scan. It found something anyway. :)
    It exceeds the size limit, it's 254.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    ZIP it and attach it, if you still can't upload it, paste it inline.
     
  17. rufus1

    rufus1 Private E-2

    Here's the Panda scan results
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    While you are finishing the online scans, I am going to get a little rest. I will check back in a little bit.

    After you complete the online scans and attach the log follow the below...

    Please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  19. rufus1

    rufus1 Private E-2

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 1, 2006
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now run Ewido as requested in previous thread, post the Ewido log with a fresh HJT log and I will check back in a little bit.
     
  21. rufus1

    rufus1 Private E-2

    Thanks. New HJT here, but the last one didn't give me a log although it did find 9 items and fixed them.
     

    Attached Files:

  22. rufus1

    rufus1 Private E-2

    I can't seem to put what was removed with Ewido up. There's nothing in the report but the items are in the quarantine section, but they're just numbered files.
     
  23. rufus1

    rufus1 Private E-2

    Here's my new log from the wareout thing. I ran it again after using SpywareBlaster.
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [dmpna.exe] C:\WINDOWS\system32\dmpna.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.



    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, proceed with the below steps...

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Finally, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete this entire fix, reboot once more and attach a fresh HJT log with a fresh log from the FixWareout Tool.
     
  25. rufus1

    rufus1 Private E-2

    Here's a wareout tool log
     

    Attached Files:

  26. rufus1

    rufus1 Private E-2

    hijack this log
     

    Attached Files:

  27. rufus1

    rufus1 Private E-2

    017's are still there. stubborn bums.
     
  28. rufus1

    rufus1 Private E-2

    :mad: can anyone help me get rid of this problem:)
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please be patient, there are bowl games today and besides we are all volunteers, we come in here when we have time.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Microsoft AntiSpyware

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [dmwpi.exe] C:\WINDOWS\system32\dmwpi.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\dmtpp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\dmwpi.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, attach a fresh HJT log and run FixWareout once more and then attach this log.
     
  30. rufus1

    rufus1 Private E-2

    Sorry to seem frustrated, I really appreciate your help and would be stuck big time without it.
    Here's my logs
     

    Attached Files:

  31. rufus1

    rufus1 Private E-2

    hjt log
     
  32. rufus1

    rufus1 Private E-2

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 2, 2006
  33. rufus1

    rufus1 Private E-2

    O4 - HKLM\..\Run: [dmwpi.exe] C:\WINDOWS\system32\dmwpi.exe

    I didn't have this in my log to delete when I did it that time. I just did the 2 017's
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What? You should not be editing the logs.....

    Listen, you are going to have to quit rebooting. These are just mutating on every reboot.

    Run Fixwareout, reboot, attach the log, run HJT, attach the log.

    DO NOT REBOOT AGAIN UNTIL I POST A FIX!
     
  35. rufus1

    rufus1 Private E-2

    fixwareoutlog
     

    Attached Files:

  36. rufus1

    rufus1 Private E-2

    Now if I do a new HijackThis log it will have the 017's in them, should I do this??
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, do not do anything yet! Run this fix!

    Have HJT fix the below entry:

    O4 - HKLM\..\Run: [dmqoz.exe] C:\WINDOWS\system32\dmqoz.exe

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\dmqoz.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, attach a fresh HJT log.
     
  38. rufus1

    rufus1 Private E-2

    Hi, I haven't got that 04 now because I had to open another HijackThis. Now I've got the 017's and the 04 but it's dmilo not dmqoz. I presume it's these I need to fix?
     
  39. rufus1

    rufus1 Private E-2

    Should I follow your instructions with those 3?
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You MUST quit rebooting, when you post a log and reboot, the previous log is useless. You HAVE TO QUIT REBOOTING!!!!!!!

    Post a HJT log and DO NOT REBOOT!!!!!!!!!!!
     
  41. rufus1

    rufus1 Private E-2

    OK, I've just opened a new log and won't touch anything until further instructions.
     

    Attached Files:

  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix these entries:

    O4 - HKLM\..\Run: [dmilo.exe] C:\WINDOWS\system32\dmilo.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\dmilo.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete this, attach a fresh Wareout fix log with a fresh HJT log.
     
  43. rufus1

    rufus1 Private E-2

    Can I just confirm that you want me to reboot after these steps?
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you enter the file into Killbox, this will reboot your computer. After your computer has rebooted, attach a fresh HJT log with a wareout fix log.
     
  45. rufus1

    rufus1 Private E-2

    OK, here's my HJT log. Now if I do a fixwareout log it's going to automatically reboot my comp. Do you want me to do this?
     

    Attached Files:

  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! I will be waiting on the log.
     
  47. rufus1

    rufus1 Private E-2

    ok here we are.
     

    Attached Files:

  48. rufus1

    rufus1 Private E-2

    And a fresh HJT
     

    Attached Files:

  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix these 2 entries:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196

    After you fix these entries, reboot, each time open a browser to your homepage close it and reboot again. Do this about 3 times then attach a fresh HJT log.

    This is to confirm it won't come back.
     
  50. rufus1

    rufus1 Private E-2

    Here we are, did it 3 times. The 017 are still there though, but the 04 seems to have gone.
     

    Attached Files:
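
The pattern this thread keeps running into (the same O17 NameServer values surviving every fix while the O4 Run entry comes back under a new name after each reboot) can be checked mechanically across successive logs. The Python below is an added example, not part of any post and not part of HijackThis; the snapshots are constructed from the O4/O17 lines quoted in the thread, and the `ExampleTray` entry and the allowed resolver `192.168.1.1` are assumptions.

```python
import re

# O4 autorun and O17 DNS lines in the form HijackThis prints them.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O17_RE = re.compile(r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\"
                    r"(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")

def parse_hjt(log_text):
    """Return (run, dns): Run values as {name: path} and NameServer
    lists keyed by (control set, interface GUID)."""
    run, dns = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            run[m.group(2)] = m.group(3)
        elif m := O17_RE.match(line):
            dns[(m.group(1), m.group(2))] = re.split(r"[ ,]+", m.group(3).strip())
    return run, dns

def rogue_dns(dns, allowed):
    """Interfaces whose static NameServer list names a resolver outside `allowed`."""
    return {k: v for k, v in dns.items() if any(ip not in allowed for ip in v)}

def respawned_autoruns(snapshots):
    """Run entries present in exactly one snapshot: a name that changes per reboot."""
    seen = {}
    for i, text in enumerate(snapshots):
        for name in parse_hjt(text)[0]:
            seen.setdefault(name.lower(), set()).add(i)
    return sorted(n for n, idx in seen.items() if len(idx) == 1)

# --- constructed input, built from entries quoted in posts 24, 29 and 42 ---
O17 = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{0911AD1A-AFE7-41AE-BB9E-05BD730DB433}: NameServer = 85.255.116.162 85.255.112.196"""
STABLE = r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe"  # assumed benign entry
O4_TMPL = r"O4 - HKLM\..\Run: [%s.exe] C:\WINDOWS\system32\%s.exe"

SNAPSHOTS = ["\n".join([STABLE, O4_TMPL % (n, n), O17])
             for n in ("dmpna", "dmwpi", "dmilo")]
ALLOWED = {"192.168.1.1"}  # assumed legitimate resolver for this network

if __name__ == "__main__":
    for (cs, guid), servers in rogue_dns(parse_hjt(SNAPSHOTS[-1])[1], ALLOWED).items():
        print("unexpected NameServer", cs, guid, servers)
    print("autoruns that changed name between logs:", respawned_autoruns(SNAPSHOTS))
```

Each snapshot must come from a separate boot for the second check to mean anything, which is why the helper's logs are only comparable when no reboot happens between a log and its fix.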

