WEB Hijacked, Cleaner Applications Hang

Discussion in 'Malware Help (A Specialist Will Reply)' started by jeanjr, Sep 26, 2006.

  1. jeanjr

    jeanjr Private E-2

    Hi,

    In the last four days, a 2-week built Dell P4 2MBRAM XP–Prof often turns very slow.

    WEB pages are hijacked showing “The page cannot be displayed” or going to P?E?N?I?$.??? pages {-\

    I drilled down into forums and unsuccessfully performed the Major Geek’s “Read & Run Me First before Asking …” instructions.

    When I tried the cleaners as recommended, Windows Task Manager shows 100% CPU in all modes; safe/normal, restore off/on, all services/no service at all, LAN or not:

    • CCleaner hangs in “Scan for issues”;

    • Spybot S&D hangs at Win32.Sober; “Running bot-check (5135/47020)”; I even reinstalled Spybot but same result;

    • Avast scan hangs at C:\WINDOWS\system32 in all modes; booted in safe, no services no other process.

    • Symantec FixSbr.exe stuck at C:\WINDOWS\system32\zonedon.reg not responding;

    • No strange processes shown in Windows Task Manager.

    Before posting hijack results, could anybody suggest something to do?

    Thanks in advance to well devoted Guru.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have completed the steps in the READ ME then please attach the requested logs.

    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. jeanjr

    jeanjr Private E-2

    Malware Fighting Freak,

    Please don't think I underestimate your offer for help by not responding quickly.

    I am just trying to do as much as possible on my side. Your time & expertise is very valuable (I know what I am talking about as a supervisor of a large server farm in a quite big gov. dept.).

    If I can get fix my problem in the following dates, allow me to post your suggested logs.

    Regards,
    J.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just post your logs if you need my help.
     
  5. jeanjr

    jeanjr Private E-2

    Hi bjgarrick,

    I cannot get rid of:

    - Selection from Google result redirected from time to time; and

    - Active Protection has blocked the new startup program dmhus.exe from being installed in your startup registry. Name & path: c:\windows\system32\dmhus.exe

    Attached are the first 3 requested files, and I will post the other 3 in a minute.

    Looking forward to hearing from you,
    J.
     


  6. jeanjr

    jeanjr Private E-2

    bjgarrick,
    Here are the 3 other requested files,

    Good luck,
    J.
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It appears you have a Wareout infestation. Navigate to the site below and follow the instructions here. Once you have completed it, attach a fresh HJT log with the log from the utility.

    Also, before you attach a new HJT log, relocate your HJT to a safer location such as C:\Program Files\HJT.

    WareOut Removal
     
  8. jeanjr

    jeanjr Private E-2

    Hello bjgarrick,

    Attached is the FixWarehouse log and the HJT log made from a safer location after FixWarehouse run in normal OS mode.

    Note that:
    A. CounterSpy detected 4 changes that I blocked while FixWarehouse was running. One of them was in policies.

    B. I recognized in the FixWarehouse log DMHUS.EXE that some mysterious process tries to start from time to time, but blocked by CounterSpy.

    Should I run FixWarehouse again and authorize the changes, and should I run it in safe mode without Restore on?

    Thanks once again,
    J.
     
  9. jeanjr

    jeanjr Private E-2

    Hops bjgarrick,

    Here are the attachments
     


  10. jeanjr

    jeanjr Private E-2

    Hi

    I just had the following CounterSpy message

    ===================================
    An attempt is being made to add a program to your startup registry. Startup programs are loaded automatically when Windows boots up.
    A startup Program Required Approval

    An attempt is being made to add a program to your startup registry. Startup programs are loaded automatically when Windows boots up. Name:

    c:\program files\le robert\le petit robert\prhyper.exe (followed by non-ASCII chars)


    ===================================
    Which I block.

    Would you have any idea where it is coming from and how I can prevent it?

    Regards,

    J.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    My fault, I forgot to mention you must close everything running including antivirus and antispy programs.

    Once you have closed everything, run the fix again.

    Be sure you remove the entries below in HJT.

     
  12. jeanjr

    jeanjr Private E-2

    Hi bjgarrick,

    I have just preciously re-run FixWarehouse, deleted with HJT the three lines, rebooted twice, run HJT and attached the log.

    The 3 lines are gone and unless you see something suspicious, thanks a thousand times. I am impressed.

    J.

    PS: Any directions for me to read & learn to do what you did with HJT.log?
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I also need the log from WareoutFix from the last time you ran it. Also, I need you to relocate your HJT from its current location to a safer location such as C:\Program Files\HJT.

    Once you have relocated it, attach the two logs to your next post.

     
  14. jeanjr

    jeanjr Private E-2

    I don’t understand patient Guru, it was run from

    C:\Documents and Settings\JeanJr\My Documents\......\....\PC\Virus\....\Hijack

    In any case, here is the log from the now only HJT.exe copy in my system run in C:\Program Files\HJT and the copy WareoutFix log below (I cannot attach it)

    J.

    "When You Come To A Fork In The Road, Take It." Yogi Berra

    edit by bjgarrick: log attached!
     


    Last edited by a moderator: Oct 21, 2006
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good. I would recommend installing a firewall. Please see the thread below for a list of free ones.

    Are you having any current problems?

    How to Protect yourself from malware!
     
  16. jeanjr

    jeanjr Private E-2

    Thanks a million,

    How would I close the thread and do I have to?
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    You don't have to do anything. If you're not having any more problems, follow the "How To Protect" article and you're good to go.

    Surf Safely!
     
