Win32.Qhost.DF

Discussion in 'Malware Help (A Specialist Will Reply)' started by medadoun, Jun 29, 2006.

  1. medadoun

    medadoun Private E-2

    hi
    It's been two weeks now that I'm trying to remove this trojan Win32.Qhost.DF from my registry, but so far everything I've done is unsuccessful :mad:. So I'm turning to you guys; hopefully you'll be able to help me.
    I followed every step in the READ & RUN ME FIRST page. Spybot Search and Destroy identified Pipas.A, and here you'll find my Bitdefender, my Panda and my Hijackthis logs.
    PLEASE HELP ME. THANK YOU
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please go back to step 7 of the READ & RUN ME and install HijackThis like the instructions indicate. You have it running exactly how we specify not to install it. Do this now before continuing.

    Did you install the Zero Knowledge stuff yourself? Do you like it? It does seem like at least part of it is broken based on the below line:
    O23 - Service: FreezeScreenSaver - Zero-Knowledge Systems Inc. - (no file)

    You have a couple of problems! One of them is a WareOut infection! You should print or save the below steps locally because you will have to be Offline (with ALL browsers closed) while running some of them. Do this NOW!

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    • Run Fixwareout.
    • Click Next,
    • then Install,
    • make sure Run fixit is checked
    • and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    When you run fixwareout, just follow the prompts, you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed, and run the below steps.

    • Go into Control Panel -->Network Connections.
    • Right click on your connection and click Properties.
    • On the Properties page, highlight Internet Protocol(TCP/IP)
    • Click Properties. This will bring up another page.
    • Select Obtain DNS Server Automatically.
    • Click the ok button. The page will close.
    • Press ok on the page in front of you.
    Now make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {62EDA11C-1C65-691B-34E6-C03404F130B7} - (no file)
    R3 - URLSearchHook: (no name) - {A73F9ABC-4880-1627-C19C-5A422E7AF3E5} - (no file)
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [WinInitDll] InpriseMon.exe
    O4 - HKLM\..\Run: [dmpfc.exe] C:\WINDOWS\system32\dmpfc.exe
    O4 - HKCU\..\Run: [iehelper] ftbar.exe
    O4 - HKCU\..\Run: [ExchangeMaster] xxtoolbar.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22.com/view22/app/view22rte.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73ACA1A8-F1DD-4118-BC82-8E4A1B402361}: NameServer = 85.255.116.109,85.255.112.84
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A91BCB04-7AFC-49AC-A5EC-DC34561A5521}: NameServer = 85.255.116.109,85.255.112.84

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\InpriseMon.exe
    C:\WINDOWS\system32\dmpfc.exe
    C:\WINDOWS\system32\ftbar.exe
    C:\WINDOWS\system32\xxtoolbar.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode, open your browser, come here and attach two items:
    1. the log from fixwareout. It is located at c:\fixwareout\report.txt
    2. a new HJT log.
    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
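The log lines chaslang asks to fix above are the classic signature of a DNS hijack: O17 entries pointing both network interfaces at a static NameServer pair, an O1 hosts-file override, O4 autostarts given as bare filenames with no path, and R3/O23 entries whose target file no longer exists. The following script is an added example, not part of this thread or of HijackThis itself. It parses HijackThis-format lines and reports each of those indicators, so a helper can triage a posted log quickly. The sample log embeds the entries quoted in the thread plus one constructed benign O4 line for contrast; the "trusted" resolver ranges passed to it are placeholders that a real admin would replace with their ISP's actual DNS ranges (the thread's fix is to go back to automatic DNS, so any static NameServer is worth a look).

```python
import ipaddress
import re

# Constructed sample in HijackThis log format. The first seven lines are the
# entries quoted in the thread; the final O4 line is a made-up benign entry
# with a full path, added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {62EDA11C-1C65-691B-34E6-C03404F130B7} - (no file)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [WinInitDll] InpriseMon.exe
O4 - HKLM\..\Run: [dmpfc.exe] C:\WINDOWS\system32\dmpfc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{73ACA1A8-F1DD-4118-BC82-8E4A1B402361}: NameServer = 85.255.116.109,85.255.112.84
O23 - Service: FreezeScreenSaver - Zero-Knowledge Systems Inc. - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Every HJT line starts with a section code (R0..R3, O1..O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O17 bodies carry the per-interface static resolver list as "NameServer = a,b".
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
# O4 bodies carry "\Run: [ValueName] command line".
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every well-formed HJT line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_rogue_nameservers(entries, trusted_cidrs):
    """Static O17 NameServer addresses outside the ranges the admin expects."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    rogue = set()
    for section, body in entries:
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        for server in m.group("servers").split(","):
            addr = ipaddress.ip_address(server)
            if not any(addr in net for net in trusted):
                rogue.add(server)
    return sorted(rogue)


def find_dangling_entries(entries):
    """Entries whose target file is gone: leftovers of malware or broken installs."""
    return [(s, b) for s, b in entries if b.endswith("(no file)")]


def find_unpathed_run_entries(entries):
    """O4 autostart commands given as a bare filename instead of a full path."""
    found = []
    for section, body in entries:
        if section != "O4":
            continue
        m = RUN_RE.search(body)
        if m and "\\" not in m.group("command"):
            found.append(m.group("command"))
    return found


def find_hosts_overrides(entries):
    """O1 lines: hosts-file entries HJT considers worth showing."""
    prefix = "Hosts: "
    return [b[len(prefix):] for s, b in entries if s == "O1" and b.startswith(prefix)]


def triage(text, trusted_cidrs):
    """Run every check over one log and collect the findings in a dict."""
    entries = parse_hjt(text)
    return {
        "rogue_nameservers": find_rogue_nameservers(entries, trusted_cidrs),
        "dangling": find_dangling_entries(entries),
        "unpathed_run": find_unpathed_run_entries(entries),
        "hosts_overrides": find_hosts_overrides(entries),
    }


if __name__ == "__main__":
    # Placeholder ranges: substitute the networks your ISP's resolvers live in.
    report = triage(SAMPLE_LOG, ["192.168.0.0/16", "10.0.0.0/8"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against the sample flags both 85.255.x.x resolvers, the two "(no file)" entries, the path-less InpriseMon.exe autostart and the hosts override, while the constructed ctfmon.exe line (full path) passes. Passing a range that covers 85.255.0.0/16 as trusted makes the resolver finding disappear, which is the point of keeping the allow-list explicit rather than hard-coding "bad" addresses.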
     
  3. medadoun

    medadoun Private E-2

    Hello
    I followed step 7 instructions and reinstalled HJT. I hope I got it right this time :eek:.
    About Zero Knowledge; this stuff is supposed to be the internet protection (antivirus, antispyware, firewall, ....) that I'm getting from my cable company (Adelphia) :confused: I really don't know what's going on with this. :rolleyes:
    Ok so I tried to follow your instructions but I couldn't find any of these files:
    C:\WINDOWS\system32\InpriseMon.exe
    C:\WINDOWS\system32\dmpfc.exe
    C:\WINDOWS\system32\ftbar.exe
    C:\WINDOWS\system32\xxtoolbar.exe
    C:\Windows\Prefetch
    I don't know if I should be worried.
    I ran SpyBot S&D and apparently everything is fine; it didn't pick up anything ;)
    I attached my Fixwareout report as well as a new HJT log.
    Thank you very much I really appreciate your help :) .
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I know what it is. I just wanted to make sure that YOU installed it and also wondered how you like it. Based on second hand experience (from users coming here) and other comments I read, they basically said that the name of the company (Zero Knowledge) seemed appropriate because they appeared to have no knowledge of what they were doing.

    HijackThis more than likely deleted the first 4 while fixing the lines in your log. However the C:\Windows\Prefetch folder must exist. It is part of the OS. Are you sure you did step 2 of the READ & RUN ME correctly?

    Have HJT fix the below line:

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm414DVUS

    Look for the below file and delete it if found (if you cannot delete it in normal mode, boot to safe mode):
    C:\WINDOWS\SYSTEM32\DMYGK.EXE


    How are things working now?
     
  5. medadoun

    medadoun Private E-2

    You know you're right about the Zero Knowledge Company because when I tried to get their help for my problem they didn't have a clue, they told me they'll be contacting me soon and here I am 2 weeks after and still no response from them. So you're 100% right very appropriate name :D .
    I deleted C:\Windows\Prefetch and C:\WINDOWS\SYSTEM32\DMYGK.EXE
    Here is my new HJT log
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were not supposed to delete the C:\windows\Prefetch folder. You were just supposed to delete all files in it. If it is still deleted (Windows may have recreated it), then create the folder yourself.

    Perhaps you should consider dumping the Zero Knowledge stuff and finding something better. Exactly what features was it supposed to be providing you with?

    Also I'm not an avid fan of the Command Antivirus you also probably got from your ISP.
     
  7. medadoun

    medadoun Private E-2

    Thank you very much for your help, my computer is finally working like it used to. Thank you
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
