Thanks for the logs. You've done very well. I am afraid you have the new variant of the wareout. So, we'll have to work a little harder to get it out.
You may want to copy/paste these instructions on a notepad and save it to the desktop. Also, print out these instructions for reference, since you will have to restart your computer during the fix.
Make sure that you can see hidden files:
· Click Start
· Open My Computer
· Select the Tools menu and click Folder Options
· Select the View
· Under the Hidden files and folders heading select Show hidden files and folders
· Uncheck the Hide protected operating system files (recommended)
· Click Yes
· Click OK
Please click on Jotti: http://virusscan.jotti.org/
Use the "Browse" button and locate the following files on your computer: C:\WINDOWS\system32\dmjgq.exe
Click the "Submit" button
Please copy and post (reply) with the results
If Jotti's service load is too high, you can use the following scanner instead: http://www.virustotal.com/xhtml/index_en.html
Please also check the properties of those files (right-click and select properties from the popup menu). Look if you can find some company information, etc.
Please discard the old wareoutfix and download a new one.
Please download FixWareout. Extract it to your desktop. Do not use it yet.
Download Killbox by Option^Explicit, version 188.8.131.52: http://www.atribune.org/downloads/KillBox.exe
Extract it to your desktop. Once the computer is clean, please uninstall this program as it's a very powerful and dangerous program to use casually.
Restart your computer into safe mode now (with networking), following my earlier instructions. Perform the following steps in safe mode:
Open killbox.exe.
First, click on Tools>Delete Temp Files
A box will open with a list of all user profiles.
Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.
Temporary Internet Files
If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.
Then, check on the Button titled "Delete Selected Temp Files"
Exit by clicking the Button titled "Exit"
Once back into the main killbox program.
Check the following boxes: Delete on Reboot
Highlight the entries in the quote box below and then Copy them.
Then in killbox click File>Paste from Clipboard
At this point the "All Files" button should be enabled so you can click it.
Click the "All Files" button
Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? you will need to click No at this point.
Note: Killbox will let you know if a file does not exist.
If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No for both entries.
Still in Safe Mode, next click on Fixwareout.exe. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, you'll see your desktop and taskbar won't load yet. This is normal, because it is still scanning. Please be patient.
Afterwards, HijackThis will launch automatically. Please click Scan, and check the following items:
O4 - HKLM\..\Run: [dmjgq.exe] C:\WINDOWS\system32\dmjgq.exe
Close all other windows/applications except HijackThis. Click Fix Checked. Close HijackThis, and click OK
At the end of the fix, if it doesn't restart automatically, you may need to restart your computer again.
If you have Internet connection problems, please go to Start -> Control Panel, and choose Network Connections.
Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
Now run BlackLight. You should have all open windows and programs closed when running the scan.
Step 1.
- Please download F-Secure's
- Print out the help page for guidance. It will be found here
- Click the "I Accept" button at the license agreement
- Click the "Download" button to start the download
- Save it to your Desktop
Step 2.
Make sure that all windows/applications are closed.
- Double-click the blbeta.exe file on your Desktop
- Select the "I Accept the agreement" at the license agreement, then click "Next"
- Make sure "Scan through Windows Explorer (Recommended)" is selected\checked
- Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
- Click "Scan"
- When the animated graphics, in the bottom right-hand corner, disappear, click "Next"
- A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxxxxxxxxxx.txt
- Paste the contents of that log back here.
Download WebRoot SpySweeper (It's a 2 week trial):
- Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
- Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
- Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click Yes.
- Once the definitions are installed, click Options on the left side.
- Click the Sweep Options tab.
- Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
- Click Shields on the left.
- Click Internet Explorer and uncheck all items.
- Click Windows System and uncheck all items.
- Click Startup Programs and uncheck all items.
- Click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner, copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply.
- After Spysweeper has finished and removed any items found, reboot your computer right away to ensure the infection is fully removed
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (If available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Restart your computer one more time to clear the memory. Scan with HijackThis and save the report.
Finally, please post the contents of the logfile C:\fixwareout\report.txt, Jotti's scan result, Spysweeper log, along with a new HijackThis log and the Kaspersky Online Scan result. You may need to post them separately.
Edited by amateur, 23 January 2006 - 04:25 PM.
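An added example, not part of the original post or of any tool it names: a small Python check that reads the final HijackThis log and confirms the O4 Run entry for C:\WINDOWS\system32\dmjgq.exe is gone and that no static DNS servers remain configured. The function names and both sample logs are constructed for illustration, and the O17 "NameServer" line layout is assumed from HijackThis's usual log output rather than taken from this page.

```python
import re

# Startup entries as HijackThis prints them, e.g. the line quoted in the post:
#   O4 - HKLM\..\Run: [dmjgq.exe] C:\WINDOWS\system32\dmjgq.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed layout of the lines that report statically configured DNS servers.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

def parse_log(text):
    """Return (registry_startup_entries, static_dns_entries) from a HijackThis log."""
    startup, dns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            startup.append(m.groupdict())
            continue
        m = O17_RE.match(line)
        if m:
            servers = re.split(r"[ ,]+", m["servers"].strip())
            dns.append({"key": m["key"], "servers": servers})
    return startup, dns

def check_cleanup(text, target_path):
    """Report startup entries still launching target_path and any static DNS."""
    startup, dns = parse_log(text)
    wanted = target_path.lower()  # Windows paths are case-insensitive
    leftovers = [e for e in startup if wanted in e["cmd"].lower()]
    return {"entry_removed": not leftovers,
            "startup_leftovers": leftovers,
            "static_dns": dns}

TARGET = r"C:\WINDOWS\system32\dmjgq.exe"  # path given in the post

# Constructed sample logs; the DNS addresses are documentation-range placeholders.
BEFORE = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [dmjgq.exe] C:\WINDOWS\system32\dmjgq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53 192.0.2.54
"""
AFTER = r"""
Logfile of HijackThis (constructed sample)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        print(label, check_cleanup(log, TARGET))
```

A static DNS entry is only a prompt to review the connection settings described above, since some networks set DNS servers by hand on purpose.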