My web browser has been hijacked and I was wondering if you could help analyze my Hijackthis log and tell me what to delete. Thanks
I'm sure it's a hijacking, I can't use Google or eBay Australia, when I try I get redirected to 'hotnewfatties.com' or something
----WARNING WALL OF TEXT :P ----
Logfile of HijackThis v1.99.1
Scan saved at 2:45:16 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Looks like you have a WareOut infection and LOP to boot, very nice.
We'll run the WareOut fix first, then move HJT to a proper location, then do some fixing with HJT.
Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.
Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.
WareOutFix:
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
If you get a file output similar to below:
Quote:
Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):00
.....
End vxd check
Go here and run the fix appropriate to your version of Windows:
Then hit your 'Start' button, select 'Control Panel' and click on 'Add or Remove Programs'. Then find the following programs and click the 'Change|Remove' button for each, if they are listed
Viewpoint<<<--Usually acquired via AOL AIM, not required for proper operation of AIM.
Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, high-light and select 'End Task' on the following process(es) if present: C:\WINDOWS\system32\dmcjd.exe
Open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, some may not be there due to previous procedures, check the boxes next to them and press the "Fix Checked" button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
C:\WINDOWS\system32\dmcjd.exe<<<--this file
C:\PROGRA~1\MEOW32~1<<<<---this folder
C:\Program Files\Viewpoint<<<<---this folder
C:\DOCUME~1\Annie\APPLIC~1\ONECLO~1<<<<---this folder
C:\DOCUME~1\Annie\APPLIC~1\MEOW32~1<<<<---this folder
To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.
Post a new HJT log back into this thread please along with the text file from FixWareOut.
Boy this is weird, I hope you're still there, I am on the step
Quote:
Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, high-light and select 'End Task' on the following process(es) if present:
C:\WINDOWS\system32\dmcjd.exe
It appears I have no tabs on my Control Alt Delete window, all I have is the initial running programs screen. How do I fix this?
EDIT: Double-clicked the border, fixed
Last edited by Pepperoni; 29th November 2006 at 07:42.
All done, thank you very much, here are the results:
WareOut Test #1
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSNJE.EXE
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSNJE.EXE 51,262 2006-08-21
C:\WINDOWS\SYSTEM32\DMAKC.EXE 61,995 2004-08-04
C:\WINDOWS\SYSTEM32\DMKHO.EXE 61,995 2004-08-04
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
WareOut Test #2
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSNJE.EXE
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSNJE.EXE 51,262 2006-08-21
C:\WINDOWS\SYSTEM32\DMAKC.EXE 61,995 2004-08-04
C:\WINDOWS\SYSTEM32\DMKHO.EXE 61,995 2004-08-04
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
New Hijackthis Log
Logfile of HijackThis v1.99.1
Scan saved at 5:19:40 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Ok, looks like the tool found a few files, let's be sure they have been eliminated.
Download the Killbox from here and save it to the desktop.
Double-click the KillBox icon on your desktop to open it
Select "Delete on Reboot"
Then select "All files".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\SYSTEM32\CSNJE.EXE
C:\WINDOWS\SYSTEM32\DMAKC.EXE
C:\WINDOWS\SYSTEM32\DMKHO.EXE
Return to Killbox
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button.
Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.
Reboot the system and let me know how things are operating. Your last HJT log was clear of any unwanted symptoms.
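
A sketch of the name-and-size triage shown in the FixWareout report above, added here as an example (it is not part of the thread or of the FixWareout tool). The name pattern is an assumed reading of the report's "five digit cs, dm and jb files" line, and the CSRSS.EXE and NOTEPAD.EXE sample lines are constructed; CSRSS.EXE, a legitimate Windows process, matches the pattern and shows the kind of legitimate file the report warns will be listed.

```python
import re
from collections import defaultdict

# First three data lines are from the report in this thread; the CSRSS and
# NOTEPAD lines are constructed (sizes made up) to exercise the filter.
SAMPLE_REPORT = r"""
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSNJE.EXE 51,262 2006-08-21
C:\WINDOWS\SYSTEM32\DMAKC.EXE 61,995 2004-08-04
C:\WINDOWS\SYSTEM32\DMKHO.EXE 61,995 2004-08-04
C:\WINDOWS\SYSTEM32\CSRSS.EXE 6,144 2004-08-04
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE 69,120 2004-08-04
Other suspects.
"""

# Report line layout: <path> <size with thousands separators> <YYYY-MM-DD>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.exe)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})$",
    re.IGNORECASE,
)
# Assumed reading of "five digit cs, dm and jb files": a five-letter base name
# starting with cs, dm or jb.
NAME_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)


def parse_candidates(report):
    """Return (path, size_bytes, date) for each line whose name fits NAME_RE."""
    found = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m and NAME_RE.match(m["path"].rsplit("\\", 1)[-1]):
            found.append((m["path"], int(m["size"].replace(",", "")), m["date"]))
    return found


def same_size_groups(candidates):
    """Group paths sharing size and date; keep only groups with 2+ names."""
    groups = defaultdict(list)
    for path, size, date in candidates:
        groups[(size, date)].append(path)
    return {key: paths for key, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    hits = parse_candidates(SAMPLE_REPORT)
    for path, size, date in hits:
        print(f"review before deleting: {path} ({size} bytes, {date})")
    print(same_size_groups(hits))
```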