C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

  1. #11
    Neal (Dedicated Member)

    Re: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

    Where is your internet from? Is this familiar to you?

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.1/


    Again did you run the wareoutfix tool? It is still showing in your log.


  2. #12
    shyamchari (Newbie)
    Yes, I'm familiar with that internet connection, and it is still showing me that message, but now it has become difficult logging in as a non-administrator because the PC hangs as soon as I try to log in, just after the message.
    What should I do next? I did everything as asked by you; the PC has become really slow and also hangs even when I click on the normal applications that I generally use on a day-to-day basis.

    This is the new report for wareout


    Fixwareout ver 1.003
    Last edited 04/26/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\qkemd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is lagitamate

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM32\IPSEC6.EXE
    * csr.exe C:\WINDOWS\System32\CSDRP.EXE
    * csr.exe C:\WINDOWS\System32\CSHJL.EXE

    »»»»» Misc files
    * thequicklink C:\WINDOWS\System32\LJAEM.DLL

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSDRP.EXE 51,242 2006-05-27
    C:\WINDOWS\SYSTEM32\CSHJL.EXE 51,221 2006-04-25
    C:\WINDOWS\SYSTEM32\DMXIH.EXE 44,045 2004-08-04
    Last edited by shyamchari; 28-05-2006 at 05:07 AM.

  3. #13
    Neal (Dedicated Member)
    Bad news all around, it sounds like.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done



    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner

    Don't install any toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
    It will put a shortcut on your Desktop.
    Click on CCleaner to start it. Then click "Run Cleaner"; just use the Windows tab up front by default.

    Then Reboot (Exit)


    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.


    Run HijackThis, click on the Scan button and put checks next to these:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

    O4 - HKLM\..\Run: [dmkbb.exe] C:\WINDOWS\system32\dmkbb.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{27403167-9358-4EBC-8971-2ABAC4736B1B}: NameServer = 85.255.115.58,85.255.112.116
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6ECE1A8C-5774-45E5-84F3-DD75619A6434}: NameServer = 85.255.115.58,85.255.112.116
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FD3D40B-1E98-4B82-9C04-9EE12CCA3FC4}: NameServer = 85.255.115.58,85.255.112.116
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A1212C7D-C175-4D33-B9B0-F650F5793D32}: NameServer = 85.255.115.58,85.255.112.116
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A25ED52C-D0D3-46CA-A0E6-307AC6589ABE}: NameServer = 85.255.115.58,85.255.112.116
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CED1CA96-3183-4759-9154-562C497E2BB4}: NameServer = 85.255.115.58,85.255.112.116
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C04BBE-FC20-47A4-82EA-A21EEB66F36F}: NameServer = 85.255.115.58,85.255.112.116



    Make sure no other program or window is open and click on "Fix checked".


    Still in safe mode:


    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\WINDOWS\system32\dmkbb.exe


    Reboot into normal mode and...


    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe

    Save it to your desktop but do NOT run it yet.

    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
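
    The entries Neal singles out above (a start page pointing at a local HTML file, an extra program chained onto the system.ini Shell= line, a five-letter dm*.exe Run entry, and per-interface O17 NameServer values pointing at resolvers outside the user's network) are the kind of thing a short script can pull out of a HijackThis log before a person reads it. The Python below is an added example for this thread, not code from the original posts or from HijackThis. SAMPLE_LOG is constructed from the entries quoted in this thread plus one benign control line; the cs/dm/jb five-letter name pattern is taken from the Fixwareout report posted above; and the rule that any resolver outside private/loopback address space is suspicious unless it appears in expected_dns is an assumption of this example (a legitimate ISP resolver is public too, so expected_dns must come from what the user knows about their own connection).

```python
import ipaddress
import ntpath
import re

# Constructed sample log, modelled on the HijackThis entries quoted in this
# thread: the secure32.html start page, the chained Shell= entry, the
# five-letter dm*.exe Run entry and the per-interface O17 NameServer lines.
# The all-zero GUID line is an added benign control case.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.1/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dmkbb.exe] C:\WINDOWS\system32\dmkbb.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27403167-9358-4EBC-8971-2ABAC4736B1B}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Five-letter cs*/dm*/jb* executables: the name pattern the Fixwareout report
# in this thread searches system32 for (dmkbb.exe, dmekq.exe, csdrp.exe, ...).
RANDOM_RUN_NAME = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)

# A browser page value that is a local drive path; blank.htm is the normal
# default for "Local Page" and is not reported.
LOCAL_FILE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def _is_expected_dns(addr, expected):
    """Assumption of this example: a resolver is acceptable if it is on the
    caller's expected list or sits in private/loopback space (a home router
    such as 192.168.1.1); anything else is flagged for a human to confirm."""
    if addr in expected:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all: flag it
    return ip.is_private or ip.is_loopback


def scan_hijackthis(log, expected_dns=None):
    """Return a list of {section, reason, line} for entries worth a closer look."""
    expected_dns = set(expected_dns or ())
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, _, rest = line.partition(" - ")
        reason = None

        if section in ("R0", "R1") and " = " in rest:
            _key, value = rest.split(" = ", 1)
            if LOCAL_FILE.match(value) and not value.lower().endswith("blank.htm"):
                reason = "browser start/local page points at a local file"

        elif section == "F2" and rest.startswith("REG:system.ini: Shell="):
            shell = rest[len("REG:system.ini: Shell="):].strip()
            if shell.lower() != "explorer.exe":
                reason = "extra program chained onto the Winlogon Shell value"

        elif section == "O4":
            m = re.search(r"\[([^\]]+)\]\s+(.+)$", rest)
            if m and RANDOM_RUN_NAME.match(ntpath.basename(m.group(2).strip('"'))):
                reason = "Run entry launches a random-looking cs/dm/jb five-letter executable"

        elif section == "O17" and "NameServer = " in rest:
            servers = rest.split("NameServer = ", 1)[1]
            bad = [s.strip() for s in servers.split(",")
                   if not _is_expected_dns(s.strip(), expected_dns)]
            if bad:
                reason = "interface NameServer set to unexpected resolver(s): " + ", ".join(bad)

        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}\n     {f['line']}")
```

    Run against a saved log with scan_hijackthis(open("hijackthis.log").read(), expected_dns={...}), listing the resolvers the user's ISP or router actually hands out. On the constructed sample the script reports the R0 start page, the F2 Shell= entry, the dmkbb.exe Run entry and the 85.255.x.x NameServer line, and stays quiet on the 192.168.1.1 router entry and the NeroCheck.exe Run entry; the O17 finding disappears once both 85.255 addresses are passed in expected_dns, which is the deliberate behaviour of the allow-list rather than a verdict on those addresses.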

  4. #14
    shyamchari (Newbie)
    Log of AproposFix v1.1

    ************

    Running from directory:
    C:\Documents and Settings\Administrator\Desktop\aproposfix

    ************



    Registry entries found:


    ************

    No service found!

    Removing hidden folder:
    No folder found!

    Deleting files:


    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4


    Done!

    Finished!


    Logfile of HijackThis v1.99.1
    Scan saved at 9:53:06 AM, on 5/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.1/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\en-ww\msntb.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\en-ww\msntb.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [dmekq.exe] C:\WINDOWS\system32\dmekq.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-ww\bin\WindowsSearch.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\en-ww\msntb.dll/search.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-ww\msntabres.dll/229?3390120750c841c4b826a6141ace8fe4
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-ww\msntabres.dll/230?3390120750c841c4b826a6141ace8fe4
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd...id/BoardID.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    After all these days of your help, and with the ewido software, I found both those files, i.e. ibm00001 and dmkbb, in the startup and deleted them from there, so I'm not having that error message anymore when I start up, but still check the log and let me know if there is anything wrong in there.
    I believe if there is nothing wrong in the above log I just posted, then my problem is solved.
    Thanks for all your help.

  5. #15
    Neal (Dedicated Member)
    There is a disturbing entry that still points to wareout; let's try to kill it with the Killbox.




    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select
      • "Delete on Reboot"
      • Then click on the "All Files" button if there is more than one item to delete.
    • Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C

      C:\WINDOWS\system32\dmekq.exe

    • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.


    After the above, reboot into safe mode and see if you can find that file and delete it.


    Post a new HijackThis log please.

  6. #16
    shyamchari (Newbie)
    I did all that was told and also found that dmek thing; I don't know what it is, but I have removed it from the startup files and also deleted it using the tools provided by you guys. Thanks very much. The error message that used to pop up whenever I logged in is no longer there; I believe that problem is solved. How do I post that the problem is solved? I have this issue with the update thing in Windows; I had already posted that issue along with this one. Can you please help me on the update issue also?
    Thanks.

  7. #17
    Neal (Dedicated Member)
    Are you saying you cannot get Windows updates?
