TROJAN. DNS_CHANGER! HELP PLEASE


Post by ginobwoy on Sat Jun 27, 2009 12:52 am

Hey.. I've been having problems with this virus called "Trojan. Dns_Changer". I have scanned for it with Malwarebytes.. and it does find it, but after I remove it.. it comes back. Please help me.

My HijackThis log is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:54 PM, on 6/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Malwarebytes' Anti-Malware\xxx.exe.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Xx.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\L.e.a.h\Local Settings\Temp\982.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [GreedyTorrent] "C:\Program Files\GreedyTorrent\GTor.exe" -tray
O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\L.e.a.h\Local Settings\Temp\982.exe
O4 - S-1-5-18 Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'Default user')
O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13783 bytes


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sat Jun 27, 2009 12:53 am

Also, my Malwarebytes log is:


Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/26/2009 8:40:52 PM
mbam-log-2009-06-26 (20-40-46).txt

Scan type: Quick Scan
Objects scanned: 113201
Time elapsed: 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BHVideo (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\BHVideo (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\L.e.a.h\Start Menu\Programs\BHVideo (Trojan.DNSChanger) -> No action taken.
C:\Program Files\BHVideo (Trojan.DNSChanger) -> No action taken.

Files Infected:
c:\documents and settings\l.e.a.h\start menu\Programs\BHVideo\Uninstall.lnk (Trojan.DNSChanger) -> No action taken.
c:\program files\BHVideo\Uninstall.exe (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
C:\install.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> No action taken.


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sat Jun 27, 2009 1:37 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
    O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\L.e.a.h\Local Settings\Temp\982.exe
    O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\L.e.a.h\Local Settings\Temp\982.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


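For anyone triaging a HijackThis log like the one posted above, the script below is an added example and is not part of this thread, of HijackThis, or of Malwarebytes. It parses lines in HijackThis format and flags the kinds of entries a helper checks first: an R1 ProxyServer value pointing at 127.0.0.1 (browser traffic forced through a local process), O4 autostarts launched from a Temp folder, "(no file)" orphans, and the O6 Internet Explorer restriction policy. The sample log inside it is constructed from the patterns in this thread (not the poster's full log), and the rule names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on the kinds of
# entries seen in this thread (not the poster's full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\L.e.a.h\Local Settings\Temp\982.exe
O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\L.e.a.h\Local Settings\Temp\982.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R1" or "O4"
    rule: str     # which triage rule fired (rule names are my own)
    line: str     # the log line as written


# R1 ProxyServer pointing at the loopback address: Internet Explorer traffic is
# being pushed through a process running on the same machine (a proxy hijack).
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)
# O4 autostart whose target lives in a Temp folder: legitimate software almost
# never persists from there; user-writable paths are where droppers land.
TEMP_AUTOSTART = re.compile(r"\\Temp\\", re.IGNORECASE)
ORPHANED = "(no file)"
# Entry lines look like "O4 - ..." / "R1 - ..."; headers and the process list do not.
SECTION = re.compile(r"^([RFO]\d{1,2})\s+-\s+(.*)$")


def parse_line(line: str):
    """Split one entry into (section tag, body); None for headers/process list."""
    m = SECTION.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text: str) -> list:
    """Return one Finding per log entry that matches a triage rule."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section.startswith("R") and LOOPBACK_PROXY.search(body):
            findings.append(Finding(section, "loopback-proxy", raw))
        elif section == "O4" and TEMP_AUTOSTART.search(body):
            findings.append(Finding(section, "temp-autostart", raw))
        elif section == "O6" and "Restrictions present" in body:
            findings.append(Finding(section, "ie-policy-restrictions", raw))
        elif ORPHANED in body:
            findings.append(Finding(section, "orphaned-entry", raw))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {"temp-autostart": 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as-is to see the five flagged lines, or replace `SAMPLE_LOG` with the text of a real log. The benign entries in the sample (the Adobe BHO, ctfmon, the Bonjour service, and `ProxyOverride = local`) are there to show that the rules stay quiet on ordinary lines. One practical point the loopback rule illustrates: once the process behind `127.0.0.1:5757` is removed, that ProxyServer value still has to be cleared, otherwise the browser keeps trying to reach a proxy that no longer exists.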

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sat Jun 27, 2009 6:54 pm

Hey, thanks very much Belahzur for your response!
NOTE: Every time I run Malwarebytes and delete the files, it just comes back again when I scan the computer. Also, the virus has already disabled my router. But here is the Malwarebytes LOG:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/27/2009 2:39:17 PM
mbam-log-2009-06-27 (14-39-17).txt

Scan type: Quick Scan
Objects scanned: 113295
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BHVideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BHVideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\L.e.a.h\Start Menu\Programs\BHVideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\BHVideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\l.e.a.h\start menu\Programs\BHVideo\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\BHVideo\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sat Jun 27, 2009 7:09 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Norton)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sat Jun 27, 2009 8:48 pm

The virus won't let me open up my anti-virus in order to disable it. Also, how do I rename it while it's downloading?

*Just wanted to know, because I don't want to make any mistakes.*

Thanks.


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sat Jun 27, 2009 8:56 pm

My instructions show how to, but to do so, you need to use Firefox.
If it won't open to disable, boot to safe mode as the AV won't interfere in safe mode.



Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 7:55 pm

ComboFix 09-06-26.02 - L.e.a.h 06/28/2009 13:36.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.154 [GMT -4:00]
Running from: c:\documents and settings\L.e.a.h\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\L.e.a.h\Application Data\inst.exe
c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\system32\drivers\msqpdxpxfeoitu.sys
c:\windows\system32\msqpdxmtpekrxx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Legacy_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-26 22:46 . 2009-06-26 22:46 1630864 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-26 22:05 . 2009-06-26 22:05 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Auslogics
2009-06-26 22:04 . 2009-06-26 22:04 -------- d-----w- c:\program files\Auslogics
2009-06-26 21:56 . 2009-06-26 21:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-26 21:28 . 2009-06-26 21:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
2009-06-26 21:23 . 2009-06-26 21:25 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Uniblue
2009-06-26 21:22 . 2009-06-26 21:23 -------- d-----w- c:\program files\Uniblue
2009-06-26 21:22 . 2009-06-26 21:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-06-26 21:13 . 2009-06-26 21:13 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Vso
2009-06-26 11:52 . 2009-06-26 11:52 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Adobe
2009-06-26 04:17 . 2009-06-26 04:17 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Yahoo
2009-06-26 04:01 . 2009-06-26 04:01 262144 ----a-w- C:\ntuser.dat
2009-06-26 04:00 . 2009-06-26 04:01 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Yahoo!
2009-06-26 04:00 . 2009-06-26 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-26 03:59 . 2009-06-26 04:07 -------- d-----w- c:\program files\Yahoo!
2009-06-25 18:28 . 2009-06-26 22:47 -------- d-----w- c:\program files\DivX
2009-06-24 06:03 . 2009-06-25 16:35 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Ahead
2009-06-23 04:28 . 2009-06-23 04:28 -------- d-----w- c:\program files\OpenAL
2009-06-23 04:27 . 2009-06-23 04:28 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\flightgear.org
2009-06-22 23:22 . 2009-06-27 18:50 -------- d-----w- C:\logs
2009-06-22 18:48 . 2007-12-10 18:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-22 18:48 . 2007-12-10 18:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-22 18:48 . 2007-12-10 18:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-22 18:48 . 2007-12-10 18:53 41864 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-22 18:48 . 2009-06-22 18:48 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\PC Tools
2009-06-22 18:40 . 2009-06-22 18:45 -------- d-----w- c:\program files\PCPitstop
2009-06-22 18:39 . 2009-06-28 14:34 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\BitTorrent
2009-06-22 02:35 . 2009-06-22 02:35 1097728 ----a-w- c:\program files\SilkroadOnline_GlobalOfficial_v1_180.exe
2009-06-20 04:05 . 2009-06-20 04:05 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\TuneUp Software
2009-06-20 03:41 . 2009-06-26 12:17 -------- d-----w- C:\JCEntertainment
2009-06-18 03:46 . 2009-06-18 03:46 -------- d-----w- c:\windows\system32\Quicktime
2009-06-18 03:46 . 2009-06-18 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-06-18 03:46 . 2009-06-18 03:46 -------- d-----w- c:\program files\SmartSound Software
2009-06-18 03:45 . 2003-03-16 03:15 90112 ----a-w- c:\windows\unvise32.exe
2009-06-18 03:42 . 2004-03-10 20:27 11264 ----a-w- c:\windows\system32\drivers\asapiW2k.sys
2009-06-18 03:42 . 2004-03-10 20:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe
2009-06-18 03:42 . 2004-03-10 20:27 19456 ----a-w- c:\windows\system32\asapi.dll
2009-06-18 03:40 . 2004-01-23 21:44 61440 ----a-w- c:\windows\system32\pclepim1.dll
2009-06-18 03:40 . 2002-01-05 07:40 487424 ----a-w- c:\windows\system32\MSVCP70.DLL
2009-06-18 03:40 . 2002-01-05 07:38 54784 ----a-w- c:\windows\system32\MSVCI70.DLL
2009-06-18 03:40 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-06-18 03:39 . 2003-11-21 21:48 61440 ----a-w- c:\windows\system32\MFC71FRA.DLL
2009-06-18 03:39 . 2002-01-05 08:36 964608 ----a-w- c:\windows\system32\MFC70U.DLL
2009-06-18 03:39 . 2004-01-23 21:44 49152 ----a-w- c:\windows\system32\PCLEGetGuid.dll
2009-06-18 03:39 . 2002-01-05 08:48 974848 ----a-w- c:\windows\system32\MFC70.DLL
2009-06-18 03:36 . 2009-06-18 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-06-18 03:35 . 2009-06-22 03:01 -------- d-----w- c:\program files\Pinnacle
2009-06-18 03:34 . 2002-03-19 14:29 14165 ------w- c:\windows\system32\drivers\Pclepci.sys
2009-06-18 02:42 . 2009-06-18 02:42 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\{66EEADA1-1A93-4107-81E5-AC234482B5D1}
2009-06-18 02:35 . 2009-06-18 03:29 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Deployment
2009-06-18 02:10 . 2009-06-18 02:10 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Blender Foundation
2009-06-18 01:50 . 2009-06-22 03:02 -------- d-----w- c:\program files\OpenLibraries
2009-06-18 01:49 . 2009-06-23 04:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-18 01:49 . 2009-06-23 04:28 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-18 01:10 . 2009-06-18 01:10 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\WMTools Downloaded Files
2009-06-13 18:50 . 2009-06-22 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-13 18:41 . 2008-09-04 20:11 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-13 18:41 . 2009-06-13 18:41 -------- d-----w- c:\program files\Microsoft WSE
2009-06-13 18:21 . 2009-06-13 18:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-10 11:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 11:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-06 23:24 . 2009-06-23 18:09 -------- d-----w- c:\program files\Sony
2009-06-06 19:38 . 2009-06-06 19:38 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\DragonicaSCB
2009-06-05 22:06 . 2009-06-05 22:06 -------- d-----w- c:\documents and settings\David\Application Data\DragonicaSCB
2009-06-04 03:54 . 2009-06-04 03:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-02 02:31 . 2009-06-02 02:31 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Malwarebytes
2009-06-02 00:36 . 2009-06-02 00:36 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Symantec
2009-06-01 01:35 . 2009-06-01 01:35 -------- d-sh--w- c:\documents and settings\L.e.a.h\PrivacIE
2009-06-01 01:30 . 2009-06-01 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-06-01 01:30 . 2009-06-23 18:14 -------- d-----w- c:\program files\Siber Systems
2009-05-31 14:36 . 2009-05-31 14:36 -------- d-sh--w- c:\documents and settings\David\IECompatCache
2009-05-31 14:02 . 2009-05-31 14:02 -------- d-sh--w- c:\documents and settings\David\PrivacIE
2009-05-30 13:50 . 2009-06-25 18:35 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\DivX
2009-05-30 13:50 . 2009-05-30 13:50 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Ahead
2009-05-29 20:52 . 2009-05-29 20:52 -------- d-sh--w- c:\documents and settings\David\IETldCache

.

ginobwoy
Intermediate
Posts : 75
Joined : 2008-12-21
OS : Windows XP
Points : 29104
Likes : 0

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 7:56 pm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 17:36 . 2008-12-22 01:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 17:28 . 2009-02-18 21:09 -------- d-----w- c:\program files\Norton AntiVirus
2009-06-28 14:57 . 2009-05-14 01:58 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\FrostWire
2009-06-27 20:43 . 2009-02-18 21:10 -------- d-----w- c:\program files\Symantec
2009-06-27 18:50 . 2009-01-10 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 18:47 . 2008-12-21 03:51 -------- d-----w- c:\program files\Trend Micro
2009-06-26 21:13 . 2009-06-26 21:13 47360 ----a-w- c:\docume~1\L.e.a.h\Application Data\pcouffin.sys
2009-06-26 17:45 . 2009-04-25 22:59 -------- d-----w- c:\program files\BestGameEver
2009-06-26 12:18 . 2008-11-22 21:37 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-26 12:18 . 2008-11-25 01:35 -------- d-----w- c:\program files\ScanSoft
2009-06-26 12:18 . 2008-12-05 22:29 -------- d-----w- c:\program files\Outsim
2009-06-26 12:18 . 2009-04-19 03:22 -------- d-----w- c:\program files\Electronic Arts
2009-06-26 04:07 . 2009-03-23 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-25 18:18 . 2008-11-18 22:22 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-25 16:27 . 2008-11-19 00:00 -------- d-----w- c:\program files\Gpotato
2009-06-25 04:10 . 2009-05-19 22:29 1856 ----a-w- c:\docume~1\L.e.a.h\Application Data\wklnhst.dat
2009-06-24 04:27 . 2009-04-12 17:03 -------- d-----w- c:\program files\Spyware Doctor
2009-06-23 18:12 . 2008-12-17 20:55 -------- d-----w- c:\program files\Image-Line
2009-06-23 18:09 . 2009-03-22 23:32 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-06-23 18:07 . 2008-12-19 04:20 -------- d-----w- c:\program files\Logitech
2009-06-23 18:06 . 2009-04-19 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-23 18:06 . 2008-12-12 03:30 -------- d-----w- c:\program files\Paint.NET
2009-06-23 18:05 . 2009-02-21 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-23 16:40 . 2009-06-13 16:17 1900184 ----a-w- c:\documents and settings\All Users\Application Data\shs_setup_4056-345359.exe
2009-06-22 18:44 . 2009-05-03 16:41 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-22 16:21 . 2009-03-14 02:21 2632 ----a-w- c:\documents and settings\David\Application Data\wklnhst.dat
2009-06-22 02:57 . 2008-11-18 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-20 20:48 . 2008-11-27 02:53 -------- d-----w- c:\documents and settings\David\Application Data\FrostWire
2009-06-20 17:42 . 2008-11-22 15:29 -------- d-----w- c:\documents and settings\David\Application Data\BitTorrent
2009-06-18 18:52 . 2009-05-12 19:48 47568 ----a-w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 03:55 . 2008-11-19 22:07 47568 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 15:27 . 2009-01-10 20:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-10 20:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 11:24 . 2009-03-14 02:16 -------- d-----w- c:\program files\Microsoft Works
2009-06-10 11:16 . 2008-11-20 01:55 -------- d-----w- c:\program files\Java
2009-06-01 23:40 . 2009-06-01 23:40 5700 ----a-w- c:\documents and settings\All Users\SPL22.tmp
2009-05-29 21:38 . 2009-04-19 03:48 -------- d-----w- c:\documents and settings\David\Application Data\SPORE
2009-05-25 00:03 . 2009-05-25 00:03 43232 ----a-w- c:\documents and settings\All Users\SPL391.tmp
2009-05-24 18:26 . 2009-05-24 17:57 -------- d-----w- c:\program files\VideoLAN
2009-05-24 18:22 . 2009-05-24 18:22 -------- d-----w- c:\documents and settings\David\Application Data\Media Player Classic
2009-05-24 18:22 . 2009-05-24 17:28 -------- d-----w- c:\documents and settings\David\Application Data\DivX
2009-05-24 18:10 . 2009-05-24 18:09 -------- d-----w- c:\documents and settings\David\Application Data\vlc
2009-05-24 14:25 . 2009-02-13 22:24 -------- d-----w- c:\documents and settings\David\Application Data\DAEMON Tools Lite
2009-05-24 14:22 . 2009-05-24 14:22 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-24 14:22 . 2009-05-24 14:22 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-24 14:18 . 2009-02-13 22:24 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-23 21:53 . 2008-12-09 20:51 -------- d-----w- c:\program files\PeerGuardian2
2009-05-23 21:24 . 2009-03-22 23:37 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-23 21:24 . 2009-05-23 21:24 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-05-23 21:12 . 2009-04-13 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-21 15:33 . 2008-11-22 14:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 01:50 . 2009-05-20 01:50 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Lexmark Productivity Studio
2009-05-19 22:30 . 2009-05-19 22:30 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Template
2009-05-19 02:28 . 2009-05-19 02:28 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\FaxCtr
2009-05-18 23:43 . 2009-05-18 23:43 -------- d-----w- c:\documents and settings\David\Application Data\Lexmark Productivity Studio
2009-05-18 20:53 . 2009-05-18 20:53 -------- d-----w- c:\documents and settings\David\Application Data\FaxCtr
2009-05-18 18:55 . 2009-05-18 18:33 -------- d-----w- c:\program files\Lexmark Toolbar
2009-05-18 18:53 . 2009-05-18 18:32 -------- d-----w- c:\program files\Lexmark 3600-4600 Series
2009-05-18 18:38 . 2009-05-18 18:36 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-05-18 18:37 . 2009-05-18 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr
2009-05-18 18:36 . 2009-05-18 18:36 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-05-16 00:03 . 2009-05-12 23:19 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Apple Computer
2009-05-15 22:37 . 2009-05-15 22:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-14 01:58 . 2009-05-01 22:54 -------- d-----w- c:\program files\FrostWire
2009-05-13 05:15 . 2008-04-14 09:42 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:01 . 2009-05-12 20:01 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Sony Corporation
2009-05-12 19:50 . 2008-11-19 01:27 -------- d-----w- c:\program files\Windows Live
2009-05-08 23:31 . 2009-05-08 21:48 -------- d-----w- c:\documents and settings\David\Application Data\GetRightToGo
2009-05-07 15:32 . 2008-04-14 09:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 01:51 . 2009-01-18 18:18 -------- d-----w- c:\documents and settings\Leah\Application Data\BitTorrent
2009-05-03 16:07 . 2008-11-19 23:01 37768 ----a-w- c:\documents and settings\Leah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 15:52 . 2009-05-03 15:51 -------- d-----w- c:\documents and settings\Leah\Application Data\Uniblue
2009-05-02 00:08 . 2008-04-14 04:50 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-04-27 12:21 . 2009-05-23 21:24 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-04-27 03:42 . 2009-03-24 02:15 2674 ----a-w- c:\documents and settings\Leah\Application Data\wklnhst.dat
2009-04-17 12:26 . 2008-04-14 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 09:42 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-12 17:13 . 2009-04-12 17:13 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-04-06 20:23 . 2009-01-14 01:51 6820 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-06 20:20 . 2009-04-06 20:20 0 ----a-w- c:\windows\ativpsrm.bin
.

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 7:56 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-03-20 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-03-20 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-03-20 320168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2009-05-26 2741560]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2007-12-10 1103752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\L.e.a.h\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-6-6 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\recycler\S-1-5-21-2707270637-4036358763-845387194-5710\rundll32.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\Wireless\\lxdxwpss.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 7:57 pm

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [3/20/2009 11:15 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [3/20/2009 11:15 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [3/20/2009 11:15 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys [6/24/2009 12:36 PM 276344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/20/2009 9:39 PM 55152]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [5/18/2009 2:39 PM 98984]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [5/25/2009 11:05 PM 144696]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [4/22/2008 9:25 AM 163840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/22/2009 2:48 PM 747912]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [3/22/2009 7:37 PM 604416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2009 8:53 PM 101936]
S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /h ccCommon --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]
S2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll" /prefetch:1 --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]
S3 DADriv1;DADriv1;\??\c:\docume~1\David\LOCALS~1\Temp\Rar$EX05.156\DA Engine\DAK32.sys --> c:\docume~1\David\LOCALS~1\Temp\Rar$EX05.156\DA Engine\DAK32.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 7:08 PM 533360]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2009-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 16:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-GreedyTorrent - c:\program files\GreedyTorrent\GTor.exe
HKLM-Run-Win32 Firewall - c:\docume~1\Owner\LOCALS~1\Temp\449.exe


.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5757
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\docume~1\L.e.a.h\Application Data\Mozilla\Firefox\Profiles\annxsajb.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-28 13:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 7:57 pm

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIVXserv.sys]
"imagepath"="\systemroot\system32\drivers\MSIVXjxmajlnsoftqhyrianxyvxrgefabffox.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ce,ec,a4,63,85,
67,8a,c9,c8,28,51,af,b0,29,a3,98,57,e5,a8,ae,e7,90,c2,e4,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,16,1d,4a,29,08,
0e,fa,75,71,3b,04,66,8b,46,0d,96,b4,50,a7,95,c3,ab,3b,46,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,da,0d,bc,4e,de,
19,96,b5,25,da,ec,7e,55,20,c9,26,44,39,78,8a,00,22,7c,b5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,97,dd,e8,ba,3d,
7d,39,48,3e,1e,9e,e0,57,5a,93,61,d4,14,c3,90,2d,ba,28,a5,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,7e,56,92,42,87,
b5,cd,99,cd,44,cd,b9,a6,33,6c,cd,69,4b,1f,44,a9,59,7f,4c,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,c1,c5,d3,d3,a4,
af,11,e2,b0,18,ed,a7,3f,8d,37,a4,a1,5d,1b,d0,24,0f,89,46,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,36,dd,d8,68,7a,
65,c6,c7,31,77,e1,ba,b1,f8,68,02,42,51,9f,48,e2,90,cd,0a,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,f8,2b,d6,ad,d2,
6a,36,0c,83,6c,56,8b,a0,85,96,ab,01,65,a4,9b,1e,b6,d9,5a,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,6a,45,e2,70,c8,
b2,bc,92,51,fa,6e,91,28,9e,14,cc,16,b8,30,db,62,bc,e0,a2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,0e,0a,22,30,19,
66,56,a4,b1,cd,45,5a,a8,c4,f8,b9,e8,8c,f1,fe,e4,21,6d,c6,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2e,36,e7,63,44,
0d,1c,75,e3,0e,66,d5,eb,bc,2f,6b,2e,c1,8b,d2,7a,7a,53,41,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6d,2a,87,93,23,
8a,29,4b,fa,ea,66,7f,d4,3b,6b,70,68,ff,ea,6d,c7,7a,45,8b,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-28 13:44
ComboFix-quarantined-files.txt 2009-06-28 17:44

Pre-Run: 29,404,782,592 bytes free
Post-Run: 29,401,747,456 bytes free

384 --- E O F --- 2009-06-24 20:03

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sun Jun 28, 2009 8:08 pm

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    BitTorrent
    DNA
    Frostwire


Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\ativpsrm.bin
c:\documents and settings\L.e.a.h\Start Menu\Programs\Startup\FrostWire On Startup.lnk

Folder::
c:\program files\FrostWire
c:\Program Files\BitTorrent
c:\Program Files\DNA
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIVXserv.sys]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
Likes : 1
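As an added, defender-side example (not code from this thread, from ComboFix or from its authors), a small Python triage pass that reads ComboFix-style registry and Supplementary Scan lines and flags the patterns behind the entries the CFScript above targets: a Winlogon Taskman value, autostarts under RECYCLER or a Temp folder, a service ImagePath with a random-looking driver name, and a browser proxy on 127.0.0.1. The sample lines are an excerpt constructed from the log posted in this thread, and the random-name threshold is this example's own heuristic, not a ComboFix rule.

```python
import re

# Excerpt constructed from the ComboFix log posted in this thread. The ctfmon
# and Java entries are benign controls; the "Win32 Firewall" Run value is
# reconstructed from the orphan line ComboFix reported. Everything else is
# copied from the posted log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Win32 Firewall"="c:\docume~1\Owner\LOCALS~1\Temp\449.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\recycler\S-1-5-21-2707270637-4036358763-845387194-5710\rundll32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIVXserv.sys]
"imagepath"="\systemroot\system32\drivers\MSIVXjxmajlnsoftqhyrianxyvxrgefabffox.sys"

uInternet Settings,ProxyServer = http=127.0.0.1:5757
uInternet Settings,ProxyOverride = local
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
PROXY_RE = re.compile(r'^u?Internet Settings,ProxyServer\s*=\s*(.+)$')

# Directories from which nothing should legitimately autostart on XP.
LOW_TRUST_DIRS = ('\\recycler\\', '\\temp\\')


def parse_value(rest):
    """Strip the quotes and the trailing `[date size]` annotation from the
    data part of a `"name"=data` line."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split(' [', 1)[0]


def looks_random(basename):
    """Heuristic (this example's assumption, not a ComboFix rule): a file stem
    of 24 or more letters with no digits or separators, like the MSIVX driver
    above, is unlike any vendor-named driver and deserves a look."""
    stem = basename.rsplit('.', 1)[0]
    return len(stem) >= 24 and stem.isalpha()


def triage(log_text):
    """Return (rule, detail) pairs for suspicious entries in a ComboFix-style
    registry dump plus its Supplementary Scan lines."""
    findings = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy on the loopback interface means some local process is
            # sitting between the browser and the network.
            if '127.0.0.1' in m.group(1):
                findings.append(('loopback-proxy', m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), parse_value(m.group(2))
        low = data.lower()
        # Winlogon's Taskman value is absent on a clean XP install; whatever
        # is set there runs at every logon.
        if section.endswith('\\winlogon') and name.lower() == 'taskman':
            findings.append(('winlogon-taskman', data))
        if any(d in low for d in LOW_TRUST_DIRS):
            findings.append(('low-trust-dir', f'{name} -> {data}'))
        basename = low.replace('/', '\\').rsplit('\\', 1)[-1]
        if name.lower() == 'imagepath' and looks_random(basename):
            findings.append(('random-driver-name', data))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:20} {detail}')
```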

Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 9:04 pm

There was this error that came up: "Cannot export regruns00: Error opening the file. There may be disk or file system error."
But other than that it was fine. Here's the TXT.

ComboFix 09-06-26.02 - L.e.a.h 06/28/2009 16:36.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.139 [GMT -4:00]
Running from: c:\documents and settings\L.e.a.h\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\L.e.a.h\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\L.e.a.h\Start Menu\Programs\Startup\FrostWire On Startup.lnk"
"c:\windows\ativpsrm.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\L.e.a.h\Start Menu\Programs\Startup\FrostWire On Startup.lnk
c:\program files\BitTorrent
c:\program files\BitTorrent\BitTorrentIE.2.dll
c:\program files\BitTorrent\uninst.exe
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\install.rdf
c:\windows\ativpsrm.bin
c:\windows\system32\drivers\MSIVXjxmajlnsoftqhyrianxyvxrgefabffox.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXefrnnayssnxooklnddqjmukiphddgkvd.dll
c:\windows\system32\MSIVXqoqkikuulmtgjgocayckikcyibqkjrvf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-28 17:43 . 2009-06-28 17:43 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-26 22:46 . 2009-06-26 22:46 1630864 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-26 22:05 . 2009-06-26 22:05 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Auslogics
2009-06-26 22:04 . 2009-06-26 22:04 -------- d-----w- c:\program files\Auslogics
2009-06-26 21:56 . 2009-06-26 21:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-26 21:28 . 2009-06-26 21:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
2009-06-26 21:23 . 2009-06-26 21:25 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Uniblue
2009-06-26 21:22 . 2009-06-26 21:23 -------- d-----w- c:\program files\Uniblue
2009-06-26 21:22 . 2009-06-26 21:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-06-26 21:13 . 2009-06-26 21:13 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Vso
2009-06-26 11:52 . 2009-06-26 11:52 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Adobe
2009-06-26 04:17 . 2009-06-26 04:17 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Yahoo
2009-06-26 04:01 . 2009-06-26 04:01 262144 ----a-w- C:\ntuser.dat
2009-06-26 04:00 . 2009-06-26 04:01 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Yahoo!
2009-06-26 03:59 . 2009-06-28 20:33 -------- d-----w- c:\program files\Yahoo!
2009-06-25 18:28 . 2009-06-26 22:47 -------- d-----w- c:\program files\DivX
2009-06-24 06:03 . 2009-06-25 16:35 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Ahead
2009-06-23 04:28 . 2009-06-23 04:28 -------- d-----w- c:\program files\OpenAL
2009-06-23 04:27 . 2009-06-23 04:28 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\flightgear.org
2009-06-22 23:22 . 2009-06-27 18:50 -------- d-----w- C:\logs
2009-06-22 18:48 . 2007-12-10 18:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-22 18:48 . 2007-12-10 18:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-22 18:48 . 2007-12-10 18:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-22 18:48 . 2007-12-10 18:53 41864 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-22 18:48 . 2009-06-22 18:48 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\PC Tools
2009-06-22 18:40 . 2009-06-22 18:45 -------- d-----w- c:\program files\PCPitstop
2009-06-22 18:39 . 2009-06-28 14:34 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\BitTorrent
2009-06-22 02:35 . 2009-06-22 02:35 1097728 ----a-w- c:\program files\SilkroadOnline_GlobalOfficial_v1_180.exe
2009-06-20 04:05 . 2009-06-20 04:05 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\TuneUp Software
2009-06-20 03:41 . 2009-06-26 12:17 -------- d-----w- C:\JCEntertainment
2009-06-18 03:46 . 2009-06-18 03:46 -------- d-----w- c:\windows\system32\Quicktime
2009-06-18 03:46 . 2009-06-18 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-06-18 03:46 . 2009-06-18 03:46 -------- d-----w- c:\program files\SmartSound Software
2009-06-18 03:45 . 2003-03-16 03:15 90112 ----a-w- c:\windows\unvise32.exe
2009-06-18 03:42 . 2004-03-10 20:27 11264 ----a-w- c:\windows\system32\drivers\asapiW2k.sys
2009-06-18 03:42 . 2004-03-10 20:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe
2009-06-18 03:42 . 2004-03-10 20:27 19456 ----a-w- c:\windows\system32\asapi.dll
2009-06-18 03:40 . 2004-01-23 21:44 61440 ----a-w- c:\windows\system32\pclepim1.dll
2009-06-18 03:40 . 2002-01-05 07:40 487424 ----a-w- c:\windows\system32\MSVCP70.DLL
2009-06-18 03:40 . 2002-01-05 07:38 54784 ----a-w- c:\windows\system32\MSVCI70.DLL
2009-06-18 03:40 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-06-18 03:39 . 2003-11-21 21:48 61440 ----a-w- c:\windows\system32\MFC71FRA.DLL
2009-06-18 03:39 . 2002-01-05 08:36 964608 ----a-w- c:\windows\system32\MFC70U.DLL
2009-06-18 03:39 . 2004-01-23 21:44 49152 ----a-w- c:\windows\system32\PCLEGetGuid.dll
2009-06-18 03:39 . 2002-01-05 08:48 974848 ----a-w- c:\windows\system32\MFC70.DLL
2009-06-18 03:36 . 2009-06-18 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-06-18 03:35 . 2009-06-22 03:01 -------- d-----w- c:\program files\Pinnacle
2009-06-18 03:34 . 2002-03-19 14:29 14165 ------w- c:\windows\system32\drivers\Pclepci.sys
2009-06-18 02:42 . 2009-06-18 02:42 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\{66EEADA1-1A93-4107-81E5-AC234482B5D1}
2009-06-18 02:35 . 2009-06-18 03:29 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Deployment
2009-06-18 02:10 . 2009-06-18 02:10 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Blender Foundation
2009-06-18 01:50 . 2009-06-22 03:02 -------- d-----w- c:\program files\OpenLibraries
2009-06-18 01:49 . 2009-06-23 04:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-18 01:49 . 2009-06-23 04:28 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-18 01:10 . 2009-06-18 01:10 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\WMTools Downloaded Files
2009-06-13 18:50 . 2009-06-22 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-13 18:41 . 2008-09-04 20:11 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-13 18:41 . 2009-06-13 18:41 -------- d-----w- c:\program files\Microsoft WSE
2009-06-13 18:21 . 2009-06-13 18:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-10 11:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 11:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-06 23:24 . 2009-06-23 18:09 -------- d-----w- c:\program files\Sony
2009-06-06 19:38 . 2009-06-06 19:38 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\DragonicaSCB
2009-06-05 22:06 . 2009-06-05 22:06 -------- d-----w- c:\documents and settings\David\Application Data\DragonicaSCB
2009-06-04 03:54 . 2009-06-04 03:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-02 02:31 . 2009-06-02 02:31 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Malwarebytes
2009-06-02 00:36 . 2009-06-02 00:36 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Symantec
2009-06-01 01:35 . 2009-06-01 01:35 -------- d-sh--w- c:\documents and settings\L.e.a.h\PrivacIE
2009-06-01 01:30 . 2009-06-01 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-06-01 01:30 . 2009-06-23 18:14 -------- d-----w- c:\program files\Siber Systems
2009-05-31 14:36 . 2009-05-31 14:36 -------- d-sh--w- c:\documents and settings\David\IECompatCache
2009-05-31 14:02 . 2009-05-31 14:02 -------- d-sh--w- c:\documents and settings\David\PrivacIE
2009-05-30 13:50 . 2009-06-25 18:35 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\DivX
2009-05-30 13:50 . 2009-05-30 13:50 -------- d-----w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\Ahead

ginobwoy
Intermediate
Posts : 75
Joined : 2008-12-21
OS : Windows XP
Points : 29104
# Likes : 0


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 9:04 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 20:49 . 2008-12-22 01:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 19:49 . 2009-05-14 01:58 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\FrostWire
2009-06-28 17:28 . 2009-02-18 21:09 -------- d-----w- c:\program files\Norton AntiVirus
2009-06-27 20:43 . 2009-02-18 21:10 -------- d-----w- c:\program files\Symantec
2009-06-27 18:50 . 2009-01-10 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 18:47 . 2008-12-21 03:51 -------- d-----w- c:\program files\Trend Micro
2009-06-26 21:13 . 2009-06-26 21:13 47360 ----a-w- c:\docume~1\L.e.a.h\Application Data\pcouffin.sys
2009-06-26 17:45 . 2009-04-25 22:59 -------- d-----w- c:\program files\BestGameEver
2009-06-26 12:18 . 2008-11-22 21:37 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-26 12:18 . 2008-11-25 01:35 -------- d-----w- c:\program files\ScanSoft
2009-06-26 12:18 . 2008-12-05 22:29 -------- d-----w- c:\program files\Outsim
2009-06-26 12:18 . 2009-04-19 03:22 -------- d-----w- c:\program files\Electronic Arts
2009-06-26 04:07 . 2009-03-23 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-25 18:18 . 2008-11-18 22:22 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-25 16:27 . 2008-11-19 00:00 -------- d-----w- c:\program files\Gpotato
2009-06-25 04:10 . 2009-05-19 22:29 1856 ----a-w- c:\docume~1\L.e.a.h\Application Data\wklnhst.dat
2009-06-24 04:27 . 2009-04-12 17:03 -------- d-----w- c:\program files\Spyware Doctor
2009-06-23 18:12 . 2008-12-17 20:55 -------- d-----w- c:\program files\Image-Line
2009-06-23 18:09 . 2009-03-22 23:32 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-06-23 18:07 . 2008-12-19 04:20 -------- d-----w- c:\program files\Logitech
2009-06-23 18:06 . 2009-04-19 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-23 18:06 . 2008-12-12 03:30 -------- d-----w- c:\program files\Paint.NET
2009-06-23 18:05 . 2009-02-21 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-23 16:40 . 2009-06-13 16:17 1900184 ----a-w- c:\documents and settings\All Users\Application Data\shs_setup_4056-345359.exe
2009-06-22 18:44 . 2009-05-03 16:41 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-22 16:21 . 2009-03-14 02:21 2632 ----a-w- c:\documents and settings\David\Application Data\wklnhst.dat
2009-06-22 02:57 . 2008-11-18 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-20 20:48 . 2008-11-27 02:53 -------- d-----w- c:\documents and settings\David\Application Data\FrostWire
2009-06-20 17:42 . 2008-11-22 15:29 -------- d-----w- c:\documents and settings\David\Application Data\BitTorrent
2009-06-18 18:52 . 2009-05-12 19:48 47568 ----a-w- c:\documents and settings\L.e.a.h\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 03:55 . 2008-11-19 22:07 47568 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 15:27 . 2009-01-10 20:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-10 20:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 11:24 . 2009-03-14 02:16 -------- d-----w- c:\program files\Microsoft Works
2009-06-10 11:16 . 2008-11-20 01:55 -------- d-----w- c:\program files\Java
2009-06-01 23:40 . 2009-06-01 23:40 5700 ----a-w- c:\documents and settings\All Users\SPL22.tmp
2009-05-29 21:38 . 2009-04-19 03:48 -------- d-----w- c:\documents and settings\David\Application Data\SPORE
2009-05-25 00:03 . 2009-05-25 00:03 43232 ----a-w- c:\documents and settings\All Users\SPL391.tmp
2009-05-24 18:26 . 2009-05-24 17:57 -------- d-----w- c:\program files\VideoLAN
2009-05-24 18:22 . 2009-05-24 18:22 -------- d-----w- c:\documents and settings\David\Application Data\Media Player Classic
2009-05-24 18:22 . 2009-05-24 17:28 -------- d-----w- c:\documents and settings\David\Application Data\DivX
2009-05-24 18:10 . 2009-05-24 18:09 -------- d-----w- c:\documents and settings\David\Application Data\vlc
2009-05-24 14:25 . 2009-02-13 22:24 -------- d-----w- c:\documents and settings\David\Application Data\DAEMON Tools Lite
2009-05-24 14:22 . 2009-05-24 14:22 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-24 14:22 . 2009-05-24 14:22 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-24 14:18 . 2009-02-13 22:24 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-23 21:53 . 2008-12-09 20:51 -------- d-----w- c:\program files\PeerGuardian2
2009-05-23 21:24 . 2009-03-22 23:37 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-23 21:24 . 2009-05-23 21:24 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-05-23 21:12 . 2009-04-13 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-21 15:33 . 2008-11-22 14:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 01:50 . 2009-05-20 01:50 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Lexmark Productivity Studio
2009-05-19 22:30 . 2009-05-19 22:30 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Template
2009-05-19 02:28 . 2009-05-19 02:28 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\FaxCtr
2009-05-18 23:43 . 2009-05-18 23:43 -------- d-----w- c:\documents and settings\David\Application Data\Lexmark Productivity Studio
2009-05-18 20:53 . 2009-05-18 20:53 -------- d-----w- c:\documents and settings\David\Application Data\FaxCtr
2009-05-18 18:55 . 2009-05-18 18:33 -------- d-----w- c:\program files\Lexmark Toolbar
2009-05-18 18:53 . 2009-05-18 18:32 -------- d-----w- c:\program files\Lexmark 3600-4600 Series
2009-05-18 18:38 . 2009-05-18 18:36 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-05-18 18:37 . 2009-05-18 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr
2009-05-18 18:36 . 2009-05-18 18:36 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-05-16 00:03 . 2009-05-12 23:19 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Apple Computer
2009-05-15 22:37 . 2009-05-15 22:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-13 05:15 . 2008-04-14 09:42 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:01 . 2009-05-12 20:01 -------- d-----w- c:\docume~1\L.e.a.h\Application Data\Sony Corporation
2009-05-12 19:50 . 2008-11-19 01:27 -------- d-----w- c:\program files\Windows Live
2009-05-08 23:31 . 2009-05-08 21:48 -------- d-----w- c:\documents and settings\David\Application Data\GetRightToGo
2009-05-07 15:32 . 2008-04-14 09:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 01:51 . 2009-01-18 18:18 -------- d-----w- c:\documents and settings\Leah\Application Data\BitTorrent
2009-05-03 16:07 . 2008-11-19 23:01 37768 ----a-w- c:\documents and settings\Leah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 15:52 . 2009-05-03 15:51 -------- d-----w- c:\documents and settings\Leah\Application Data\Uniblue
2009-05-02 00:08 . 2008-04-14 04:50 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-04-27 12:21 . 2009-05-23 21:24 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-04-27 03:42 . 2009-03-24 02:15 2674 ----a-w- c:\documents and settings\Leah\Application Data\wklnhst.dat
2009-04-17 12:26 . 2008-04-14 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 09:42 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-12 17:13 . 2009-04-12 17:13 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-04-06 20:23 . 2009-01-14 01:51 6820 ----a-w- c:\windows\system32\d3d9caps.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-28 20:49 . 2009-06-28 20:49 16384 c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2009-06-28 17:43 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-28 17:43 . 2008-04-14 09:42 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-28 17:43 . 2008-04-14 09:42 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-28 17:43 . 2008-04-14 09:42 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-28 17:43 . 2008-04-14 09:42 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-28 17:43 . 2008-04-14 09:42 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-28 17:43 . 2008-04-14 09:42 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-28 17:43 . 2008-04-14 04:09 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-28 17:43 . 2008-04-14 04:23 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-28 17:43 . 2008-04-14 09:42 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
- 2008-11-22 02:20 . 2009-06-28 17:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-22 02:20 . 2009-06-28 19:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-22 02:20 . 2009-06-28 19:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-22 02:20 . 2009-06-28 17:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-28 17:43 . 2008-04-14 09:42 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-28 17:43 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-28 17:43 . 2008-04-14 09:42 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-28 17:43 . 2008-04-14 09:42 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-28 17:43 . 2009-05-02 00:08 361600 c:\windows\system32\dllcache\cache\TCPIP.SYS
+ 2009-06-28 17:43 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-28 17:43 . 2008-04-14 04:50 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-28 17:43 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-28 17:43 . 2008-04-14 09:41 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-28 17:43 . 2008-04-14 09:41 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
- 2008-11-22 02:20 . 2009-06-28 17:35 344064 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-22 02:20 . 2009-06-28 19:49 344064 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-28 17:43 . 2008-04-14 09:42 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-28 17:43 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-28 17:43 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-28 17:43 . 2008-04-14 09:42 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 9:05 pm

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-03-20 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-03-20 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-03-20 320168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2009-05-26 2741560]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2007-12-10 1103752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\L.e.a.h\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-6-6 344064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\Wireless\\lxdxwpss.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [3/20/2009 11:15 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [3/20/2009 11:15 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [3/20/2009 11:15 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys [6/24/2009 12:36 PM 276344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/20/2009 9:39 PM 55152]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [5/18/2009 2:39 PM 98984]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [5/25/2009 11:05 PM 144696]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [4/22/2008 9:25 AM 163840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/22/2009 2:48 PM 747912]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [3/22/2009 7:37 PM 604416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2009 8:53 PM 101936]
S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /h ccCommon --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]
S2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll" /prefetch:1 --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]
S3 DADriv1;DADriv1;\??\c:\docume~1\David\LOCALS~1\Temp\Rar$EX05.156\DA Engine\DAK32.sys --> c:\docume~1\David\LOCALS~1\Temp\Rar$EX05.156\DA Engine\DAK32.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 7:08 PM 533360]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2009-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 16:56]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5757
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\docume~1\L.e.a.h\Application Data\Mozilla\Firefox\Profiles\annxsajb.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-28 16:51
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 9:05 pm

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ce,ec,a4,63,85,
67,8a,c9,c8,28,51,af,b0,29,a3,98,57,e5,a8,ae,e7,90,c2,e4,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,16,1d,4a,29,08,
0e,fa,75,71,3b,04,66,8b,46,0d,96,b4,50,a7,95,c3,ab,3b,46,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,da,0d,bc,4e,de,
19,96,b5,25,da,ec,7e,55,20,c9,26,44,39,78,8a,00,22,7c,b5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,97,dd,e8,ba,3d,
7d,39,48,3e,1e,9e,e0,57,5a,93,61,d4,14,c3,90,2d,ba,28,a5,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,7e,56,92,42,87,
b5,cd,99,cd,44,cd,b9,a6,33,6c,cd,69,4b,1f,44,a9,59,7f,4c,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,c1,c5,d3,d3,a4,
af,11,e2,b0,18,ed,a7,3f,8d,37,a4,a1,5d,1b,d0,24,0f,89,46,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,36,dd,d8,68,7a,
65,c6,c7,31,77,e1,ba,b1,f8,68,02,42,51,9f,48,e2,90,cd,0a,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,f8,2b,d6,ad,d2,
6a,36,0c,83,6c,56,8b,a0,85,96,ab,01,65,a4,9b,1e,b6,d9,5a,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,6a,45,e2,70,c8,
b2,bc,92,51,fa,6e,91,28,9e,14,cc,16,b8,30,db,62,bc,e0,a2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,0e,0a,22,30,19,
66,56,a4,b1,cd,45,5a,a8,c4,f8,b9,e8,8c,f1,fe,e4,21,6d,c6,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2e,36,e7,63,44,
0d,1c,75,e3,0e,66,d5,eb,bc,2f,6b,2e,c1,8b,d2,7a,7a,53,41,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6d,2a,87,93,23,
8a,29,4b,fa,ea,66,7f,d4,3b,6b,70,68,ff,ea,6d,c7,7a,45,8b,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdxcoms.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark 3600-4600 Series\lxdxmsdmon.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-06-28 17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 21:00
ComboFix2.txt 2009-06-28 17:44

Pre-Run: 29,102,120,960 bytes free
Post-Run: 29,012,049,920 bytes free

467 --- E O F --- 2009-06-24 20:03


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sun Jun 28, 2009 9:38 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 10:18 pm

It's working well now, no more viruses have been found... thanks a lot, you have been very helpful.

The only thing is... it's just slow.

Also, I have to reconnect my router; would that bring it back?
Or should I re-configure it?


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sun Jun 28, 2009 10:22 pm

Hello.
The slowness is probably all the unneeded stuff running in the background; we'll stop some items now, so please post a new HijackThis log.

I don't think the router is infected.



Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Sun Jun 28, 2009 11:13 pm

Thanks Belahzur

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:28 PM, on 6/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12133 bytes


Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by Belahzur on Sun Jun 28, 2009 11:48 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
    O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe



  • Press "Fix Checked"
  • Close Hijack This.

I recommend you remove the Java Quick Starter because it's not needed.
To do so, follow these instructions.

Go to Start > Control Panel > Java.
In the Java control panel, click the Advanced tab. Click the + in front of Miscellaneous and uncheck the Java Quick Starter box.

See [You must be registered and logged in to see this link.] for more info.

Reboot normally.

Does it feel any faster now?



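A small triage script, added here as an example and not part of the thread or of HijackThis itself: it parses entry lines in the HijackThis v2 format posted above and flags the kind of entries Belahzur picked out ("(no file)" and "(file missing)"), and marks proxy and unknown-owner entries for a manual look. The sample lines are constructed from the posted log, and the rules are a heuristic chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format: seven lines copied from the
# log posted above (not the whole log) so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    kind: str  # HijackThis section code: R0/R1 (IE settings), O2 (BHO), O3 (toolbar), O4 (autorun), O23 (service)
    body: str  # everything after the "Xn - " prefix
    raw: str


def parse_hjt(text):
    """Keep only the Rn/On entry lines; headers, process lists and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["body"], line))
    return entries


def triage(entries):
    """Return (reason, entry) pairs for the entries a helper looks at first.

    Heuristic rules written for this example (not HijackThis's own logic):
    the orphan rule matches the (no file)/(file missing) lines Belahzur asked
    to fix; the other two only mark entries for a manual look.
    """
    findings = []
    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            findings.append(("orphaned entry: registered component is no longer on disk", e))
        elif e.kind == "R1" and "ProxyServer" in e.body:
            findings.append(("proxy configured in IE settings: confirm it is intentional", e))
        elif e.kind == "O23" and "Unknown owner" in e.body:
            findings.append(("service binary carries no publisher name", e))
    return findings


def clsids(entries):
    """Set of CLSIDs from BHO (O2) and toolbar (O3) entries, for cross-referencing."""
    return {m.group(0) for e in entries if e.kind in ("O2", "O3")
            for m in CLSID_RE.finditer(e.body)}


if __name__ == "__main__":
    for reason, e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{e.kind}] {reason}\n    {e.raw}")
```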
Re: TROJAN. DNS_CHANGER! HELP PLEASE

Post by ginobwoy on Mon Jun 29, 2009 8:35 pm

Yes, thank you it works great now. Thanks for all your help

