Zlob DNS Changer PLEASE HELP ME


Post by pc0809 on Sat Jan 03, 2009 5:07 am

Hello,

I somehow got the Zlob DNS Changer Trojan and have been having issues with it. I thought I got rid of it by reformatting my computer but it did not go away. I tried using Spybot S & D, Malwarebytes', SUPERAntispyware, Adware, AVG, and it appeared to be gone but the computer was running weird. I decided to reformat again and when I scanned the Zlob DNS Changer was back and I can't get rid of it! I need serious help PLEASE I cannot get rid of this virus! Here is the HijackThis result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:25 AM, on 1/3/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hp\kbd\kbd.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\Peter\Downloads\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8299 bytes


Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 5:07 am

Here is the uninstall list, also generated from HijackThis:

Adobe Audition 3.0
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
AppCore
AV
ccCommon
ClamWin Free Antivirus 0.94.1
Enhanced Multimedia Keyboard Solution
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Office Home and Student 60 day trial
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.5)
MSRedist
muvee autoProducer 6.0
My HP Games
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Python 2.5
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
SPBBC 32bit
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
WeatherBug Gadget


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 2:37 pm

Since MBAM is already on this system, let's use that.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 5:08 pm

Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 5:11 pm

Okay, hopefully that has removed the DNS hijack.
Press Start > Run
Type in:
ipconfig /flushdns <== note the space between the g and /
Press enter.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste the report back here.



Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 5:22 pm

DDS Logfile-


DDS (Version 1.1.0) - NTFSx86
Run by Peter at 12:21:05.20 on Sat 01/03/2009
Internet Explorer: 7.0.6000.16473
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.1837 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\ClamWin\bin\ClamWin.exe
C:\Program Files\ClamWin\bin\freshclam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Peter\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: []
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\peter\appdata\roaming\mozilla\firefox\profiles\spiykwwi.default\

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20081213.001\IDSvix86.sys [2009-1-2 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-2 99376]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]

=============== Created Last 30 ================

2009-01-02 23:56 --d----- c:\users\peter\appdata\roaming\.clamwin
2009-01-02 23:56 --d----- c:\program files\ClamWin
2009-01-02 23:39 --d----- c:\program files\common files\Adobe Systems Shared
2009-01-02 20:05 16 a------- c:\windows\system32\coh.cache
2009-01-01 22:34 --d----- c:\programdata\Spybot - Search & Destroy
2009-01-01 22:34 --d----- c:\program files\Spybot - Search & Destroy
2009-01-01 22:34 --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-01 22:30 --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-01 22:30 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-01 22:30 --d----- c:\users\peter\appdata\roaming\SUPERAntiSpyware.com
2009-01-01 22:30 --d----- c:\program files\SUPERAntiSpyware
2009-01-01 22:30 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-01 22:29 --d----- c:\users\peter\appdata\roaming\Malwarebytes
2009-01-01 22:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-01 22:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 22:29 --d----- c:\programdata\Malwarebytes
2009-01-01 22:29 --d----- c:\progra~2\Malwarebytes
2009-01-01 22:29 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 18:55 44 a------- c:\windows\system\hpsysdrv.dat
2009-01-01 18:09 1,839 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_GN561AA-ABA a6230n_YC_0Pavi_QCNH742_E74NAv3PrA1_49_INARRA2_SASUSTek Computer INC._V2.00_B5.11_T070716_WUH0_L409_M2943_J400_7AMD_8Athlon 64 X2 Dual Core_92.8_#071205_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-01-01 18:07 --d----- c:\users\Peter
2009-01-01 18:03 --dsh--- c:\programdata\Documents
2009-01-01 18:03 --dsh--- C:\Documents and Settings

==================== Find3M ====================

2009-01-02 20:12 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-02 20:12 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-02 20:12 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2007-08-05 00:16 665,600 a------- c:\windows\inf\drvindex.dat
2007-08-04 23:38 86,016 a------- c:\windows\inf\infstrng.dat
2007-08-04 23:38 51,200 a------- c:\windows\inf\infpub.dat
2007-08-04 23:38 86,016 a------- c:\windows\inf\infstor.dat
2006-11-02 07:50 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-12-05 18:04 22 a--sh--- c:\windows\sminst\HPCD.SYS
2007-08-05 00:16 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:21:41.33 ===============


Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 5:24 pm

Do you want to see the Attach text file that was also produced from this scan?


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 5:25 pm

No, don't need attach.txt.
Still having problems?



Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 6:14 pm

Yes, I just did another Malwarebytes' Anti-Malware scan and it picked up 6 infections now. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 6.0.6000

1/3/2009 1:14:16 PM
mbam-log-2009-01-03 (13-14-16).txt

Scan type: Quick Scan
Objects scanned: 46279
Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


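A small triage script, added here as an example and not part of the thread or of Malwarebytes, that parses the "Registry Data Items Infected" lines from an MBAM log like the one above, classifies every resolver it finds, and reports which control sets and interface GUIDs were touched, so you can see whether a DNSChanger cleanup reached every copy of the Tcpip parameters. The 85.255.112.0/20 rogue block and the 192.168.1.1 "trusted" resolver are assumptions for illustration; the sample log is built from the six lines in the post above.

```python
"""Triage the Trojan.DNSChanger hits in a Malwarebytes (MBAM) log.

MBAM reports hijacked resolver lists under 'Registry Data Items Infected' as
  <registry key> (<detection>) -> Data: <servers> -> <action>
This script parses those lines, labels each server, and summarises which
control sets and NICs were hit, so you can tell whether the hijack was
cleaned everywhere or only in CurrentControlSet.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Assumption: the rogue resolver block used by the Zlob/DNSChanger family.
# Both 85.255.112.x servers reported in the thread fall inside it.
ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Assumption (constructed): the resolver this network is supposed to hand out.
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# One MBAM registry-data line: key, detection name, data, action taken.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_\S+)\s+\((?P<detection>[^)]+)\)\s+->\s+Data:\s+"
    r"(?P<data>.*?)\s+->\s+(?P<action>.*)$"
)
CONTROLSET_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\")
INTERFACE_RE = re.compile(r"\\Interfaces\\(\{[0-9a-fA-F-]+\})\\")
DNS_VALUES = {"DhcpNameServer", "NameServer"}

# Constructed sample: the six entries from the second MBAM scan in the thread.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
"""


class DnsFinding(NamedTuple):
    key: str
    value_name: str
    detection: str
    servers: List[str]
    action: str


def classify_server(server: str) -> str:
    """Label one resolver: rogue, trusted, private, bogus or unknown."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "bogus"            # not a parseable address at all
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    if ip in TRUSTED_RESOLVERS:
        return "trusted"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        return "bogus"            # reserved, loopback, link-local, ...
    return "unknown"              # public resolver nobody configured on purpose


def parse_mbam_dns_findings(log_text: str) -> List[DnsFinding]:
    """Extract the DhcpNameServer / NameServer hits from an MBAM log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, counts, other sections
        value_name = m.group("key").rsplit("\\", 1)[-1]
        if value_name not in DNS_VALUES:
            continue                      # some other registry data item
        # NameServer may be comma separated, DhcpNameServer space separated.
        servers = [s for s in re.split(r"[\s,]+", m.group("data")) if s]
        findings.append(DnsFinding(m.group("key"), value_name,
                                   m.group("detection"), servers,
                                   m.group("action")))
    return findings


def summarize(findings: List[DnsFinding]) -> Dict[str, object]:
    """Roll the findings up: which servers, control sets and NICs were hit."""
    classes: Counter = Counter()
    rogue, control_sets, interfaces = set(), set(), set()
    for f in findings:
        cs = CONTROLSET_RE.search(f.key)
        if cs:
            control_sets.add(cs.group(1))
        nic = INTERFACE_RE.search(f.key)
        if nic:
            interfaces.add(nic.group(1).lower())
        for s in f.servers:
            label = classify_server(s)
            classes[label] += 1
            if label == "rogue":
                rogue.add(s)
    return {
        "findings": len(findings),
        "rogue_servers": sorted(rogue),
        "control_sets": sorted(control_sets),
        "interfaces": sorted(interfaces),
        "classes": dict(classes),
        "all_removed": all("deleted successfully" in f.action for f in findings),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_dns_findings(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A hit that spans CurrentControlSet, ControlSet001 and ControlSet002 on the same interface GUID, as here, means the rogue servers were written into every boot configuration, which is why a single cleanup followed by a reboot can appear to "come back".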
Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 6:16 pm

Okay, let's go deeper.

1. Download this file - [You must be registered and logged in to see this link.]
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 6:46 pm

ComboFix 09-01-02.01 - Peter 2009-01-03 13:36:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2079 [GMT -5:00]
Running from: c:\users\Peter\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\resycled

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 23:56 . 2009-01-03 00:01 d-------- c:\users\Peter\AppData\Roaming\.clamwin
2009-01-02 23:56 . 2009-01-02 23:56 d-------- c:\program files\ClamWin
2009-01-02 23:39 . 2009-01-02 23:39 d-------- c:\program files\Common Files\Adobe Systems Shared
2009-01-02 20:05 . 2009-01-02 20:15 16 --a------ c:\windows\System32\coh.cache
2009-01-01 22:34 . 2009-01-01 23:39 d-------- c:\users\All Users\Spybot - Search & Destroy
2009-01-01 22:34 . 2009-01-01 23:39 d-------- c:\programdata\Spybot - Search & Destroy
2009-01-01 22:34 . 2009-01-01 23:32 d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 22:30 . 2009-01-01 22:30 d-------- c:\users\Peter\AppData\Roaming\SUPERAntiSpyware.com
2009-01-01 22:30 . 2009-01-01 22:30 d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-01-01 22:30 . 2009-01-01 22:30 d-------- c:\programdata\SUPERAntiSpyware.com
2009-01-01 22:30 . 2009-01-01 22:30 d-------- c:\program files\SUPERAntiSpyware
2009-01-01 22:30 . 2009-01-01 22:30 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-01 22:29 . 2009-01-01 22:29 d-------- c:\users\Peter\AppData\Roaming\Malwarebytes
2009-01-01 22:29 . 2009-01-01 22:29 d-------- c:\users\All Users\Malwarebytes
2009-01-01 22:29 . 2009-01-01 22:29 d-------- c:\programdata\Malwarebytes
2009-01-01 22:29 . 2009-01-01 22:29 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 22:29 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-01 22:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-01 18:55 . 2009-01-01 18:55 dr------- c:\users\Peter\Searches
2009-01-01 18:55 . 2009-01-01 18:55 dr------- c:\users\Peter\Contacts
2009-01-01 18:55 . 2009-01-01 18:55 d-------- c:\users\Peter\AppData\Roaming\Snapfish
2009-01-01 18:55 . 2009-01-01 18:55 44 --a------ c:\windows\system\hpsysdrv.dat
2009-01-01 18:10 . 2009-01-01 18:56 d-------- c:\users\Peter\AppData\Roaming\Hewlett-Packard
2009-01-01 18:09 . 2009-01-01 18:09 1,839 -rahs---- c:\windows\System32\drivers\103C_HP_CPC_GN561AA-ABA a6230n_YC_0Pavi_QCNH742_E74NAv3PrA1_49_INARRA2_SASUSTek Computer INC._V2.00_B5.11_T070716_WUH0_L409_M2943_J400_7AMD_8Athlon 64 X2 Dual Core_92.8_#071205_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-01-01 18:08 . 2009-01-02 22:44 dr------- c:\users\Peter\Videos
2009-01-01 18:08 . 2009-01-01 18:55 dr------- c:\users\Peter\Saved Games
2009-01-01 18:08 . 2009-01-01 18:55 dr------- c:\users\Peter\Pictures
2009-01-01 18:08 . 2009-01-01 18:55 dr------- c:\users\Peter\Music
2009-01-01 18:08 . 2009-01-01 18:55 dr------- c:\users\Peter\Links
2009-01-01 18:08 . 2009-01-03 13:21 dr------- c:\users\Peter\Downloads
2009-01-01 18:08 . 2009-01-03 12:22 dr------- c:\users\Peter\Documents
2009-01-01 18:08 . 2006-11-02 07:37 d-------- c:\users\Peter\AppData\Roaming\Media Center Programs
2009-01-01 18:08 . 2009-01-01 18:09 d--h----- c:\users\Peter\AppData
2009-01-01 18:07 . 2009-01-01 18:55 d-------- c:\users\Peter
2009-01-01 09:03 . 2009-01-01 09:03 dr------- c:\windows\System32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:32 --------- d-----w c:\programdata\Symantec
2009-01-03 18:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-03 04:38 --------- d-----w c:\program files\Common Files\Adobe
2009-01-02 03:34 --------- d--h--w c:\programdata\yahoo!
2009-01-02 03:34 --------- d-----w c:\program files\Yahoo!
2009-01-01 23:57 --------- d-----w c:\programdata\Hewlett-Packard
2009-01-01 23:03 --------- d-sh--w c:\programdata\Templates
2009-01-01 23:03 --------- d-sh--w c:\programdata\Start Menu
2009-01-01 23:03 --------- d-sh--w c:\programdata\Favorites
2009-01-01 23:03 --------- d-sh--w c:\programdata\Documents
2009-01-01 23:03 --------- d-sh--w c:\programdata\Desktop
2009-01-01 23:03 --------- d-sh--w c:\programdata\Application Data
2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
--a------ 2007-05-24 15:13 71176 c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-06-01 15:40 1783400 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 2007-04-18 10:01 65536 c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{90823AD4-A2F1-486D-8EA7-9E2C01DE83B2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4AE50274-27D8-4966-87D5-6311AA99B027}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AD0E426E-AB2A-4962-AE9B-768675D72A51}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BA8C0E53-1F52-47C1-8971-885FFD426EE4}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E7BCF2CF-8A5A-459D-A68B-F732A469DAB3}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CBF53917-2CFE-4BF8-8EAA-BD1A70250085}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{910241C0-1924-4F9A-8983-F09E47DAE720}"= UDP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{4138513D-EC3D-41B2-B144-E7857CF850A5}"= TCP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{44971A20-210F-4BEA-AA6D-3730BBD208C1}"= UDP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{D44A964B-D049-42D7-A464-AF800A1F9040}"= TCP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{D9972B78-4ED0-4A5E-9AFB-507626BF95F1}"= UDP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start
"{816E4EDB-C296-4BF9-8E23-094869EFF3BE}"= TCP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\spiykwwi.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-03 13:38:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2728)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2009-01-03 13:39:53
ComboFix-quarantined-files.txt 2009-01-03 18:39:50

Pre-Run: 361,799,438,336 bytes free
Post-Run: 361,829,814,272 bytes free


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 6:47 pm

Combofix deleted the resycled folder, and the log appears to be clean.
Any change?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 6:58 pm

Nope. Here is Malwarebyte's report again....

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 6.0.6000

1/3/2009 1:58:08 PM
mbam-log-2009-01-03 (13-58-08).txt

Scan type: Quick Scan
Objects scanned: 45198
Time elapsed: 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 7:14 pm

Hello.
Please download smitfraudfix from here:
[You must be registered and logged in to see this link.]
Download the file to your Desktop (Important!!)

Once it's downloaded, right click the file > "Run as administrator"
It will generate a folder for itself named Smitfraudfix, and the blue cmd window will open.
Allow it to load, and press any key to continue when asked.
Then, when given a list of choices, choose option 5 - Search and clean DNS Hijack.
I think it will make a log file, if it does, please post it here.


Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 7:19 pm

Okay... I ran this and it prompted- "Your computer may be victim of a DNS Hijack: 85.255.x.x

NVIDIA nForce Networking Controller

Do you want to set your network to dynamic -DHCP- Server?"

I clicked "Yes" and here is the log. Also, is it possible that the virus attacked the network and that's why it won't go away even if I reformatted my computer?

SmitFraudFix v2.388

Scan done at 14:18:07.17, Sat 01/03/2009
Run from C:\Users\Peter\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 85.255.112.75
DNS Server Search Order: 85.255.112.79
DNS Server Search Order: 1.2.3.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EE8227C0-2ACF-47E5-9DFF-89E83026540A}: DhcpNameServer=85.255.112.75 85.255.112.79 1.2.3.4

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 7:24 pm

Hmmm, I think that might have done it; there is no line in the "after" fix.
Does MBAM still find it?


Re: Zlob DNS Changer PLEASE HELP ME

Post by pc0809 on Sat Jan 03, 2009 9:21 pm

Okay, this is pretty advanced and complicated.

This DNS Changer actually went into my router and changed my DNS to what they wanted. I reset the router and everything is removed!
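As an added example (not code from this thread, nor from Malwarebytes, SmitFraudFix or ComboFix), the script below applies the same check those tools ran in the logs above to a .reg-style export of the Tcpip keys: it parses the keys, flags any resolver inside the 85.255.x.x range that SmitFraudFix reports as a hijack, and records whether each hit came from a DHCP-assigned value (DhcpNameServer) or a static one (NameServer). That distinction is the lesson of the thread: when only DhcpNameServer carries the rogue servers, the host is re-learning them from its DHCP server, which is why reformatting did not help until the router was reset. The sample export is constructed from the GUID and addresses in the MBAM log; treating the whole 85.255.0.0/16 as rogue, and the "dhcp-server" / "host-static" labels, are assumptions of this example.

```python
"""Flag rogue DNS resolvers in Windows Tcpip registry data and say where they
came from. Added example; sample data is constructed from the thread's logs."""
import ipaddress
import re
from dataclasses import dataclass

# SmitFraudFix in the thread prints "85.255.x.x" as its hijack signature; this
# example treats that whole /16 as rogue. Assumption: tune to your own intel.
ROGUE_RANGES = (ipaddress.ip_network("85.255.0.0/16"),)

# DhcpNameServer is written by the DHCP client; NameServer is set directly on
# the host (by an operator, or by malware running locally).
DHCP_VALUE = "DhcpNameServer"
STATIC_VALUE = "NameServer"

# Constructed REGEDIT4-style export using only the GUID and addresses the MBAM
# log above reports, plus an empty static NameServer on each key.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="85.255.112.75 85.255.112.79 1.2.3.4"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee8227c0-2acf-47e5-9dff-89e83026540a}]
"DhcpNameServer"="85.255.112.75 85.255.112.79 1.2.3.4"
"NameServer"=""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse the minimal subset used above: [key] headers followed by
    "name"="string" lines. Returns {key_path: {value_name: value_string}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def is_rogue(server: str) -> bool:
    """True when the address lies in a flagged range. A resolver entry that is
    not an IP address at all is reported as rogue as well."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return True
    return any(addr in net for net in ROGUE_RANGES)


@dataclass(frozen=True)
class Finding:
    key: str
    source: str  # "dhcp" or "static"
    server: str


def find_rogue_resolvers(reg: dict) -> list:
    """Walk every key and report each flagged resolver with the value that
    carried it, so the origin (DHCP vs. static) is visible per hit."""
    findings = []
    for key, values in reg.items():
        for name, source in ((DHCP_VALUE, "dhcp"), (STATIC_VALUE, "static")):
            # Windows separates multiple resolvers with spaces or commas.
            for server in re.split(r"[ ,]+", values.get(name, "").strip()):
                if server and is_rogue(server):
                    findings.append(Finding(key, source, server))
    return findings


def likely_origin(findings: list) -> str:
    """Decide where the rogue entries come from, which decides the fix."""
    sources = {f.source for f in findings}
    if not sources:
        return "clean"
    if sources == {"dhcp"}:
        # The thread's situation: every rogue entry was learned from DHCP, so
        # the DHCP server (the router) is what was changed; cleaning or even
        # reformatting the host cannot make the fix persist.
        return "dhcp-server"
    if sources == {"static"}:
        return "host-static"
    return "both"


if __name__ == "__main__":
    hits = find_rogue_resolvers(parse_reg_export(SAMPLE_EXPORT))
    for h in hits:
        print(f"{h.source:6} {h.server:15} {h.key}")
    print("origin:", likely_origin(hits))
```

Feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg` (decoded from the UTF-16 that reg.exe writes) to run it on a live machine. A result of "dhcp-server" means the next place to look is whatever answers DHCP on the LAN, exactly as happened here.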


Re: Zlob DNS Changer PLEASE HELP ME

Post by Belahzur on Sat Jan 03, 2009 9:25 pm

But the infection is gone?
Can you put your settings back?


Re: Zlob DNS Changer PLEASE HELP ME

Post by Doctor Inferno on Sat Feb 21, 2009 10:00 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Points : 104574
# Likes : 0
