
DNS settings keep reverting



Thank you in advance for any help.

The dumb stuff I did:

There is so much to tell, but I'll keep it brief.

I downloaded a file and started an install, and it turned out to be infected.

I uninstalled the file and deleted suspect files on the D: (backup) drive.

Symptoms:

Initial blank screen when starting the computer lasts longer than normal.

When I check the DNS with ipconfig, it keeps showing 85.255.112.159 no matter what I do.

Changing the IPv4 preferred DNS in the Windows network settings does no good. When I close the window and re-open it, it is changed back to automatic DNS.

I use Firefox with Adblock Plus, but when I do use IE, the web page ads are all for male enhancement.

I am posting as well as attaching the logs.

Here they are:

MBAM

Malwarebytes' Anti-Malware 1.30

Database version: 1340

Windows 6.0.6001 Service Pack 1

10/30/2008 6:04:15 PM

mbam-log-2008-10-30 (18-04-15).txt

Scan type: Quick Scan

Objects scanned: 54926

Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Panda ActiveScan

;*******************************************************************************

ANALYSIS: 2008-10-30 17:54:10

PROTECTIONS: 2

MALWARE: 10

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Windows Defender 1.1.2204.0 No Yes

Norton Antivirus Internet Security 2008 15.0.0.58 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00039204 adware/cws Adware No 0 Yes No c:\users\michael & marie\favorites\health

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@com[2].txt

00167665 Cookie/Clicktracks TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@stats1.clicktracks[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\michael_&_marie@server.iad.liveperson[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@overture[2].txt

00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@xxxcounter[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@target[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\michael_&_marie@did-it[2].txt

00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@www2.addfreestats[1].txt

00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Michael & Marie\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael_&_marie@www3.addfreestats[2].txt

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:15:14 PM, on 10/30/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\services.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\System32\svchost.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\PSIService.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Windows\sttray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Users\Michael & Marie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.star-telegram.com/local_news/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [startWMDriverWiz] C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\Logitech\WmDrivers\wmwizard.dll,WMWizardMain (User 'IUSR_NMPR')

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html

O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html

O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html

O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html

O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C5DA4019-031E-41C7-ADF5-526B8EBD6E86}: NameServer = 85.255.112.159;85.255.112.23

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

--

End of file - 16552 bytes

mbam_log_2008_10_30__18_04_15_.txt

ActiveScan.txt

hijackthis.log.txt

mbam_log_2008_10_30__18_04_15_.txt

ActiveScan.txt

hijackthis.log.txt

Link to post
Share on other sites
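As an added illustration (not from the original post, and not Malwarebytes or HijackThis code): a small Python checker that parses HijackThis O17 lines and MBAM "Registry Data Items Infected" lines of the kind pasted above, pulls out the control set, adapter GUID and NameServer addresses, and flags any resolver outside an allow-list. The allow-list (192.168.1.0/24, a home router) and the second adapter GUID in the sample are constructed assumptions; the 85.255.112.x entries are the ones from the logs.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# HijackThis O17 line, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4;5.6.7.8
HJT_O17 = re.compile(r"^O17 - (?P<key>HK[^:]*\\Tcpip\\[^:]*): NameServer = (?P<servers>.+?)\s*$")

# MBAM "Registry Data Items Infected" line for a NameServer value, e.g.
#   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\...\{GUID}\NameServer (Trojan.DNSChanger) -> Data: 1.2.3.4;5.6.7.8 -> ...
MBAM_NS = re.compile(r"^(?P<key>HKEY_\S*?\\NameServer) \((?P<detection>[^)]+)\) -> Data: (?P<servers>\S+)")

CONTROLSET = re.compile(r"\\(CurrentControlSet|ControlSet\d+|CCS|CS\d+)\\", re.IGNORECASE)
GUID = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


@dataclass
class NameServerEntry:
    source: str          # "hjt" or "mbam"
    control_set: str     # normalised: CurrentControlSet / ControlSet001 / ...
    interface: str       # adapter GUID, or "(global)" for the Tcpip\Parameters value
    servers: list[str]
    detection: str = ""  # MBAM detection name, if any


def _normalise_control_set(label: str) -> str:
    """Map HJT's CCS/CS1 and MBAM's CurrentControlSet/ControlSet001 to one spelling."""
    upper = label.upper()
    if upper in ("CCS", "CURRENTCONTROLSET"):
        return "CurrentControlSet"
    digits = re.sub(r"\D", "", upper)
    return f"ControlSet{int(digits):03d}"


def parse_nameserver_lines(text: str) -> list[NameServerEntry]:
    """Pull every NameServer entry out of pasted HJT / MBAM log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        source, detection = "hjt", ""
        match = HJT_O17.match(line)
        if match is None:
            match = MBAM_NS.match(line)
            if match is None:
                continue
            source, detection = "mbam", match.group("detection")
        key = match.group("key")
        cs = CONTROLSET.search(key)
        guid = GUID.search(key)
        servers = [s for s in re.split(r"[;,\s]+", match.group("servers")) if s]
        entries.append(NameServerEntry(
            source=source,
            control_set=_normalise_control_set(cs.group(1)) if cs else "unknown",
            interface=guid.group(1).lower() if guid else "(global)",
            servers=servers,
            detection=detection,
        ))
    return entries


def flag_rogue_resolvers(entries, allowed_networks):
    """Return (entry, rogue_servers) for every entry pointing outside the allow-list."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for entry in entries:
        rogue = []
        for server in entry.servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:       # not an IP address at all: treat as suspicious
                rogue.append(server)
                continue
            if not any(addr in net for net in nets):
                rogue.append(server)
        if rogue:
            findings.append((entry, rogue))
    return findings


def control_sets_hit(findings):
    """Control sets that still carry a rogue value; a clean of CurrentControlSet
    alone does not help when the value also sits in a fallback control set."""
    return {entry.control_set for entry, _ in findings}


# Constructed sample: the O17 and MBAM lines from the logs above, plus one
# constructed healthy adapter (GUID made up) pointing at the home router.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5DA4019-031E-41C7-ADF5-526B8EBD6E86}: NameServer = 85.255.112.159;85.255.112.23
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.
O17 - HKLM\System\CCS\Services\Tcpip\..\{0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}: NameServer = 192.168.1.1
"""

# Assumption: the only legitimate resolver is the home router on the LAN.
ALLOWED_RESOLVERS = ["192.168.1.0/24"]

if __name__ == "__main__":
    found = flag_rogue_resolvers(parse_nameserver_lines(SAMPLE_LOG), ALLOWED_RESOLVERS)
    for entry, rogue in found:
        print(f"[{entry.source}] {entry.control_set} {entry.interface}: rogue DNS {rogue} {entry.detection}")
    print("control sets affected:", sorted(control_sets_hit(found)))
```

Run it against a freshly pasted HJT and MBAM log after each clean-up: if the same rogue addresses reappear, something on the machine is re-writing the value rather than the log being stale.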

Hi mikeydude, and welcome to Malwarebytes. Please update MBAM and run a quick scan, then post that log and a new HJT log. Let me know if you're still being redirected.

Thank you for your reply.

Updated, scanned with MBAM, and rebooted per MBAM instructions.

Still being redirected.

MBAM

Malwarebytes' Anti-Malware 1.30

Database version: 1343

Windows 6.0.6001 Service Pack 1

10/31/2008 6:47:19 AM

mbam-log-2008-10-31 (06-47-19).txt

Scan type: Quick Scan

Objects scanned: 55500

Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:54:10 AM, on 10/31/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\System32\svchost.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\PSIService.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Windows\sttray.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\ehome\ehmsas.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Users\Michael & Marie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.star-telegram.com/local_news/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [startWMDriverWiz] C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\Logitech\WmDrivers\wmwizard.dll,WMWizardMain (User 'IUSR_NMPR')

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html

O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html

O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html

O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html

O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C5DA4019-031E-41C7-ADF5-526B8EBD6E86}: NameServer = 85.255.112.159;85.255.112.23

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

--

End of file - 16433 bytes

OK your router/modem is what is infected. Follow these instructions carefully.

scan, disconnect, remove, reboot, scan, save report, reconnect, reboot, scan, save report

Update MBAM again, run a quick scan, remove what is found, disconnect the ethernet cable, restart your computer, scan again, save the log.

Reconnect the router/modem, reboot, do another quick scan and post that log. This should clean you, but you must follow the instructions exactly. I know it's a lot of connecting and rebooting, but this is how we can clean the router/modem. You will never convince your ISP that you know the router/modem is infected. They won't listen and do what is needed.

There are two things you might need to know:

I didn't have the following info at work, so I'm posting it now.

First, before posting on this forum, I used Panda ActiveScan and found W32/Autorun.AJZ.worm on the backup partition (d:).

After reading the autorun file with notepad, I deleted it, as well as a directory called "resycled", that the autorun file referred to, also on the d: drive.

Second, there are 2 computers hooked through a network switch to the DSL modem/router.

The second computer shows no symptoms.

I changed the password on the DSL modem when I first put it in over a year ago.

Thank you for all of your help so far.

Unfortunately, the infection persists.

I followed your instructions precisely.

All scans were quick scans, and I only removed when you indicated.

After the last reboot, I got an error message: "Transitions Accessible Technologies between desktops has stopped working".

I clicked the close button on the error message window.

Note: the file that originally infected my computer appeared innocent enough.

When I ran the installer, it revealed itself as sexvid, but it was too late.

I didn't remember the name until I saw it in the MBAM quarantine list.

Malwarebytes has 4 objects in quarantine:

trojan.DNSChanger - c:\resycled\boot.com (file)

trojan.DNSChanger - c:\recycled (folder)

trojan.dnsChanger - HKEY_CLASSES_ROOT\sexvid (registry key)

ADWARE.COUPONS - HKEY_CURRENT_USER\SOFTWARE... (registry key)

Now the logs:

Log 1:

Malwarebytes' Anti-Malware 1.30

Database version: 1343

Windows 6.0.6001 Service Pack 1

10/31/2008 5:53:59 PM

mbam-log1-2008-10-31 (17-53-17).txt

Scan type: Quick Scan

Objects scanned: 54998

Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Log 2:

Malwarebytes' Anti-Malware 1.30

Database version: 1343

Windows 6.0.6001 Service Pack 1

10/31/2008 6:03:56 PM

mbam-log2-2008-10-31 (18-03-44).txt

Scan type: Quick Scan

Objects scanned: 54882

Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Log 3:

Malwarebytes' Anti-Malware 1.30

Database version: 1348

Windows 6.0.6001 Service Pack 1

10/31/2008 6:15:13 PM

mbam-log3-2008-10-31 (18-15-01).txt

Scan type: Quick Scan

Objects scanned: 54974

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Log 4:

Malwarebytes' Anti-Malware 1.30

Database version: 1348

Windows 6.0.6001 Service Pack 1

10/31/2008 6:24:12 PM

mbam-log4-2008-10-31 (18-24-06).txt

Scan type: Quick Scan

Objects scanned: 55206

Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

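The MBAM logs above flag NameServer and DhcpNameServer under CurrentControlSet, ControlSet001 and ControlSet003 for one interface GUID. As an added example (not code from this thread or from Malwarebytes), here is a PowerShell audit that walks those same keys in every control set, flags the two addresses seen in these logs, and clears only the statically set NameServer. It assumes an elevated prompt; the $KnownBad list and the function names are my own.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Audits the DNS server values Trojan.DNSChanger rewrites:
#   HKLM\SYSTEM\ControlSetNNN\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer
#     (statically configured DNS servers, empty when DHCP supplies them)
#   ...\DhcpNameServer (DNS servers learned from the DHCP lease)
# CurrentControlSet is a link to one of the ControlSetNNN keys, so walking every
# ControlSetNNN covers it. Run from an elevated PowerShell prompt (assumption).

# Addresses taken from the MBAM logs in this thread; extend as needed.
$KnownBad = @('85.255.112.159', '85.255.112.23')

function Get-DnsServerAudit {
    [CmdletBinding()]
    param([string[]] $BadServers = $KnownBad)

    $rows = @()
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($cs in $controlSets) {
        $ifRoot = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip\Parameters\Interfaces"
        if (-not (Test-Path -Path $ifRoot)) { continue }

        foreach ($iface in Get-ChildItem -Path $ifRoot) {
            $props = Get-ItemProperty -Path $iface.PSPath
            foreach ($valueName in 'NameServer', 'DhcpNameServer') {
                $raw = $props.$valueName
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }
                # Windows stores the server list as one string, ';' or ' ' separated
                $servers = @($raw -split '[;,\s]+' | Where-Object { $_ })
                $hits = @($servers | Where-Object { $BadServers -contains $_ })
                $rows += [pscustomobject]@{
                    ControlSet = $cs.PSChildName
                    Interface  = $iface.PSChildName
                    Value      = $valueName
                    Servers    = ($servers -join ';')
                    Suspicious = ($hits.Count -gt 0)
                }
            }
        }
    }
    return $rows
}

function Clear-RogueNameServer {
    # Clears a static NameServer that points at a known-bad address so the
    # interface falls back to DHCP. DhcpNameServer is deliberately left alone:
    # it is rewritten from the DHCP server (here the DSL modem/router) on every
    # lease, so it only stays clean once that device hands out good servers.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]] $BadServers = $KnownBad)

    foreach ($row in Get-DnsServerAudit -BadServers $BadServers) {
        if (-not $row.Suspicious -or $row.Value -ne 'NameServer') { continue }
        $key = "HKLM:\SYSTEM\$($row.ControlSet)\Services\Tcpip\Parameters\Interfaces\$($row.Interface)"
        if ($PSCmdlet.ShouldProcess("$key\NameServer", "clear '$($row.Servers)'")) {
            Set-ItemProperty -Path $key -Name 'NameServer' -Value ''
        }
    }
}

# Usage:
#   Get-DnsServerAudit | Format-Table -AutoSize   # review every interface and control set
#   Clear-RogueNameServer -WhatIf                  # preview what would be cleared
#   Clear-RogueNameServer                          # apply, then reboot and re-audit
Get-DnsServerAudit | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

If DhcpNameServer keeps coming back with the same addresses after a reboot, the lease itself is carrying them, which is the router/modem problem the helper describes rather than anything left on the PC.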

You didn't remove anything; every log shows "No action taken". You will need to repeat the process. This time be sure that you have placed a check in the boxes for all items found and that you take action.

Drat! The problem persists.

Whenever the ethernet cable is connected, MBAM finds nothing, but when I disconnect the ethernet cable, it finds 5 or 6 items.

Only my computer is affected, even though I have 2 computers hooked to the DSL modem through a wired network switch.

I gave more details at the beginning of my last post just to give you the "big picture".

NOTE: I had to restart the procedure you gave me from the beginning because I lost my place.

Logs:

MBAM Log 1

Malwarebytes' Anti-Malware 1.30

Database version: 1348

Windows 6.0.6001 Service Pack 1

11/1/2008 8:21:26 PM

mbam-log-2008-11-01 (20-21-26).txt

Scan type: Quick Scan

Objects scanned: 54194

Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM Log 2

Malwarebytes' Anti-Malware 1.30

Database version: 1348

Windows 6.0.6001 Service Pack 1

11/1/2008 8:28:25 PM

mbam-log-2008-11-01 (20-28-25).txt

Scan type: Quick Scan

Objects scanned: 54309

Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM Log 3

Malwarebytes' Anti-Malware 1.30

Database version: 1354

Windows 6.0.6001 Service Pack 1

11/1/2008 8:39:03 PM

mbam-log-2008-11-01 (20-39-03).txt

Scan type: Quick Scan

Objects scanned: 54403

Time elapsed: 1 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM Log 4

Malwarebytes' Anti-Malware 1.30

Database version: 1354

Windows 6.0.6001 Service Pack 1

11/1/2008 8:46:20 PM

mbam-log-2008-11-01 (20-46-20).txt

Scan type: Quick Scan

Objects scanned: 54347

Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I failed to mention that while I was re-running what you told me to do (just posted), after the 3rd reboot I got error messages on startup.

1st window:

AtBroker.exe

Application Error

The application failed to initialize properly (0xc0000005)

Click OK to terminate the application.

I clicked ok.

2nd window pops up:

Transitions accessible technologies between desktops has stopped working.

I closed that window too.

I rebooted the computer again just now, and the same thing happened.

Thanks for your time and patience, Jean.

I went through the sequence again, no error messages, but still infected.

Sorry for all of the extra posts.

I can post the latest logs if you wish.

1st & 2nd scans show 3 infected registry data items

3rd scan shows 6 infected registry data items

Last scan shows 0 infected items

OK, what you need to do is hard reset the modem. On the back there is a small opening labeled reset; you will need to use a pen to poke it. Be ready to call your ISP to get them to reconnect you. They will not believe you know what is going on and that it is their router/modem infected or that it is the router/modem infected. We know it is and it's pointless to try and convince them. Just tell them you have lost connection. They will reset you on their end and you should be clean. Maybe you can find the new connection, if your machine is able; mine will if I reset mine. Most will not. Let me know how you make out.

The DNS on my computer is still being redirected.

I did a hard reset on the DSL modem/router, pushing the reset button for 4-5 seconds. It powered off, and... reset.

I have 2 computers in the network, both going through a network switch to the DSL modem.

Only one of the computers is affected.

I appreciate your help. Don't give up on me!

I'm not giving up. I will need to get advice from someone. I already did that once, and we thought this would work. It might have to do with two machines being involved. I can't say anything useful at this time. I'll get some sleep, talk to the guru, and get back to you.

Thanks.

I don't know what part of my earlier comments you've read, but it seems that this all started when I carelessly downloaded and installed a file from an unknown and untrusted website.

I know better, but a lack of sleep may have had something to do with my lack of good sense.

I need a new updated MBAM log and a HJT please. I did re-read, and if you did delete all the files that's good, but obviously something is still here. I think we know what it is and I just need to see it in the HJT log.

Thanks for your assistance and your perseverance.

Here are the latest logs:

MBAM Log

Malwarebytes' Anti-Malware 1.30

Database version: 1361

Windows 6.0.6001 Service Pack 1

11/3/2008 5:28:04 PM

mbam-log-2008-11-03 (17-28-04).txt

Scan type: Quick Scan

Objects scanned: 54652

Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HiJack This Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:33:06 PM, on 11/3/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\System32\svchost.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\PSIService.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Windows\sttray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Windows\system32\taskeng.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Users\Michael & Marie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.star-telegram.com/local_news/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [startWMDriverWiz] C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\Logitech\WmDrivers\wmwizard.dll,WMWizardMain (User 'IUSR_NMPR')

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html

O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html

O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html

O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html

O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C5DA4019-031E-41C7-ADF5-526B8EBD6E86}: NameServer = 85.255.112.159;85.255.112.23

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

--

End of file - 16518 bytes


OK, first you need to move HJT from the desktop to Program Files. I missed this before. Once that is done, run it in scan-only mode, place a check next to the following, and then click Fix.

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

Reboot, update MBAM, run a quick scan, remove all, and post the log and a new HJT log. Cross your fingers ;)


Success! ;)

I checked IPCONFIG and the DNS is back to normal.

"Those" ads were still showing up on some websites in IE.

I didn't wait for instructions, but cleared all IE temporary files, cache, cookies, etc. and the ads returned to normal.

Also, I just did another MBAM scan while posting, and it showed no infected items!

Your help is greatly appreciated, O wise one!

Thank you!

Logs:

MBAM

Malwarebytes' Anti-Malware 1.30

Database version: 1366

Windows 6.0.6001 Service Pack 1

11/4/2008 4:28:06 PM

mbam-log-2008-11-04 (16-28-06).txt

Scan type: Quick Scan

Objects scanned: 54397

Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:33:14 PM, on 11/4/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\services.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\System32\svchost.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\PSIService.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Windows\sttray.exe

C:\Windows\system32\STacSV.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.star-telegram.com/local_news/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [startWMDriverWiz] C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\Logitech\WmDrivers\wmwizard.dll,WMWizardMain (User 'IUSR_NMPR')

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html

O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html

O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html

O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html

O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

--

End of file - 16402 bytes


Heh, I can't take credit for this one; I got advice from the lead definitions researcher. Nice having an inside track. ;)

I need to see a clean MBAM log and a clean HJT log before I call it clean.

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe <======== still in the log.

Show me new clean logs and we still have some final steps.


Your suspicions were correct. It's back (or never gone).

I will give you two sets of scans.

The first set you asked for, when things seemed normal, and another after a normal reboot.

(I was curious what would happen after power off/on, so I rebooted to simulate an off/on cycle, then did another set of scans).

MBAM found the usual suspects on the second scan (after reboot). The HJT file size is larger on the after-reboot scan also.

Sorry if it is overload, but I wanted you to be able to compare them, if necessary.

1st Set of Scans

MBAM 1st Scan

Malwarebytes' Anti-Malware 1.30

Database version: 1366

Windows 6.0.6001 Service Pack 1

11/4/2008 7:17:35 PM

mbam-log-2008-11-04 (19-17-35).txt

Scan type: Quick Scan

Objects scanned: 54493

Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT 1st Scan

Malwarebytes' Anti-Malware 1.30

Database version: 1366

Windows 6.0.6001 Service Pack 1

11/4/2008 7:17:35 PM

mbam-log-2008-11-04 (19-17-35).txt

Scan type: Quick Scan

Objects scanned: 54493

Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Scans After a Normal Reboot

2nd MBAM Scan

Malwarebytes' Anti-Malware 1.30

Database version: 1367

Windows 6.0.6001 Service Pack 1

11/4/2008 11:42:59 PM

mbam-log-2008-11-04 (23-42-59).txt

Scan type: Quick Scan

Objects scanned: 54669

Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2nd HJT Scan

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:47:34 PM, on 11/4/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\System32\svchost.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\PSIService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Windows\sttray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\system32\STacSV.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskeng.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.star-telegram.com/local_news/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [startWMDriverWiz] C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\Logitech\WmDrivers\wmwizard.dll,WMWizardMain (User 'IUSR_NMPR')

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html

O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html

O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html

O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html

O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C5DA4019-031E-41C7-ADF5-526B8EBD6E86}: NameServer = 85.255.112.159;85.255.112.23

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

--

End of file - 16468 bytes


Sorry for the extra scan.

The second scan will probably look like all the rest that I've already sent you.

I realized that if the malware is still active on the first scan, that's probably all you need.

It was late when I posted, so my tiredness will have to be my excuse.


Did you delete this O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe ?

You need to run HJT in scan-only mode, put a check next to this O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe, click Fix, reboot, scan with an updated MBAM, and post that log and the HJT log.
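The pattern in this thread is the one worth recognising: MBAM reports the NameServer data as "Quarantined and deleted successfully", yet the next HJT log after a reboot shows the same O17 entry and the same "Windows Tribute Service" O23 entry, so the DNS values are being re-written by something that survived the cleanup. The script below is an added example, not a tool from this thread or from Malwarebytes, that reads the O17 and O23 lines of an HJT log next to the "Registry Data Items Infected" lines of an MBAM log and flags exactly that: resolvers MBAM already removed reappearing (a persistence mechanism still exists), resolvers outside a trusted set, and "Unknown owner" services running from system32. The sample log lines are constructed from the shapes posted above; the trusted resolver address and the scoring heuristic (HJT's O23 list normally omits Microsoft's own services, so a no-vendor service calling itself "Windows ..." is rated HIGH) are assumptions for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines in the shape of the HijackThis (HJT) and
# Malwarebytes (MBAM) logs posted in this thread; not the full logs.
SAMPLE_HJT = """\
O1 - Hosts: ::1 localhost
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{C5DA4019-031E-41C7-ADF5-526B8EBD6E86}: NameServer = 85.255.112.159;85.255.112.23
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\\Windows\\system32\\PSIService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\\Windows\\system32\\kdkfp.exe
"""

SAMPLE_MBAM = """\
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.
"""

# O17: per-interface NameServer override; O23: installed services as HJT prints them.
O17_RE = re.compile(r"^O17 - .*\{([0-9A-Fa-f-]+)\}: NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# MBAM line for a NameServer value it removed; captures the semicolon-separated IPs.
MBAM_NS_RE = re.compile(r"\\NameServer \(.*?\) -> Data: ([0-9.;]+) ->")


def parse_hjt(text: str) -> Dict[str, list]:
    """Pull the two HJT line types that matter for a DNS-changer case."""
    nameservers: List[Tuple[str, List[str]]] = []
    services: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = O17_RE.match(line)
        if m:
            nameservers.append((m.group(1).lower(), m.group(2).split(";")))
            continue
        m = O23_RE.match(line)
        if m:
            services.append((m.group(1), m.group(2), m.group(3)))
    return {"nameservers": nameservers, "services": services}


def mbam_removed_resolvers(text: str) -> Set[str]:
    """Resolver IPs that MBAM reported deleting from a NameServer value."""
    found: Set[str] = set()
    for m in MBAM_NS_RE.finditer(text):
        found.update(m.group(1).split(";"))
    return found


def triage(hjt_text: str, mbam_text: str, trusted_resolvers: Set[str]) -> List[str]:
    """Findings a helper would want to see before calling the machine clean."""
    hjt = parse_hjt(hjt_text)
    removed = mbam_removed_resolvers(mbam_text)
    findings: List[str] = []

    for guid, ips in hjt["nameservers"]:
        rogue = [ip for ip in ips if ip not in trusted_resolvers]
        if rogue:
            findings.append(f"O17 {guid}: untrusted resolver(s) {';'.join(rogue)}")
        # The key signal from this thread: MBAM deleted these values, and they are back.
        if set(ips) & removed:
            findings.append(
                f"O17 {guid}: resolvers MBAM already deleted are back -> "
                "a persistence mechanism is re-writing NameServer; remove it first"
            )

    for name, owner, path in hjt["services"]:
        in_system32 = "\\system32\\" in path.lower()
        if owner == "Unknown owner" and in_system32:
            # Assumed heuristic: HJT omits Microsoft's own services from O23, so a
            # no-vendor service styled "Windows ..." in system32 is rated HIGH;
            # any other no-vendor binary in system32 is listed for manual review.
            level = "HIGH" if name.lower().startswith("windows") else "review"
            findings.append(f"O23 [{level}] '{name}' -> {path} (no vendor in version info, runs from system32)")
    return findings


if __name__ == "__main__":
    # Assumed trusted resolver: the home router, for illustration only.
    for finding in triage(SAMPLE_HJT, SAMPLE_MBAM, {"192.168.1.1"}):
        print(finding)
```

On the logs in this thread the script would report the O17 entry for interface {c5da4019-...} twice (untrusted resolvers, and resolvers that MBAM had just deleted), list ProtexisLicensing for review, and rate "Windows Tribute Service" (kdkfp.exe) HIGH; that is the item to fix in HJT before expecting the NameServer values to stay gone.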


I did follow those steps, but I repeated them again just to be sure.

HJT doesn't seem to be doing anything.

Let me explain.

On reboot after MBAM, Windows Vista shows a message in the systray saying "Windows has blocked some startup programs".

I have to click on MBAM listed there before Windows will let MBAM finish removing items.

This does not happen with HJT, so I don't know if anything is happening with HJT on reboot.

Logs:

MBAM

Malwarebytes' Anti-Malware 1.30

Database version: 1368

Windows 6.0.6001 Service Pack 1

11/5/2008 9:42:23 PM

mbam-log-2008-11-05 (21-42-23).txt

Scan type: Quick Scan

Objects scanned: 54412

Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c5da4019-031e-41c7-adf5-526b8ebd6e86}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.159;85.255.112.23 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:45:57 PM, on 11/5/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\System32\svchost.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\PSIService.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Windows\sttray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.star-telegram.com/local_news/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')

O4 - HKUS\S-1-5-21-2192114254-1372839668-3813449264-1000\..\Run: [startWMDriverWiz] C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\Logitech\WmDrivers\wmwizard.dll,WMWizardMain (User 'IUSR_NMPR')

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html

O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html

O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html

O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html

O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe

--

End of file - 16377 bytes


Did you delete this O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe ?

You need to run HJT in scan only, put a check next to this O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdkfp.exe, click fix, reboot, scan with updated MBAM, and post that log and the HJT log.

Please see my previous reply.

Should I try the "delete a file on reboot" button under the HJT miscellaneous tools menu to get rid of the offending file?


You need to allow MBAM to do what it wants and delete the line with HJT by putting a check in the box and clicking fix. Run both as an admin. Vista is horrid for stopping all functions. What else is getting blocked from starting? You need to be logged on with full permissions as an admin. If it's blocking MBAM from starting, it won't let HJT delete on reboot either. You might try FileASSASSIN in MBAM to delete the file C:\Windows\system32\kdkfp.exe; that is your malware. It has to go.

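The two helper replies above give the cleanup procedure (fix the O23 line in HJT, reboot, rescan). The script below is an added verification step, not something posted in this thread or shipped with MBAM or HJT; it assumes an elevated PowerShell prompt and uses only the service name and file path from the HJT log to confirm that the DNS hijack and its persistence mechanism are really gone after the reboot.

```powershell
# Added verification script (not from the thread). Run elevated, after the HJT fix and reboot,
# to check the three things a DNSChanger of this kind leaves behind:
# static NameServer values, the persisting service, and the dropped executable.

$ifaceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$badExe     = 'kdkfp.exe'                 # from the O23 line in the HJT log
$badSvcName = 'Windows Tribute Service'   # from the same O23 line
$findings   = @()

# 1. Per-interface DNS settings. A static NameServer value overrides the
#    DHCP-supplied servers, which is why ipconfig kept showing the rogue address
#    even though the GUI said "automatic".
foreach ($k in Get-ChildItem $ifaceKey) {
    $p = Get-ItemProperty -Path $k.PSPath
    "$($k.PSChildName)  static=[$($p.NameServer)]  dhcp=[$($p.DhcpNameServer)]"
    if ($p.NameServer) {
        $findings += "Static NameServer still set on $($k.PSChildName): $($p.NameServer)"
    }
}

# 2. The service that kept re-writing the value. HJT showed no parenthesised
#    short name, so the display name is also the service name.
$svc = Get-Service | Where-Object {
    $_.Name -eq $badSvcName -or $_.DisplayName -eq $badSvcName }
if ($svc) { $findings += "Service still registered: $($svc.Name) ($($svc.Status))" }

# 3. Any service, whatever it is called now, whose ImagePath points at the dropped file.
foreach ($k in Get-ChildItem $svcKey -ErrorAction SilentlyContinue) {
    $ip = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($ip -and $ip -like "*$badExe*") {
        $findings += "ImagePath references $badExe : $($k.PSChildName) -> $ip"
    }
}

# 4. The file itself.
$exe = Join-Path $env:SystemRoot "system32\$badExe"
if (Test-Path $exe) { $findings += "File still present: $exe" }

if ($findings.Count -eq 0) {
    'Clean: no static NameServer values, no Windows Tribute Service, no kdkfp.exe.'
} else {
    'Not yet clean:'
    $findings | ForEach-Object { "  - $_" }
}
```

If the service or file is reported again after a reboot, the persistence mechanism survived the HJT fix, which is exactly the case the second reply addresses with FileASSASSIN.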
