12 infections every reboot

[Meteor Hammer]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:50:51 AM, on 12/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Spin32 - 3497d1fd-bd47-4046-b167-4e4382228237 - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Spin32\Spin32.lnk (HKCU)

O9 - Extra button: ReeferPoker - 60a501e4-a078-4cb2-8728-3fab4264f3c1 - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\ReeferPoker\ReeferPoker.lnk (HKCU)

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)

O9 - Extra button: The Poker Community - {23ce1f91-bc56-49f9-be01-bddf4ef76305} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\The Poker Community\The Poker Community.lnk (HKCU)

O9 - Extra button: WassPoker - {4053ebe6-a54d-4bb9-b118-ce1d8f99a548} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\WassPoker\WassPoker.lnk (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{5507D818-39EC-44C4-9753-8F2583E8A15B}: NameServer = 85.255.114.55;85.255.112.21

O17 - HKLM\System\CCS\Services\Tcpip\..\{59FE2AF6-C93A-4B84-ACFB-793A9D60E66B}: NameServer = 85.255.114.55;85.255.112.21

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.55;85.255.112.21

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55;85.255.112.21

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 7934 bytes

[Meteor Hammer]

Malwarebytes' Anti-Malware 1.23

Database version: 985

Windows 5.1.2600 Service Pack 2

4:57:15 AM 12/15/2008

mbam-log-12-15-2008 (04-57-15).txt

Scan type: Quick Scan

Objects scanned: 20384

Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 12

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5507d818-39ec-44c4-9753-8f2583e8a15b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5507d818-39ec-44c4-9753-8f2583e8a15b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5507d818-39ec-44c4-9753-8f2583e8a15b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[nosirrah]

There is a form of DNSChanger that adds its malicious DNS servers directly to your router/modem and in turn these servers are absorbed as defaults by windows as it boots .

You can confirm this by doing the following :

1. Boot

2. Do a MBAM scan and save the log (DO NOT REBOOT YET) .

3. Disconnect your networking cable (if you have wireless disable it temporarily) .

4. With your networking disconnected/disabled allow MBAM to remove these threats and then reboot your system .

5. Do a MBAM scan and save a (this log will be empty if your router/modem has been patched) .

6. Reconnect/enable your networking again , reboot and do another scan .

If your router/modem is patched you will have gotten the following :

1. Boot with networking enabled = dirty scan (you have already seen this one many times) .

2. Boot with networking disabled (and and after MBAM scan/remove) = clean scan .

3. Boot with networking re enabled = dirty scan again .

If we can confirm that malware is not reinstalling these servers then there are two ways to get these servers out of your router modem/router .

1. Use the hard reset button (this is NOT the same as power cycling/bouncing your modem/router) which sets it back to factory default .

2. Log into your router/modem and delete these servers directly .

Option 1 is easy and works 100% of the time but does also often force you to set up your ISP again (if you have DSL this is a 100% certainty) .

Option 2 is harder and if you have never logged into your modem/router requires either that you look up the info on your modem/router so that you can log in and make changes or that you call your ISP and ask for the same info .

If this info is enough for you to fix this on your own there are 2 critical final steps :

1. Set a username/password for your router/modem that is unique .

2. Disable UPNP in your router/modem settings (this is NOT the UPNP service in windows and MUST be done from within the option of the router/modem itself) .

Step 1 prevents anyone from logging into your router/modem with factory default set info .

Step 2 prevents a well known exploit of UPNP from allowing an attacker to bypass your router/modem username/password altogether .

[Meteor Hammer]

its got me good.. 12 still show up after multiple MBAM scans with network disabled..anymore ideas?

Malwarebytes' Anti-Malware 1.23

Database version: 985

Windows 5.1.2600 Service Pack 2

12:27:19 PM 12/15/2008

mbam-log-12-15-2008 (12-27-19).txt

Scan type: Quick Scan

Objects scanned: 66271

Time elapsed: 13 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 12

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{59fe2af6-c93a-4b84-acfb-793a9d60e66b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.55;85.255.112.21 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[nosirrah]

Malwarebytes' Anti-Malware 1.23

Database version: 985

Why are you using such an old version of MBAM ?

This is current :

Malwarebytes' Anti-Malware 1.31

Database version: 1502

[Meteor Hammer]

WOW TY..got a fresh updated copy..it found more stuff and FIXED EVERYTHING..PC is running great now tytytyytyty

[nosirrah]

Glad to hear it .

Keep in mind that in this day and age going even a day without updates is dangerous .