YQUSTA Posted December 19, 2008

I have run Malwarebytes and it found 10 items, which I deleted. I could not update Malwarebytes because the DNS changer won't let me get to the Malwarebytes website. After deleting the files I rebooted, but I cannot stop the DNS from changing to the bogus one. I tried to do an ipconfig /dnsflush with no luck either. Please help as I am now lost.

Thanks
YQUSTA

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:05:23, on 19/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://www.download.five.tv/Download/five_3_4_0_8.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://www.download.five.tv/Download/Entri...0_10_Silent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD011539-FD3B-44D7-894F-380CA7EF2819}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CS1\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6423 bytes
TeMerc (Staff) Posted December 19, 2008

Hello, I'm Tom, part of the Malwarebytes support team, and I'll be assisting you today.

At any point, if you're unsure of the directions presented to you below, don't hesitate to come back for clarification. It may help if you print them out. Also please remember to subscribe to or track this topic for replies so you'll be alerted when I post back continuing instructions.

The symptom of being unable to reach the Malwarebytes website may indicate a rootkit, so let's perform the following to check for that rootkit.

Locate, if present, the following file and delete it: C:\windows\ntbtlog.txt <<<< this file

Reboot, this way:
Turn on the computer.
Immediately begin tapping the <F8> key. (Do not go into safe mode.)
A menu will appear with several choices to choose from.
From the advanced boot menu choose "enable boot logging", then hit Enter.

Once the system boots, please post the following log file for my review: C:\windows\ntbtlog.txt <<<-- this one

We'll proceed based on what this .txt file shows me.
YQUSTA Posted December 19, 2008

Hi Tom,

First off, thank you for helping me. Here is the log requested.

Did not load driver Intel Processor
Did not load driver Intel Processor
Did not load driver Radeon X1950 Pro
Did not load driver Radeon X1950 Pro Secondary
Did not load driver Realtek High Definition Audio
Did not load driver Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Did not load driver Canon iP4300
Did not load driver Texas Instruments OHCI Compliant IEEE 1394 Host Controller
Did not load driver ECP Printer Port
Did not load driver Standard Game Port
Did not load driver Communications Port
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver WAN Miniport (L2TP)
Did not load driver WAN Miniport (IP)
Did not load driver WAN Miniport (PPPOE)
Did not load driver WAN Miniport (PPTP)
Did not load driver Packet Scheduler Miniport
Did not load driver Packet Scheduler Miniport
Did not load driver Packet Scheduler Miniport
Did not load driver Direct Parallel
Service Pack 3
12 19 2008 23:31:12.359
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver drvmcdb.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver srescan.sys
Loaded driver speedfan.sys
Loaded driver sbhr.sys
Loaded driver Mup.sys
Loaded driver giveio.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\SMBios.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtenicxp.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\Drivers\kbfilter.SYS
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Loaded driver \SystemRoot\system32\drivers\sscdbhk5.sys
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Asapi.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\system32\drivers\ssrtln.sys
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \systemroot\system32\drivers\msqpdxmhxtoeqh.sys
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\vsdatant.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\hmonitor.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\drivers\drvnddm.sys
Loaded driver \SystemRoot\system32\dla\tfsndres.sys
Loaded driver \SystemRoot\system32\dla\tfsnifs.sys
Loaded driver \SystemRoot\system32\dla\tfsnopio.sys
Loaded driver \SystemRoot\system32\dla\tfsnpool.sys
Loaded driver \SystemRoot\system32\dla\tfsnboio.sys
Loaded driver \SystemRoot\system32\dla\tfsncofs.sys
Loaded driver \SystemRoot\system32\dla\tfsndrct.sys
Loaded driver \SystemRoot\system32\dla\tfsnudf.sys
Loaded driver \SystemRoot\system32\dla\tfsnudfa.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Regards
YQUSTA
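A boot log this long is easier to triage mechanically than by eye. The script below is an added example (editor's code, not something posted in this thread or shipped with any of the tools it mentions). It parses ntbtlog.txt-style lines and applies three heuristics, all of them assumptions stated in the comments rather than rules the log format guarantees: a lowercase `\systemroot\` prefix (the other drivers in this log are listed under `\SystemRoot\` or `\WINDOWS\`, and ComboFix later in the thread prints exactly that lowercase string as the service's ImagePath), a `\??\C:\` absolute path, and a random-looking file name measured as a long run of consonants. The sample input is a constructed eight-line excerpt of the log above, not the whole file.

```python
import re

# Constructed excerpt of the ntbtlog.txt posted above (eight lines, not the full log).
SAMPLE_NTBTLOG = r"""Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\hmonitor.sys
Loaded driver \SystemRoot\system32\dla\tfsndrct.sys
Loaded driver \systemroot\system32\drivers\msqpdxmhxtoeqh.sys
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
"""

LINE_RE = re.compile(r"^(?P<status>Loaded driver|Did not load driver) (?P<path>\S.*)$")


def longest_consonant_run(name):
    """Length of the longest run of consonant letters in a file stem (digits and '_' break a run)."""
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch.lower() not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def indicators(path):
    """Return the heuristic indicators that apply to one driver path (empty list = nothing odd)."""
    hits = []
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    # Heuristic 1 (assumption): every other driver in this log is listed as \SystemRoot\...
    # or \WINDOWS\...; an all-lowercase \systemroot\ prefix is the service's ImagePath
    # string written verbatim by whatever installed it, which Windows setup does not do.
    if path.startswith("\\systemroot\\"):
        hits.append("lowercase-systemroot-imagepath")
    # Heuristic 2: \??\C:\... is a Win32 path wrapped as an NT path. Third-party tools do
    # this legitimately (hmonitor.sys here), so it only marks the entry for review.
    if path.startswith("\\??\\"):
        hits.append("absolute-win32-imagepath")
    # Heuristic 3 (assumption): generated names are consonant soup. The threshold of 9 is
    # tuned to this log: the vendor name tfsndrct scores 8, msqpdxmhxtoeqh scores 10.
    if longest_consonant_run(stem) >= 9:
        hits.append("random-looking-name")
    return hits


def triage_boot_log(text):
    """Return [(path, [indicator, ...])] for every 'Loaded driver' line that trips a heuristic."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "Loaded driver":
            continue  # unloaded drivers never ran; skip them
        hits = indicators(m.group("path"))
        if hits:
            findings.append((m.group("path"), hits))
    return findings


if __name__ == "__main__":
    for path, hits in triage_boot_log(SAMPLE_NTBTLOG):
        print(path, "->", ", ".join(hits))
```

Run against the full log above, the only driver that trips both the path and the name heuristics is `msqpdxmhxtoeqh.sys`, which is the file ComboFix removes later in this thread together with its `msqpdxserv.sys` service. The heuristics are a triage aid, not proof: the absolute-path hit on hmonitor.sys is a benign monitoring driver, and a malicious driver with a plausible name under `\SystemRoot\System32\DRIVERS\` would pass all three checks.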
TeMerc (Staff) Posted December 20, 2008

Ok, thanks for doing that. Good news, no rootkit!

Let's run another tool which checks DNS settings and see what it finds.

Before we get going though, please disable all your 'real time' security software which may interfere with these steps.

Please download SmitfraudFix (by S!Ri). Save it to your desktop.

For Vista users: right-click SmitfraudFix.exe and select 'Run as administrator'.

Double-click the Smitfraud.exe and it will install a new folder to your desktop, called SmitFraudFix. Shortly after that a DOS command window will appear. Once it opens, hit any key to continue.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.

No need for a new HJT log, just the results from the SmitFraud tool.
YQUSTA Posted December 20, 2008

Hi Tom, here is the text file.

SmitFraudFix v2.387

Scan done at 9:49:16.18, 20/12/2008
Run from C:\Documents and Settings\Yqusta\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode
TeMerc (Staff) Posted December 20, 2008

Second part of fix:

Please update and rescan with MBAM.

Then reboot into safe mode, this way:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the MBAM report and a new HijackThis log.
YQUSTA Posted December 20, 2008

Have done all points. Here are the logs in order.

SmitFraudFix v2.387

Scan done at 20:51:20.20, 20/12/2008
Run from C:\Documents and Settings\Yqusta\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode
TeMerc (Staff) Posted December 21, 2008

Ok, thanks for getting that done.

Open HJT and run another scan. Once it's completed the scan, look over the following entries I have listed, place a check in the boxes next to them as displayed (some may not be present due to previous instructions), and press the button. When you are doing this, make sure you have no browser windows open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

Reboot, run another scan with HJT and post the log back into this thread please, and advise of any ongoing or new problems as well as providing any info and/or logs requested above.
YQUSTA Posted December 21, 2008

Hi Tom, please find below the HJT log.

The DNS address still reverts back to 85.255.114.102 when I change it in the TCP/IP of my LAN. My screen background has changed; I have not tried to change it back yet.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:09, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://www.download.five.tv/Download/five_3_4_0_8.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://www.download.five.tv/Download/Entri...0_10_Silent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD011539-FD3B-44D7-894F-380CA7EF2819}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83
O17 - HKLM\System\CS1\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5936 bytes

Regards
YQUSTA
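The O17 entries are the whole story of this infection: every control set (CCS, CS1, CS2) and every interface GUID carries its own NameServer value, and the rogue pair is written into several of them. The script below is an added example (editor's code, not from this thread or from HijackThis) that parses O17 lines, classifies each resolver against an allowlist and a known-bad range, and emits the `reg delete` commands that would clear each tainted value. Assumptions, also marked in the code: the ISP resolvers 212.104.130.9 and 212.104.130.65 from the log are the legitimate ones, and 85.255.112.0/20 is the block the DNSChanger rogue resolvers used, which is background knowledge from the later takedown notices rather than something the thread states. The sample lines are copied from the log above.

```python
import ipaddress
import re

# Assumption: the resolvers on the ISP-assigned interfaces in the log above are the
# legitimate ones for this machine. Anything else is at least "unexpected".
EXPECTED_DNS = {"212.104.130.9", "212.104.130.65"}

# Assumption / background knowledge: 85.255.112.0/20 is the block the DNSChanger rogue
# resolvers sat in, per the later takedown notices. Not stated anywhere in the thread.
KNOWN_BAD_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis O17 line shapes:
#   O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\..\{iface GUID}: NameServer = a,b
#   O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\Parameters: NameServer = a;b
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters)"
    r": NameServer = (?P<servers>.+)$"
)

# Constructed sample: four O17 lines from the log above plus one unrelated O23 line.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]


def parse_o17(line):
    """Return {control_set, scope, servers} for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HJT shows the value verbatim; Windows accepts ',' or ';' (or space) as separators.
    servers = [s for s in re.split(r"[;,\s]+", m.group("servers")) if s]
    return {"control_set": m.group("cs"), "scope": m.group("iface") or "Parameters", "servers": servers}


def classify(server):
    """expected / known-bad / unexpected / unparseable for one resolver address."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if server in EXPECTED_DNS:
        return "expected"
    if any(ip in net for net in KNOWN_BAD_NETS):
        return "known-bad"
    return "unexpected"


def triage(lines):
    """Every O17 entry that carries at least one resolver outside the allowlist."""
    findings = []
    for line in lines:
        entry = parse_o17(line)
        if entry is None:
            continue
        verdicts = {s: classify(s) for s in entry["servers"]}
        if any(v != "expected" for v in verdicts.values()):
            findings.append({**entry, "verdicts": verdicts})
    return findings


def registry_key(entry):
    """Expand HJT's CCS/CSn shorthand into the real key that holds the NameServer value."""
    cs = entry["control_set"]
    cs_name = "CurrentControlSet" if cs == "CCS" else "ControlSet%03d" % int(cs[2:])
    key = "HKLM\\SYSTEM\\" + cs_name + "\\Services\\Tcpip\\Parameters"
    if entry["scope"] != "Parameters":
        key += "\\Interfaces\\" + entry["scope"]
    return key


def reset_commands(findings):
    """One 'reg delete' per tainted value; with the value gone the interface falls back to DHCP DNS."""
    return ['reg delete "%s" /v NameServer /f' % registry_key(f) for f in findings]


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LINES)
    for f in found:
        print(f["control_set"], f["scope"], f["verdicts"])
    print("\n".join(reset_commands(found)))
```

Two caveats that this thread itself illustrates. First, the original post and the reply above both report that the value comes straight back after being changed, so clearing the registry (by HJT, by `reg delete`, or through the TCP/IP dialog) is only durable once whatever rewrites it is gone; the ComboFix log later in the thread removes a driver and its service, which is that rewriter. Second, CCS is an alias for one of the ControlSetNNN keys and CS1/CS2 are the saved copies, so a clean current control set can be silently undone by a "Last Known Good" boot unless those copies are cleaned as well, which is why the staff fix lists CS1 and CS2 alongside CCS.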
TeMerc (Staff) Posted December 21, 2008

OK, let's see what's really going on here.

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
YQUSTA Posted December 21, 2008

Hi Tom, as requested:

ComboFix 08-12-20.05 - Yqusta 2008-12-21 18:52:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1116 [GMT 0:00]
Running from: c:\documents and settings\Yqusta\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Dogg1\Local Settings\Temporary Internet Files\search.html
c:\windows\system32\404Fix.exe
c:\windows\system32\drivers\msqpdxmhxtoeqh.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\msqpdxosvdnrsr.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSQPDXSERV.SYS
-------\Legacy_MSQPDXSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-20 09:49 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-18 23:44 . 2008-12-18 23:44 <DIR> d-------- C:\VundoFix Backups
2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\windows\system32\xircom
2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\windows\system32\Lang
2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\windows\mui
2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\program files\microsoft frontpage
2008-12-18 23:23 . 2008-12-18 23:23 <DIR> d-------- c:\documents and settings\Administrator.YQUSTA-28YGJHXQ\Application Data\Malwarebytes
2008-12-18 23:07 . 2008-12-18 23:07 <DIR> d-------- c:\documents and settings\Administrator.YQUSTA-28YGJHXQ\Application Data\Pmcc
2008-12-15 23:55 . 2008-12-15 23:58 <DIR> d-------- c:\program files\SmartDraw 2009
2008-12-05 08:33 . 2008-12-05 08:33 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-05 08:33 . 2008-12-05 08:33 1,409 --a------ c:\windows\QTFont.for
2008-12-05 08:16 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-02 20:29 . 2008-12-02 20:29 <DIR> d-------- c:\documents and settings\Yqusta\Application Data\Red Alert 3 Demo
2008-12-02 20:20 . 2008-12-02 20:20 <DIR> d-------- c:\windows\Logs
2008-12-02 20:20 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-12-02 20:20 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-12-02 20:20 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-23 00:34 . 2008-12-18 23:12 <DIR> d-------- c:\program files\GRIB.US
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 20:36 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-19 23:47 --------- d-----w c:\documents and settings\Yqusta\Application Data\Sonic
2008-12-18 23:11 --------- d-----w c:\program files\QuickTime
2008-12-18 23:11 --------- d-----w c:\program files\Paint.NET
2008-12-15 23:44 --------- d-----w c:\program files\SpywareBlaster
2008-12-02 20:20 --------- d-----w c:\program files\Electronic Arts
2008-10-27 07:54 4,667,306 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 19:54 155,995 ----a-w c:\windows\Java\Packages\FB5Z77D3.ZIP
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2007-11-12 00:34 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-10-28 00:25 1 ----a-w c:\documents and settings\Dogg1\SI.bin
2005-07-27 15:59 284 ----a-w c:\documents and settings\Dogg1\Application Data\ViewerApp.dat
2008-09-05 18:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-15 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 429568]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-05-15 54576]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Slim Multimedia Keyboard.lnk - c:\program files\Slim Multimedia Keyboard\MagicKey.exe [2007-01-07 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2008-04-28 15544]
R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2007-12-22 11264]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2007-01-07 11886]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 Asushwio;Asushwio;\??\c:\windows\system32\drivers\Asushwio.sys [2007-01-07 5824]
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {797EDC49-81E3-45DA-B625-6DCE16FA63F8} = 212.104.130.9,212.104.130.65
TCP: {DD011539-FD3B-44D7-894F-380CA7EF2819} = 212.104.130.9,212.104.130.65
O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
c:\windows\Downloaded Program Files\hcImpl.inf
O16 -: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://www.download.five.tv/Download/five_3_4_0_8.cab
c:\windows\Downloaded Program Files\MediaSphere.inf
O16 -: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://www.download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
c:\windows\Downloaded Program Files\MediaSphere.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 18:55:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxmhxtoeqh.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-21 18:56:45
ComboFix-quarantined-files.txt 2008-12-21 18:56:05

Pre-Run: 78,346,137,600 bytes free
Post-Run: 78,336,360,448 bytes free

158 --- E O F --- 2008-12-20 09:43:02

Thanks
YQUSTA
Staff TeMerc Posted December 22, 2008
Seeing as that removed some, can I please get a fresh HJT log, thanks.
YQUSTA Posted December 22, 2008 (Author)
Hi Tom, here's the new HJT log.
YQUSTA
Staff TeMerc Posted December 22, 2008
Your HijackThis log appears clear of any malware. Is the machine running OK now? Any more odd or unwanted symptoms? Please let me know, thanks.
liljoe2276 Posted December 23, 2008
I was unable to get on the network and it was unable to repair because of something about IP. So I manually put in an IP address and restarted, then the DNS comes up messed up again. Every time I try and get rid of it the thing comes back. It will look clean until something is done with the net.
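A check a practitioner would run on a log like the ones in this thread, as an added example and not code from the thread or from HijackThis itself: parse the O17 (NameServer) entries, split the resolver list on the comma or semicolon HijackThis shows, and flag any resolver outside an allowlist, across every control set the log lists and not only CCS. The sample log lines, the GUID and the addresses (192.0.2.x standing in for the ISP's resolvers, 198.51.100.x for rogue ones) are constructed placeholders.

```python
"""Audit HijackThis-style O17 (NameServer) entries for unexpected DNS resolvers."""
import re
from ipaddress import ip_address

# Constructed sample log, not taken from the thread. 192.0.2.x stands in for the
# ISP's real resolvers, 198.51.100.x for the rogue servers a DNS changer plants.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AAAA1111-0000-0000-0000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 198.51.100.7;198.51.100.8
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{AAAA1111-0000-0000-0000-000000000001}: NameServer = 198.51.100.7;198.51.100.8
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = not-an-ip
O23 - Service: Example Service - Unknown owner - C:\\example\\svc.exe
"""

# Placeholder allowlist: replace with the resolvers the ISP or network actually hands out.
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Matches both per-interface keys (Tcpip\..\{GUID}) and the global Tcpip\Parameters key,
# under the current control set (CCS) or any numbered one (CS1, CS2, ...).
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\.+?): "
    r"NameServer = (?P<servers>.+?)\s*$"
)


def parse_o17(line):
    """Return {'key', 'control_set', 'servers'} for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HijackThis shows multiple resolvers separated by ',' or ';' depending on
    # how the registry value was written; accept both.
    servers = [s.strip() for s in re.split(r"[,;]", m.group("servers")) if s.strip()]
    return {"key": m.group("key"), "control_set": m.group("cs"), "servers": servers}


def audit_hjt_log(text, trusted=TRUSTED_RESOLVERS):
    """Flag every O17 entry whose resolvers are not all in the trusted set.

    Entries under CS1/CS2/... (other control sets) are flagged as well: a clean
    CurrentControlSet alone does not mean the rogue value is gone everywhere.
    """
    findings = []
    for line in text.splitlines():
        entry = parse_o17(line)
        if entry is None:
            continue
        rogue, malformed = [], []
        for s in entry["servers"]:
            try:
                ip_address(s)
            except ValueError:
                malformed.append(s)  # not even an IP address: worth a look
                continue
            if s not in trusted:
                rogue.append(s)
        if rogue or malformed:
            findings.append({
                "control_set": entry["control_set"],
                "key": entry["key"],
                "rogue": rogue,
                "malformed": malformed,
            })
    return findings


def summarize(findings):
    """Count findings per control set; CCS is what the running system uses now."""
    counts = {}
    for f in findings:
        counts[f["control_set"]] = counts.get(f["control_set"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_hjt_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f['control_set']}] {f['key']}: rogue={f['rogue']} malformed={f['malformed']}")
    print(summarize(results))
```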
Staff TeMerc Posted December 23, 2008
liljoe, are you YQUSTA?
YQUSTA Posted December 23, 2008 (Author)
Hi Tom, after testing for a while now, no problems found. Thank you very much for all your help.
Regards, YQUSTA
Staff TeMerc Posted December 24, 2008
That's great news YQUSTA. Guess it's time we cleaned up some of the tools we used, and then our recommendations to remain malware free.

Time to uninstall ComboFix. It is not a tool for everyday use, and it should never be used without specific instructions by a trained analyst. Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /, then hit Enter. This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Be sure your Java is up to date; many infections use exploits of unpatched systems. Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs. Search in the list for all previously installed versions of Java (J2SE Runtime Environment.... ). Select it and click Remove. Then download and install the newest version from here.

Now that you have regained control of your machine, let's keep it clean. The apps listed below are the ones we recommend. They will help prevent further infections and can be trusted to work well on all systems.

SpywareBlaster will prevent known ActiveX installs by setting killbits in the registry. With SpywareBlaster, just DL, check for updates, enable all protection and you're done.

And either of the two following hosts file databases will keep an even stronger layer of defense: MVPS Hosts File, hpHosts. The latter contains more sites, as they tend to include domains\IPs which are involved in even the slightest way with malware distribution or sites involved in any other sort of salacious activities. Basically, lay with dogs, get fleas type of thing. To manage your hosts file we recommend using HostsXpert. With this tool, you can download the latest updates, merge them with another hosts file, edit entries and much more. It's freeware and works very well on all systems.

And to prevent unknown applications from being installed on your machine, install WinPatrol 2008 v15. WinPatrol is also great at controlling which applications start with Windows. It's even got a nifty 'delay' feature.

Another thing I would suggest is to install SiteAdvisor or SiteHound. Each provides similar protection, though SiteAdvisor also rates sites on business practices and spam. SiteHound will offer some content advice as well as security alerts on known rogue sites.

Confused about which apps are good or not? Read about anti-spyware apps pretending to be just that, but which are in fact apps which will infect you. For the latest software rated as such, check out this page.

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here: Calendar of Updates.

Happy surfing!!
Tom