trojan.dns

[YQUSTA]

I have run malwarebytes and it found 10 items which I deleted.

I could not update malwarebytes because the dns changer wont let me to malwarebytes website.

after deleting the files I rebooted but I cannot stop the dns from changing to the bogus 1.

I tried to do a ipconfig /dnsflush with no luck either.

Please help as I am now lost.

Thanks

YQUSTA

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:05:23, on 19/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe

C:\Program Files\Slim Multimedia Keyboard\OSD.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://www.download.five.tv/Download/five_3_4_0_8.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://www.download.five.tv/Download/Entri...0_10_Silent.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD011539-FD3B-44D7-894F-380CA7EF2819}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CS1\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS2\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 6423 bytes

[TeMerc]

Hello, I'm Tom, part of Malwarebytes support team and I'll be assisting you today.

At any point if you're unsure of the directions presented to you below, don't hesitate to come back for clarification. It may help if you print them out. Also please remember to subscribe or track this topic for replies so you'll be alerted when I post back continuing instructions.

The symptom of being unable to reach Malwarebytes website may indicate a rootkit, so lets perform the following to check for that rootkit.

Locate if present the following file & delete it:

C:\windows\ntbtlog.txt <<<<this file

Reboot, this way:

• Turn on the computer.
  
• Immediately begin tapping the <F8> key. (Do not go into safe mode)
  
• A menu will appear with several choices to choose from.
  
• From the advanced boot menu choose "enable boot logging" then hit enter.
  

Once the system boots, please post the following log file for my review:

C:\windows\ntbtlog.txt <<<--this one

We'll proceed based on what this .txt file shows me.

[YQUSTA]

HI tom

First off thank you for helping me.

Here is the log requested

Did not load driver Intel Processor

Did not load driver Intel Processor

Did not load driver Radeon X1950 Pro

Did not load driver Radeon X1950 Pro Secondary

Did not load driver Realtek High Definition Audio

Did not load driver Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

Did not load driver Canon iP4300

Did not load driver Texas Instruments OHCI Compliant IEEE 1394 Host Controller

Did not load driver ECP Printer Port

Did not load driver Standard Game Port

Did not load driver Communications Port

Did not load driver Audio Codecs

Did not load driver Legacy Audio Drivers

Did not load driver Media Control Devices

Did not load driver Legacy Video Capture Devices

Did not load driver Video Codecs

Did not load driver WAN Miniport (L2TP)

Did not load driver WAN Miniport (IP)

Did not load driver WAN Miniport (PPPOE)

Did not load driver WAN Miniport (PPTP)

Did not load driver Packet Scheduler Miniport

Did not load driver Packet Scheduler Miniport

Did not load driver Packet Scheduler Miniport

Did not load driver Direct Parallel

Service Pack 312 19 2008 23:31:12.359

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver drvmcdb.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver srescan.sys

Loaded driver speedfan.sys

Loaded driver sbhr.sys

Loaded driver Mup.sys

Loaded driver giveio.sys

Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys

Loaded driver \SystemRoot\system32\DRIVERS\SMBios.sys

Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\Rtenicxp.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\System32\Drivers\kbfilter.SYS

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys

Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\update.sys

Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Loaded driver \SystemRoot\system32\drivers\sscdbhk5.sys

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Asapi.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\system32\drivers\ssrtln.sys

Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \systemroot\system32\drivers\msqpdxmhxtoeqh.sys

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys

Loaded driver \SystemRoot\System32\vsdatant.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\hmonitor.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbprint.sys

Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\system32\drivers\drvnddm.sys

Loaded driver \SystemRoot\system32\dla\tfsndres.sys

Loaded driver \SystemRoot\system32\dla\tfsnifs.sys

Loaded driver \SystemRoot\system32\dla\tfsnopio.sys

Loaded driver \SystemRoot\system32\dla\tfsnpool.sys

Loaded driver \SystemRoot\system32\dla\tfsnboio.sys

Loaded driver \SystemRoot\system32\dla\tfsncofs.sys

Loaded driver \SystemRoot\system32\dla\tfsndrct.sys

Loaded driver \SystemRoot\system32\dla\tfsnudf.sys

Loaded driver \SystemRoot\system32\dla\tfsnudfa.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys

Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Regards

YQUSTA

[TeMerc]

Ok, thanks for doing that. Good news, no rootkit!

Lets run another tool which checks DNS settings and see what it finds.

Before we get going tho, please disable all your 'real time' security software which may interfere with these steps.

Please download SmitfraudFix (by S!Ri). Save it to your desktop.

For Vista users:

Right-click SmitfraudFix.exe, select 'Run as administrator'

Double-click the Smitfraud.exe and it will install a new folder to your desktop, called SmitFraudFix. Shortly after that a dos command window will appear. Once it opens, hit any key to continue.

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.

No need for a new HJT log, just the results from the SmitFraud tool.

[YQUSTA]

Hi Tom here is the text file

SmitFraudFix v2.387

Scan done at 9:49:16.18, 20/12/2008

Run from C:\Documents and Settings\Yqusta\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is

Fix run in normal mode

[TeMerc]

Second part of fix:

Please update and rescan with MBAM.

Then reboot, into safe mode, this way:

Turn on the computer

Immediately begin tapping the F8 key.

Use the arrow keys to highlight Safe Mode and press the Enter key.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the MBAM report and a new HijackThis log.

[YQUSTA]

Have done all points

here are the logs in order

SmitFraudFix v2.387

Scan done at 20:51:20.20, 20/12/2008

Run from C:\Documents and Settings\Yqusta\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is

Fix run in safe mode

[TeMerc]

Ok, thanks for getting that done.

Open HJT and run another scan. Once it's completed the scan, look over the following entries I have listed, place a check in the boxes next to them as displayed(some may not be present due to previous instructions): and press the button. When you are doing this, make sure you have no browser windows open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

Reboot, run another scan with HJT and post the log back into this thread please and advise of any ongoing or new problems as well as providing any info and or logs requested above.

[YQUSTA]

Hi Tom

please find below the HJT log

The DNS address still reverts back to 85.255.114.102 when I change it in the TCP/IP of my lan.

My screen background has changed I have not tried to change it back yet.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:37:09, on 21/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Slim Multimedia Keyboard\OSD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://www.download.five.tv/Download/five_3_4_0_8.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://www.download.five.tv/Download/Entri...0_10_Silent.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BEE56D-E8E6-4227-B82E-25C2616C315F}: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD011539-FD3B-44D7-894F-380CA7EF2819}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

O17 - HKLM\System\CS1\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS2\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.102;85.255.112.83

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5936 bytes

Regards

YQUSTA

[TeMerc]

OK, lets see what's really going on here.

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[YQUSTA]

Hi Tom

As requested

ComboFix 08-12-20.05 - Yqusta 2008-12-21 18:52:42.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1116 [GMT 0:00]

Running from: c:\documents and settings\Yqusta\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dogg1\Local Settings\Temporary Internet Files\search.html

c:\windows\system32\404Fix.exe

c:\windows\system32\drivers\msqpdxmhxtoeqh.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\msqpdxosvdnrsr.dll

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_MSQPDXSERV.SYS

-------\Legacy_MSQPDXSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))

.

2008-12-20 09:49 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe

2008-12-18 23:44 . 2008-12-18 23:44 <DIR> d-------- C:\VundoFix Backups

2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\windows\system32\xircom

2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\windows\system32\Lang

2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\windows\mui

2008-12-18 23:34 . 2008-12-18 23:34 <DIR> d-------- c:\program files\microsoft frontpage

2008-12-18 23:23 . 2008-12-18 23:23 <DIR> d-------- c:\documents and settings\Administrator.YQUSTA-28YGJHXQ\Application Data\Malwarebytes

2008-12-18 23:07 . 2008-12-18 23:07 <DIR> d-------- c:\documents and settings\Administrator.YQUSTA-28YGJHXQ\Application Data\Pmcc

2008-12-15 23:55 . 2008-12-15 23:58 <DIR> d-------- c:\program files\SmartDraw 2009

2008-12-05 08:33 . 2008-12-05 08:33 54,156 --ah----- c:\windows\QTFont.qfn

2008-12-05 08:33 . 2008-12-05 08:33 1,409 --a------ c:\windows\QTFont.for

2008-12-05 08:16 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll

2008-12-02 20:29 . 2008-12-02 20:29 <DIR> d-------- c:\documents and settings\Yqusta\Application Data\Red Alert 3 Demo

2008-12-02 20:20 . 2008-12-02 20:20 <DIR> d-------- c:\windows\Logs

2008-12-02 20:20 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll

2008-12-02 20:20 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll

2008-12-02 20:20 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll

2008-11-23 00:34 . 2008-12-18 23:12 <DIR> d-------- c:\program files\GRIB.US

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-20 20:36 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-12-19 23:47 --------- d-----w c:\documents and settings\Yqusta\Application Data\Sonic

2008-12-18 23:11 --------- d-----w c:\program files\QuickTime

2008-12-18 23:11 --------- d-----w c:\program files\Paint.NET

2008-12-15 23:44 --------- d-----w c:\program files\SpywareBlaster

2008-12-02 20:20 --------- d-----w c:\program files\Electronic Arts

2008-10-27 07:54 4,667,306 ----a-w c:\windows\Internet Logs\tvDebug.zip

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-02 19:54 155,995 ----a-w c:\windows\Java\Packages\FB5Z77D3.ZIP

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2007-11-12 00:34 32 ----a-r c:\documents and settings\All Users\hash.dat

2006-10-28 00:25 1 ----a-w c:\documents and settings\Dogg1\SI.bin

2005-07-27 15:59 284 ----a-w c:\documents and settings\Dogg1\Application Data\ViewerApp.dat

2008-09-05 18:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-15 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 429568]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-05-15 54576]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Slim Multimedia Keyboard.lnk - c:\program files\Slim Multimedia Keyboard\MagicKey.exe [2007-01-07 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2008-04-28 15544]

R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2007-12-22 11264]

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2007-01-07 11886]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

S3 Asushwio;Asushwio;\??\c:\windows\system32\drivers\Asushwio.sys [2007-01-07 5824]

.

Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

TCP: {797EDC49-81E3-45DA-B625-6DCE16FA63F8} = 212.104.130.9,212.104.130.65

TCP: {DD011539-FD3B-44D7-894F-380CA7EF2819} = 212.104.130.9,212.104.130.65

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

c:\windows\Downloaded Program Files\hcImpl.inf

O16 -: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://www.download.five.tv/Download/five_3_4_0_8.cab

c:\windows\Downloaded Program Files\MediaSphere.inf

O16 -: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://www.download.five.tv/Download/Entriq_3_4_0_10_Silent.cab

c:\windows\Downloaded Program Files\MediaSphere.inf

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-21 18:55:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]

"imagepath"="\systemroot\system32\drivers\msqpdxmhxtoeqh.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2008-12-21 18:56:45

ComboFix-quarantined-files.txt 2008-12-21 18:56:05

Pre-Run: 78,346,137,600 bytes free

Post-Run: 78,336,360,448 bytes free

158 --- E O F --- 2008-12-20 09:43:02

Thanks

YQUSTA

[TeMerc]

Seeing as that removed some can I please get a fresh HJT log, thanks.

[YQUSTA]

Hi Tom heres the new HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:20:36, on 22/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Slim Multimedia Keyboard\OSD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://www.download.five.tv/Download/five_3_4_0_8.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://www.download.five.tv/Download/Entri...0_10_Silent.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD011539-FD3B-44D7-894F-380CA7EF2819}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS2\Services\Tcpip\..\{797EDC49-81E3-45DA-B625-6DCE16FA63F8}: NameServer = 212.104.130.9,212.104.130.65

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5900 bytes

YQUSTA

[TeMerc]

Your HijackThis log appears clear of any malware, is the machine running ok now? Any more odd or unwanted symptoms? Please let me know, thanks.

[liljoe2276]

I was unable to get on newtwork and it was unable to repair because somethiing about ip.

So i manualy put an IP address and restart then the DNS comes messed up again. Ever time I time and get rid of it the thing comes back

It will look clean untill something is done with the net.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:03:16, on 12/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\Wireless\Wireless.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080318

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [standardKeyboard] C:\WINDOWS\Wireless\Wireless.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"

O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{30D95782-06D5-4E57-A374-E73D81DC966F}: NameServer = 85.255.114.55;85.255.112.21

O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.114.55;85.255.112.21

O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.114.55;85.255.112.21

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55;85.255.112.21

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: avp - Kaspersky Lab - C:\Downloads\B.C.C\avp.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (file missing)

O23 - Service: Webroot Client Service (WRConsumerService) - Unknown owner - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe (file missing)

--

End of file - 7964 bytes

[TeMerc]

liljoe, are you YOUSTA?

[YQUSTA]

Hi Tom

After testing for a while now no porobles found.

Thank you very much for all your help

Regards

YQUSTA

[TeMerc]

That's great news YQUSTA.

Guess it's time we cleaned up some of the tools we used and then our recommendations to remain malware free.

Time to uninstall ComboFix, it is not a tool for everyday use, and it should never be used without specific instructions by a trained analyst.

Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

Be sure your Java is up to date, many infections use exploits of unpatched systems.

• Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  
• Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  
• Select it and click Remove.
  
• Then Download and install the newest version from here
  

Now that you have regained control of your machine, lets keep it clean. The apps listed below are the ones we recommend. They will help prevent further infections and can be trusted to work well on all systems

SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.

With Spyware Blaster, just DL, check for updates, enable all protection and you're done.

And either of the two following hosts file databases will keep an even stronger layer of defense:

• MVPS Hosts File
  
• hpHosts
  

The latter contains more sites as they tend to include domains\IPs which are involved in even the slightest way with malware distribution or sites involved in any other sort of salacious activities. Basically, lay with dogs, get fleas type of thing.

To manage your hosts file we recommend using HostsXpert. With this tool, you can download the latest updates, merge them with another hosts file, edit entries and much more. It's freeware and works very well on all systems

And to prevent unknown applications from being installed on your machine install WinPatrol 2008 v15. WinPatrol is also great at controlling which applications start with Windows. It's even got a nifty 'delay' feature.

Another thing I would suggest, is to install SiteAdvisor or SiteHound. Each provide similar protection, tho SiteAdvisor also rates sites on business practices and spam. SiteHound will offer some content advice as well as security alerts on known rogue sites.

Confused about which apps are good or not? Read about anti-spyware apps pretending to be just that, but are in fact apps which will infect you. For the latest software rated as such check out the this page.

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:

Calendar of Updates

Happy surfing!!

Tom