
Very annoying trojan. Please help.

Discussion in 'Virus & Other Malware Removal' started by Greyfox--, Oct 11, 2008.

  1. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    First of all, I have just signed up as this seemed a good place to get help with my problem, but I also look forward to contributing to this, by the looks of it, great site.

    Now to the problem. I have somehow got infected with the trojan 'Zlob.DNSChanger'.

    It keeps causing sites to get redirected. E.g. when trying to get onto the Microsoft Update website I get redirected to a completely irrelevant site. Ran scans with Malwarebytes Pro, Spybot S&D, and NOD32. Malwarebytes detects 4 trojan DNS infected files and it says it has deleted them, but whenever I run a new scan they come up again. NOD32 doesn't detect these files, but Spybot S&D detects 'Zlob.DNSChanger' and says it has removed it, but once again after reboot it's back again.

    Any ideas how to get rid of this?

    Help greatly appreciated.

    EDIT: Added to this, I have also run SmitfraudFix and ComboFix and they haven't helped fix the problem either.
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    Run the tools first and then post all the logs with a HijackThis log!

    Download HijackThis from the link below. Please do this. Click here:

    http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?hhTest=1

    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in HijackThis
    as most of the files are legitimate.

    Please download SmitfraudFix (by S!Ri).
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    You should print out these instructions, or copy them to a NotePad file for
    reading while in Safe Mode, because you will not be able to connect to the
    Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the
      Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and
    double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter"
    to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the
    registry?"; answer "Yes" by typing Y and press "Enter" in order to
    remove the Desktop background and clean registry keys associated with the
    infection.

    The tool will now check if wininet.dll is infected. You may be
    prompted to replace the infected file (if found); answer "Yes" by typing
    Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process;
    please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at
    C:\rapport.txt

    Warning: running option #2 on a non-infected computer
    will remove your Desktop background.

    Please download FixWareout from one of these sites:


    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe


    Save it to your desktop and run it. Click Next, then Install, then make sure
    "Run fixit" is checked and click Finish. The fix will begin; follow the
    prompts. You will be asked to reboot your computer; please do so. Your
    system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, Hijack This will
    launch. Close Hijack This, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post the contents of the logfile C:\fixwareout\report.txt,
    along with a new Hijack This log.

    ==================================
    If you get an Autoexec nt error do the following

    XP Fix - http://www.visualtour.com/downloads/

    Scroll down to get XP Fix

    And run FixWareout again.


    * Click here to download ATF Cleaner by Atribune and save it to your
    desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords,
    please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords,
    please click No at the prompt.
    * Click Exit on the Main menu to close the program.




    * Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    * Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    * This will scan the files currently running in memory and when something is
    found,
    click the yes button when it asks you if you want to cure it. This is only a
    short scan.
    * Once the short scan has finished, Click Options > Change settings
    * Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
    * Back at the main window, mark the drives that you want to scan.
    * Select all drives. A red dot shows which drives have been chosen.
    * Click the green arrow at the right, and the scan will start.
    * Click 'Yes to all' if it asks if you want to cure/move the file.
    * When the scan has finished, look if you can click the next icon next to the
    files found.
    * If so, click it and then click the next icon right below and select Move
    incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
    can't be cured. (This is in case we need samples.)
    * After selecting, in the Dr.Web CureIt menu on top, click file and choose
    save report list
    * Save the report to your desktop. The report will be called DrWeb.csv
    * Close Dr.Web Cureit.
    * Reboot your computer!! Because it could be possible that files in use will
    be moved/deleted during reboot.

    Post a new HijackThis log, the Dr.Web scan log, the SmitfraudFix log and the Fixwareout log!
     
  3. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    FIRST HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:05:41, on 13/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NOD32\egui.exe
    F:\Microsoft office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DK\DkService.exe
    C:\Program Files\NOD32\ekrn.exe
    C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
    O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 6526 bytes

    SMIT FRAUD FIX LOG

    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

    AntiXPVSTFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» RK


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{66DDFB55-1287-497E-A988-C81D22DC3513}: DhcpNameServer=85.255.114.67 85.255.112.200
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{66DDFB55-1287-497E-A988-C81D22DC3513}: DhcpNameServer=85.255.114.67 85.255.112.200
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.67 85.255.112.200
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.67 85.255.112.200


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    FIXWAREOUT LOG

    Username "Edward Berrecloth" - 13/10/2008 17:15:44 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{66DDFB55-1287-497E-A988-C81D22DC3513}
    "DhcpNameServer"="85.255.114.67" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "egui"="\"C:\\Program Files\\NOD32\\egui.exe\" /hide /waitservice"
    "CTHelper"="CTHELPER.EXE"
    "SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "GrooveMonitor"="\"F:\\Microsoft office\\Office12\\GrooveMonitor.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
    "iTunesHelper"="\"C:\\Program Files\\Itunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
    "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "SetDefaultMIDI"="MIDIDef.exe"
    "RogueMonitor"="C:\\Program Files\\Rogue remover pro\\Update\\RogueRemover PRO\\RogueRemoverPRO.exe /monitor"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~

    HIJACKTHIS SECOND LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:18:55, on 13/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DK\DkService.exe
    C:\Program Files\NOD32\ekrn.exe
    C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\Program Files\NOD32\egui.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    F:\Microsoft office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Itunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
    O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 5890 bytes


    I stupidly closed Dr.Web cureit after the scan had finished due to forgetting and all i can remember is that 46 viruses were found (sheesh)
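    The DNS lines in the SmitfraudFix and Fixwareout reports above are the ones worth checking on a machine like this: the same two external addresses appear as DhcpNameServer under both CCS and CS1 and on the interface key. As an added example (not code from the thread or from any of the tools it names), the Python script below parses lines in those two report formats and flags every resolver that is neither the home router nor on a trusted list. The 85.255.112.0/20 range, the CLEAN_LINE sample and the trusted-set handling are my assumptions, and the log excerpt is constructed from the values posted above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Excerpt constructed from the SmitfraudFix "DNS" section and the
# Fixwareout "Prerun check" lines posted in the thread (values as posted).
SAMPLE_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{66DDFB55-1287-497E-A988-C81D22DC3513}: DhcpNameServer=85.255.114.67 85.255.112.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{66DDFB55-1287-497E-A988-C81D22DC3513}: DhcpNameServer=85.255.114.67 85.255.112.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.67 85.255.112.200
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.67 85.255.112.200

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{66DDFB55-1287-497E-A988-C81D22DC3513}
"DhcpNameServer"="85.255.114.67" <Value cleared.
"""

# Constructed healthy line (home router as resolver); not from the thread.
CLEAN_LINE = r"HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=192.168.1.1"

# Assumption: the two resolvers in the thread sit in 85.255.112.0/20, a block
# later published widely as DNSChanger rogue-resolver space. Extend as needed.
ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Matches SmitfraudFix 'DhcpNameServer=a b' and Fixwareout '"DhcpNameServer"="a"'.
KEY_RE = re.compile(r'"?(DhcpNameServer|NameServer)"?\s*=\s*(.*)')


@dataclass
class DnsSetting:
    source: str     # registry path the value was read from
    name: str       # DhcpNameServer (set via DHCP) or NameServer (static)
    servers: list   # IPv4 resolvers listed in the value
    cleared: bool   # Fixwareout marks values it wiped with "<Value cleared."


@dataclass
class Finding:
    source: str
    name: str
    server: str
    verdict: str    # "known rogue range" or "unexpected resolver"
    cleared: bool


def parse_dns_settings(text):
    """Extract resolver settings from SmitfraudFix / Fixwareout style output."""
    settings = []
    last_path = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.search(line)
        if m is None:
            # Fixwareout prints the registry path on its own line, before the value.
            if line.upper().startswith(("HKLM", "HKEY_LOCAL_MACHINE")):
                last_path = line
            continue
        # SmitfraudFix puts the path on the same line, in front of the value.
        prefix = line[:m.start()].rstrip(": ")
        value = m.group(2)
        settings.append(DnsSetting(
            source=prefix or last_path,
            name=m.group(1),
            servers=IPV4_RE.findall(value),
            cleared="Value cleared" in value,
        ))
    return settings


def audit_dns_log(text, trusted=frozenset(), rogue_ranges=ROGUE_RANGES):
    """Flag each resolver that is neither private (the home router) nor trusted;
    name the ones that fall inside a known rogue range."""
    findings = []
    for s in parse_dns_settings(text):
        for server in s.servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:        # the regex also matches e.g. 999.1.1.1
                continue
            if server in trusted or ip.is_private:
                continue
            if any(ip in net for net in rogue_ranges):
                verdict = "known rogue range"
            else:
                verdict = "unexpected resolver"
            findings.append(Finding(s.source, s.name, server, verdict, s.cleared))
    return findings


if __name__ == "__main__":
    for f in audit_dns_log(SAMPLE_LOG + CLEAN_LINE):
        state = " (already cleared by tool)" if f.cleared else ""
        print(f"{f.verdict}: {f.name}={f.server}{state}\n    at {f.source}")
```

Because it is an allow-list check, a legitimate public resolver is also reported as "unexpected resolver" until it is added to the trusted set, which is the behaviour you want when the ISP's resolvers are known.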
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Can you post the Fixwareout log and rerun Dr.Web and post its log!
     
  5. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    FIXWAREOUT LOG

    Username "Edward Berrecloth" - 14/10/2008 16:38:01 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{66DDFB55-1287-497E-A988-C81D22DC3513}
    "DhcpNameServer"="85.255.114.67" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "egui"="\"C:\\Program Files\\NOD32\\egui.exe\" /hide /waitservice"
    "CTHelper"="CTHELPER.EXE"
    "SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "GrooveMonitor"="\"F:\\Microsoft office\\Office12\\GrooveMonitor.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
    "iTunesHelper"="\"C:\\Program Files\\Itunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
    "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "SetDefaultMIDI"="MIDIDef.exe"
    "RogueMonitor"="C:\\Program Files\\Rogue remover pro\\Update\\RogueRemover PRO\\RogueRemoverPRO.exe /monitor"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~

    DRWEB CUREIT LOG

    ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Edward Berrecloth\Desktop\ComboFix.exe;Program.PsExec.171;;
    ComboFix.exe;C:\Documents and Settings\Edward Berrecloth\Desktop;Archive contains infected objects;Moved.;
    ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Program Files\Combofix\ComboFix.exe;Program.PsExec.171;;
    ComboFix.exe;C:\Program Files\Combofix;Archive contains infected objects;Moved.;
    AntiXPVSTFix.exe;C:\Program Files\Smitfraudfix\SmitfraudFix;BackDoor.IRC.Dosig.15;Deleted.;
    Process.exe;C:\Program Files\Smitfraudfix\SmitfraudFix;Tool.Prockill;;
    restart.exe;C:\Program Files\Smitfraudfix\SmitfraudFix;Tool.ShutDown.11;;
    Process.exe;C:\SDFix\apps;Tool.Prockill;;
    A0000081.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP1\A0000081.exe;Program.PsExec.171;;
    A0000081.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP1;Archive contains infected objects;Moved.;
    A0000084.exe\SmitfraudFix\AntiXPVSTFix.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2\A0000084.exe;BackDoor.IRC.Dosig.15;;
    A0000084.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2\A0000084.exe;Tool.Prockill;;
    A0000084.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2\A0000084.exe;Tool.ShutDown.11;;
    A0000084.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2;Archive contains infected objects;Moved.;
    A0000108.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2\A0000108.exe;Tool.Prockill;;
    A0000108.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2;Archive contains infected objects;Moved.;
    A0000109.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2\A0000109.exe;Tool.Prockill;;
    A0000109.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2;Archive contains infected objects;Moved.;
    A0000172.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP2;Tool.Prockill;;
    A0000343.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP3\A0000343.exe;Program.PsExec.171;;
    A0000343.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP3;Archive contains infected objects;Moved.;
    A0000344.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP3\A0000344.exe;Program.PsExec.171;;
    A0000344.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP3;Archive contains infected objects;Moved.;
    A0000345.exe;C:\System Volume Information\_restore{53187D46-8F8D-470B-AA3E-499FDD07B539}\RP3;BackDoor.IRC.Dosig.15;Deleted.;
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Do you have a firewall? If not, download and install this one!

    Comodo firewall. Sign up, it's free!

    http://www.personalfirewall.trustix.com/

    Threads on Comodo!

    http://www.wilderssecurity.com/forumdisplay.php?f=31

    Download Superantispyware (SAS):

    http://www.superantispyware.com/supe....html?rid=3132


    Once downloaded and installed, update the definitions
    and then run a full system scan; quarantine what it finds!

    * Double-click SUPERAntiSpyware.exe and use the default settings for
    installation.
    * An icon will be created on your desktop. Double-click that icon to launch
    the program.
    * If asked to update the program definitions, click "Yes". If not, update
    the definitions before scanning by selecting "Check for Updates". (If you
    encounter any problems while downloading the updates, manually download and
    unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all
    others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your
    computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your
    computer.
    * After the scan is complete, a Scan Summary box will appear with
    potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete".
    Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware
    again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log.
    A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    Please download Malwarebytes Anti-Malware and save it to your desktop. Alternate download links:

    http://malwarebytes.gt500.org/mbam-setup.exe

    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    * Make sure you are connected to the Internet.
    * Double-click on Download_mbam-setup.exe to install the application.
    * When the installation begins, follow the prompts and do not make any changes to default settings.
    * When installation has finished, make sure you leave both of these checked:
    o Update Malwarebytes' Anti-Malware
    o Launch Malwarebytes' Anti-Malware
    * Then click Finish.
    * MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    * On the Scanner tab:
    o Make sure the "Perform Quick Scan" option is selected.
    o Then click on the Scan button.
    * If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    * The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    * When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    * Click OK to close the message box and continue with the removal process.
    * Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    * Make sure that everything is checked, and click Remove Selected.
    * When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    * The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    * Copy and paste the contents of that report in your next reply with a new hijackthis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Post another HijackThis log, and the SUPERAntiSpyware and Malwarebytes logs!
     
  7. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    Using Malwarebytes pro

    Malwarebytes' Anti-Malware 1.28
    Database version: 1263
    Windows 5.1.2600 Service Pack 3

    15/10/2008 14:11:19
    mbam-log-2008-10-15 (14-11-19).txt

    Scan type: Quick Scan
    Objects scanned: 47552
    Time elapsed: 11 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Superantispyware log


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/15/2008 at 02:31 PM

    Application Version : 4.21.1004

    Core Rules Database Version : 3555
    Trace Rules Database Version: 1543

    Scan type : Complete Scan
    Total Scan Time : 00:33:26

    Memory items scanned : 385
    Memory threats detected : 0
    Registry items scanned : 6673
    Registry threats detected : 0
    File items scanned : 25275
    File threats detected : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\Edward Berrecloth\Cookies\[email protected][2].txt
    C:\Documents and Settings\Edward Berrecloth\Cookies\[email protected][2].txt
    C:\Documents and Settings\Edward Berrecloth\Cookies\[email protected][1].txt


    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:35:29, on 15/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NOD32\egui.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    F:\Microsoft office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DK\DkService.exe
    C:\Program Files\NOD32\ekrn.exe
    C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Itunes\iTunesHelper.exe
    C:\Program Files\Firefox\firefox.exe
    C:\Program Files\Itunes\iTunes.exe
    C:\Program Files\Hijackthis\124.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan remover\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
    O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 6322 bytes
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Clean log.

    How's the computer running now, any better?




    You should now turn off System Restore to flush out the bad restore points, and then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




    Here are some free tools to keep you from getting infected in the future.


    To stop reinfection, get SpywareBlaster from


    http://www.javacoolsoftware.com/downloads.html


    Get the hosts file from here. Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    Put it into the folder below for your Windows version, or click the mvps .bat file and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    IE-SPYAD. Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.


    http://www.spywarewarrior.com/uiuc/resource.htm




    Use either Arovax or Spyware Terminator; you could try both and see which one you like!


    Arovax shield.

    http://www.arovaxshield.com/


    Spyware Terminator

    http://www.spywareterminator.com/dnl/landing.aspx


    In Spyware Terminator, click Real Time Protection and tick the box to use real time protection, and tick all the boxes except File Exceptions Shield. If you're confident in using its advanced feature, click Advanced and tick the HIPS box.

    If you want to install and uninstall programs it is best to temporarily disable Spyware Terminator and then re-enable it after you have installed or uninstalled a program, as it will create a lot of pop-ups asking you whether you wish this to happen!

    Right-click Spyware Terminator on the bottom right of your status bar and choose Exit. Then tick the box and that is Spyware Terminator disabled!




    I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    You can mark your own thread solved through Thread Tools at the top of the page.
     
  9. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    Thanks for the links, but no matter how many times I delete the DNSChangers, be it through Spybot S&D, SUPERAntiSpyware or Malwarebytes Pro, it ALWAYS comes back.
     
  10. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Where is DNSChanger? Boot to Safe Mode and fix them; also disable your security, as they may be blocking the changes.
     
  11. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Also try this!



    * Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
    * Double-click the Network Connections icon.
    * Right-click the Local Area Connection icon and select Properties.
    * Highlight Internet Protocol (TCP/IP) and click the Properties button.
    * Be sure Obtain DNS server address automatically is selected.
    * OK your way out.
    * Restart your computer.
    * Go to Start > Run and type in cmd. Click OK. Type this line in the command window:

    ipconfig /flushdns

    Hit Enter.
     
  12. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    They are always located in the registry. Here is where they are all found:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer=208.67.220.220.208.67.222.22

    That is an example of where one was found, but they are all found there, or after the 'Parameters' section they are also found in 'Interfaces', e.g.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66DDFB55-1287-497E-A988-C81D22DC3513}\DhcpNameServer=208.67.220..220.208.67.222
     
  13. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    OK, see post 11 and try that! If it doesn't fix it I'll write a reg fix!
     
  14. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Can you tell me what part of the world you are in, is it the US?

    This is the nasty infection which WareOut has fixed.


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.


    Yours here appears to be the original!

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer=208.67.220.220.208.67.222.22
     
  15. Greyfox--

    Greyfox-- Thread Starter

    Joined:
    Oct 11, 2008
    Messages:
    17
    Post 11 doesn't help. I'm in England. For some help (I don't actually know if it will help you or not), here is the latest scan by Malwarebytes Pro and where the DNSChanger is hiding.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.

    I've also manually deleted these too, but they always come back after reboot, as I've said.


    Thanks for all your help.
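Added example, not from any poster in this thread: a small Python triage script that parses MBAM "Registry Data Items Infected" lines like the ones above, splits each key path into its ControlSet and interface GUID, and labels every resolver as rogue (the pair MBAM reported here), trusted (the OpenDNS pair post 12 shows) or unknown. The sample log and both resolver lists are constructed from this thread only; the distinction it draws between DhcpNameServer (written by the DHCP client from the lease) and NameServer (the static local setting) is what decides whether the value can be expected to return after a reboot.

```python
import ipaddress
import re

# Constructed sample: three of the "Registry Data Items Infected" lines posted in this
# thread; the last is rewritten with the OpenDNS pair from post 12 so both verdicts occur.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 208.67.222.222 208.67.220.220 -> Quarantined and deleted successfully.
"""

# Resolver lists seeded only from this thread: the pair MBAM flagged, and the OpenDNS
# pair post 12 shows as the machine's own setting. Extend both from your own environment.
ROGUE_DNS = {ipaddress.ip_address(a) for a in ("85.255.114.67", "85.255.112.200")}
TRUSTED_DNS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}

LINE_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\\S+?\\(?P<value>DhcpNameServer|NameServer))"
    r" \((?P<detection>[^)]*)\) -> Data: (?P<data>.*?) -> (?P<action>.*)$")
CONTROLSET_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\")
GUID_RE = re.compile(r"\\Interfaces\\(\{[0-9A-Fa-f-]+\})\\")


def classify(ip_text):
    """Label one resolver address: rogue, trusted, unknown, or malformed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if addr in ROGUE_DNS:
        return "rogue"
    return "trusted" if addr in TRUSTED_DNS else "unknown"


def parse_mbam_dns_lines(text):
    """Turn MBAM lines about Tcpip DNS values into records; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        cs, guid = CONTROLSET_RE.search(key), GUID_RE.search(key)
        servers = m.group("data").split()
        records.append({
            "control_set": cs.group(1) if cs else None,
            "interface": guid.group(1) if guid else None,  # None: the global Parameters key
            "value": m.group("value"),
            "servers": servers,
            "verdict": {ip: classify(ip) for ip in servers},
        })
    return records


def triage(records):
    """Which ControlSets carry a rogue resolver, and whether DHCP rather than a static setting put it there."""
    rogue = [r for r in records if "rogue" in r["verdict"].values()]
    rogue_sets = sorted({r["control_set"] for r in rogue if r["control_set"]})
    # DhcpNameServer is written by the DHCP client from the lease it receives, so a rogue
    # value there that returns after every reboot points at the DHCP server (usually the
    # router), not at a file on the PC. NameServer, by contrast, is the static local setting.
    dhcp_supplied = any(r["value"] == "DhcpNameServer" for r in rogue)
    return {"rogue_control_sets": rogue_sets, "dhcp_supplied": dhcp_supplied}
```

Run `triage(parse_mbam_dns_lines(SAMPLE_LOG))` to get the per-ControlSet summary; a `dhcp_supplied` result of True is the signal to check what the DHCP server on the network is handing out before deleting the registry value yet again.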
     
Short URL to this thread: https://techguy.org/758137
