How can I tell if my DNS has been hijacked by malware?


15 replies to this topic

#1 Sgt. Brutalisk


Posted 28 April 2009 - 07:56 PM

Hi, I had an infection of my PC with trojans and viruses, and I took it to the place where I bought it; it got fixed (read: Windows reinstalled), but some sites and downloads refuse to work at all. It may not seem like a big deal, but I would like to deal with this properly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:08 AM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
O17 - HKLM\System\CS2\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
O17 - HKLM\System\CS3\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3523 bytes

Edited by Sgt. Brutalisk, 28 April 2009 - 08:02 PM.


#2 Farbar


Posted 29 April 2009 - 05:36 AM

Hi Sgt. Brutalisk,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your DNS is indeed hijacked by a DNS-changer trojan.
  • Please open HijackThis and choose 'Do a system scan only'. Check the boxes next to ONLY the entries listed below (if present):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
    O17 - HKLM\System\CS2\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
    O17 - HKLM\System\CS3\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • In case you lose your internet connection, make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot.
  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went and if you lost connection.
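The O17 entries Farbar picks out above are the whole diagnosis: NameServer values pointing at resolvers the machine should never use, written under all three control sets. As an added example (not code from this thread, from HijackThis or from Malwarebytes), the Python script below parses the O17 lines out of a saved HijackThis log and flags every resolver address that is not on an allowlist of the resolvers the machine is expected to use. The sample log is the thread's own O17 lines plus one constructed benign entry; the allowlist networks (192.168.0.0/16 and 10.0.0.0/8) are assumptions standing in for your own LAN and ISP resolvers.

```python
import ipaddress
import re

# Constructed sample: the three O17 entries from the first HijackThis log in this
# thread, one unrelated O4 line, and one constructed benign O17 entry that names
# a LAN resolver (192.168.1.1) so the allowlist has something to accept.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
O17 - HKLM\System\CS2\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
O17 - HKLM\System\CS3\Services\Tcpip\..\{28B24C75-0767-48F3-967F-BCA4BD11BACC}: NameServer = 85.255.112.191,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumed allowlist: the networks the machine's legitimate resolvers live in
# (home router on the LAN, ISP resolvers). Replace with your own values.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# HijackThis O17 line shape:
#   O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\<subkey>: <setting> = <value>
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<subkey>[^:]+): "
    r"(?P<name>\w+) = (?P<value>.+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: control set, subkey, setting name, values."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # NameServer lists are comma or space separated
        values = [v for v in re.split(r"[,\s]+", m.group("value")) if v]
        entries.append({
            "control_set": m.group("cs"),
            "subkey": m.group("subkey"),
            "name": m.group("name"),
            "values": values,
        })
    return entries


def is_expected_resolver(addr, allowed):
    """True if addr parses as an IP address inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not even an IP address: treat as suspicious
    return any(ip in net for net in allowed)


def find_rogue_resolvers(log_text, allowed=EXPECTED_RESOLVERS):
    """Map each control set to the sorted resolver addresses it names that are
    not on the allowlist. An empty dict means no unexpected DNS servers."""
    rogue = {}
    for entry in parse_o17(log_text):
        if entry["name"] not in ("NameServer", "DhcpNameServer"):
            continue
        for addr in entry["values"]:
            if not is_expected_resolver(addr, allowed):
                rogue.setdefault(entry["control_set"], set()).add(addr)
    return {cs: sorted(addrs) for cs, addrs in sorted(rogue.items())}


if __name__ == "__main__":
    report = find_rogue_resolvers(SAMPLE_HJT_LOG)
    if not report:
        print("no unexpected DNS servers in O17 entries")
    for cs, addrs in report.items():
        print(f"{cs}: unexpected DNS servers {', '.join(addrs)}")
```

Pointing it at a saved log gives the list of addresses to clear (with HijackThis, as described above) and to compare against what the router and ISP actually hand out. Because HijackThis reports each control set separately, a hit under CS2 and CS3 as well as CCS tells you the rogue values are also in the spare control sets, which is why the fix has to cover all three entries.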


#3 Sgt. Brutalisk


Posted 29 April 2009 - 08:35 AM

Step 1... done
Step 2... done
Step 3... done (although, when I rebooted, while Windows was loading, there was a black screen with options, similar to one you get if you press F8 right then - it appeared only briefly, so that I couldn't see what it said, and continued with boot-up as always, just wanted to mention the fact that it happened)
Step 4... done

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:20 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3269 bytes


ComboFix 09-04-28.03 - MM 04/29/2009 14:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.272 [GMT 2:00]
Running from: c:\documents and settings\MM\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-27 04:48 . 2009-04-27 04:48 -------- d-----w c:\program files\GameTop.com
2009-04-25 16:10 . 2009-04-25 16:32 -------- d-----w c:\program files\Jishop
2009-04-25 03:26 . 2009-04-25 03:26 -------- d-----w c:\program files\QuickTime
2009-04-25 03:25 . 2009-04-25 03:25 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-25 03:25 . 2009-04-25 03:25 -------- d-----w c:\documents and settings\MM\Local Settings\Application Data\Apple
2009-04-25 03:25 . 2009-04-25 03:25 -------- d-----w c:\program files\Apple Software Update
2009-04-25 03:25 . 2009-04-25 03:25 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-25 03:24 . 2009-04-25 03:24 -------- d-----w c:\documents and settings\MM\Local Settings\Application Data\Apple Computer
2009-04-24 21:39 . 2009-04-24 21:39 -------- d-----w c:\documents and settings\MM\Application Data\Elladive3
2009-04-24 15:27 . 2009-04-24 15:27 -------- d-----w c:\documents and settings\MM\Application Data\Ubisoft
2009-04-23 19:55 . 2009-04-24 15:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-23 19:53 . 2009-04-23 19:55 -------- d-----w c:\program files\CSI - NY - The Game
2009-04-23 19:17 . 2009-04-23 19:17 -------- d-----w c:\program files\bfgclient
2009-04-23 19:15 . 2009-04-24 15:43 -------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-23 18:33 . 2009-02-24 16:42 116736 ----a-w c:\windows\system32\drivers\mcdbus.sys
2009-04-23 18:33 . 2009-04-23 18:33 -------- d-----w c:\program files\MagicDisc
2009-04-14 11:44 . 2009-04-14 11:44 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-02 23:49 . 2009-04-02 23:49 -------- d-----w c:\program files\Zone Labs
2009-03-31 17:22 . 2009-03-31 17:28 -------- d-----w c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 12:22 . 2009-04-02 23:50 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-04-22 02:56 . 2009-04-22 10:53 1641472 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-04-21 03:13 . 2009-04-21 09:59 184320 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-21 03:13 . 2009-04-21 09:59 1661440 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-04-17 12:33 . 2009-04-17 12:33 98816 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_17_13_23_38_small.dmp.zip
2009-04-17 11:23 . 2009-04-17 12:34 21504 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-17 09:27 . 2009-04-17 09:48 1634816 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-17 09:27 . 2009-04-17 09:48 521216 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-04-08 05:33 . 2009-03-19 09:21 -------- d-----w c:\program files\Java
2009-03-24 21:16 . 2009-03-24 21:16 -------- d-----w c:\program files\Cucusoft
2009-03-24 19:36 . 2009-03-24 19:36 -------- d-----w c:\program files\Samsung
2009-03-24 19:36 . 2009-03-17 09:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 03:47 . 2009-03-22 03:47 -------- d-----w c:\program files\CCleaner
2009-03-21 13:36 . 2009-03-21 13:36 -------- d-----w c:\program files\Trend Micro
2009-03-19 00:52 . 2009-03-19 00:51 -------- d-----w c:\program files\VDMSound
2009-03-18 19:54 . 2009-03-18 19:54 -------- d-----w c:\program files\uTorrent
2009-03-18 19:50 . 2009-03-18 19:50 -------- d-----w c:\program files\GRETECH
2009-03-18 10:03 . 2009-03-17 09:45 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-17 20:33 . 2009-03-17 20:32 -------- d-----w c:\program files\Windows Live Messenger Khalid Edition v5.1
2009-03-17 19:20 . 2009-03-17 19:20 -------- d-----w c:\program files\Windows Live
2009-03-17 19:08 . 2009-03-17 09:53 42168 ----a-w c:\documents and settings\MM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-17 11:29 . 2009-03-17 11:29 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-17 11:29 . 2009-03-17 11:29 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-17 11:29 . 2009-03-17 11:29 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-17 10:34 . 2009-03-17 10:34 -------- d-----w c:\program files\AVG
2009-03-17 10:27 . 2009-03-17 10:27 0 ----a-w c:\windows\nsreg.dat
2009-03-17 10:27 . 2009-03-17 10:25 -------- d-----w c:\program files\Winamp
2009-03-17 10:24 . 2009-03-17 10:23 -------- d-----w c:\program files\Ahead
2009-03-17 10:23 . 2009-03-17 10:23 -------- d-----w c:\program files\Common Files\Ahead
2009-03-17 10:21 . 2009-03-17 10:21 -------- d-----w c:\program files\CDex_140b9
2009-03-17 10:21 . 2009-03-17 10:21 -------- d-----w c:\program files\Foxit Software
2009-03-17 10:21 . 2009-03-17 10:20 -------- d-----w c:\program files\Common Files\ACD Systems
2009-03-17 10:20 . 2009-03-17 10:20 -------- d-----w c:\program files\ACD Systems
2009-03-17 10:16 . 2009-03-17 10:16 -------- d-----w c:\program files\CyberLink
2009-03-17 10:15 . 2009-03-17 10:15 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-17 10:08 . 2009-03-17 10:08 -------- d-----w c:\program files\Microsoft.NET
2009-03-17 10:07 . 2009-03-17 10:07 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-17 10:02 . 2009-03-17 10:02 -------- d-----w c:\program files\CONEXANT
2009-03-17 09:58 . 2009-03-17 09:58 -------- d-----w c:\program files\Analog Devices
2009-03-17 09:57 . 2009-03-17 09:57 -------- d-----w c:\program files\Intel
2009-03-17 09:56 . 2009-03-17 09:56 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-17 09:47 . 2009-03-17 09:47 -------- d-----w c:\program files\microsoft frontpage
2009-03-17 09:46 . 2001-08-22 20:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-17 09:42 . 2009-03-17 09:42 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-09 03:19 . 2009-03-19 09:22 410984 ----a-w c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-17 1601304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-14 755472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-03-20 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-17 11:29 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^MM^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\MM\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live Messenger Khalid Edition v5.1\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\MM\\Local Settings\\Application Data\\Chat Republic Games\\Superstar Racing\\ChatRepublicPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\MM\\My Documents\\USER\\My Documents\\Downloads\\Myth II - Soulblighter\\Myth II.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48260:TCP"= 48260:TCP:utorrent

R3 SetupNTGLM7X;SetupNTGLM7X; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-17 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-17 107272]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-17 298264]

.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\MM\Application Data\Mozilla\Firefox\Profiles\4iobzaih.default\
FF - component: c:\documents and settings\MM\Application Data\Mozilla\Firefox\Profiles\4iobzaih.default\extensions\{2bae58c2-79f9-45d1-a286-81f911301c3a}\components\FFExternalAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-29 14:53
ComboFix-quarantined-files.txt 2009-04-29 12:53

Pre-Run: 4,336,463,872 bytes free
Post-Run: 4,373,381,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

158


ComboFix found one file to be infected, and I didn't lose connection, except for a moment after I had set 'Obtain DNS server automatically'.
I still can't make my AVG auto-update, but I manage to do it manually; also ZoneAlarm Pro keeps trying to update, and when I allow it to do so, it points to a blank page (the link seems to be broken), but I can live with that.
What worries me the most is that, since ZAP logs 'access attempts', yesterday it counted 2 and today it's 3. Perhaps it's just that ZAP is thorough in its job - that is why I use it. Though I'm very pleased we fixed this DNS problem. So am I in the clear?

#4 Farbar


Posted 29 April 2009 - 09:03 AM

Well done and thanks for the detailed feedback. :thumbup2:

while Windows was loading, there was a black screen with options, similar to one you get if you press F8 right then - it appeared only briefly

This is a result of installing the Recovery Console. It gave you an extra option like Safe Mode to recover if Windows is not able to boot. You will see that briefly (3 seconds) every time you start the computer. You can make the time shorter (like one second) if you want.

++++++++++

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

+++++++++++++
Removal Instructions

We have taken those DNS servers out, but we have still some work to do to make sure you are totally clean.

Please download Malwarebytes' Anti-Malware from MajorGeeks
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#5 Sgt. Brutalisk


Posted 29 April 2009 - 09:32 AM

Downloaded it, installed it, but I can't update it. The error is:

Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the Internet.

I have set its privileges in Zone Alarm to be 'Super' (unrestricted access to my system), and allowed it to act as both a client and a server for both the 'Internet' and 'Trusted' zones. And it still won't update. I must say that some of the programs (Java, Firefox) on my PC update with no problem, and some will just refuse to update.
The database version says '4/6/2009'. Do I go ahead with the scans?

Edited by Sgt. Brutalisk, 29 April 2009 - 09:37 AM.


#6 Farbar


Posted 29 April 2009 - 11:12 AM

I suspected there is still something there preventing the security programs from updating.

The database version says '4/6/2009'. Do I go ahead with the scans?


Please go ahead and post the log.

#7 Sgt. Brutalisk


Posted 29 April 2009 - 10:00 PM

Very well.
Scan is completed.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/30/2009 4:35:02 AM
mbam-log-2009-04-30 (04-35-02).txt

Scan type: Quick Scan
Objects scanned: 61542
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After deletion of the above values, I was prompted to reboot, which I did. I also did another scan, and certain values have reappeared in the registry. I've deleted them once again, again rebooted, and they are still present.
Results of the 2nd scan:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/30/2009 4:48:38 AM
mbam-log-2009-04-30 (04-48-38).txt

Scan type: Quick Scan
Objects scanned: 61708
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 30 April 2009 - 02:29 PM

  • Please update MBAM manually. To do that, download mbam-rules.exe.
    Double-click mbam-rules.exe to run it.
    Then run MBAM, let it remove what it finds, reboot if needed and post the log.

  • After reboot, please copy and paste a fresh Hijackthis log to your reply.


#9 Sgt. Brutalisk

  • Topic Starter
  • Members

Posted 30 April 2009 - 09:32 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/1/2009 4:22:33 AM
mbam-log-2009-05-01 (04-22-33).txt

Scan type: Quick Scan
Objects scanned: 68693
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{28b24c75-0767-48f3-967f-bca4bd11bacc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:58 AM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3358 bytes

#10 Sgt. Brutalisk

  • Topic Starter
  • Members

Posted 30 April 2009 - 10:29 PM

I think I found out what is going on.
I suspected from the start my router (Huawei MT882) could be the cause of this.
But what to look for in its settings?
I've noticed that values mention 'DHCP'.
So I open my router's settings page and under the 'Basic' tab I find 'DHCP' and the settings read:

DHCP Settings
DHCP: Server*
Client IP Pool Starting Address: 192.168.1.2
Size of Client IP Pool: 64
Primary DNS Server: 85.255.112.191
Secondary DNS Server: 85.255.112.181
Remote DHCP Server: N/A
DHCP Lease Time: 3 Days 0 Hours 0 Min
DHCP Table
Host Name: home-4b02ef7adf
IP Address: 192.168.1.2
MAC Address: 00-08-74-A9-DE-1E

* Values can be 'Server', 'None' and 'Relay'

Why is it that offending values keep reappearing? Could it be that's because there are two copies of these settings - one in the registry and the other in the router - and if I delete the registry ones, the router will replace them with its own? What do you think about this?
I won't take any action until you give your permission to do so.

Edited by Sgt. Brutalisk, 30 April 2009 - 10:39 PM.


#11 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 01 May 2009 - 01:40 AM

Great job Sgt. Brutalisk.
The router seems to be hijacked by the trojan DNS-changer. See this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what is the default password of your router and how you can connect to the internet after resetting the router to its factory default. You can print out the instructions for later reference: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • Now follow the steps you have already figured out in step 1 to use the default password, get connected and then set a strong password.

  • Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard.
    If after this you cannot connect, proceed with the following.

  • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP) under General tab:
    • Check Obtain an IP address automatically and Obtain DNS server address automatically.
    • Click OK twice to save the settings.
  • Go to Start > Run and type in cmd
    A command window pops up. Type in the command window the following line and press Enter (note that there is a space between config and /):

    ipconfig /flushdns

    Now reboot your computer.
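The check behind this whole thread, and behind the suspicion in post #10 that the router's DHCP server is re-handing out the rogue resolvers after every registry clean-up, is "which DNS servers did DHCP actually give this machine, and who handed them out?". The script below is an added example and is not code from the thread, from Malwarebytes or from HijackThis. It parses `ipconfig /all` output (the sample text is constructed to mirror the machine described in the thread, with the host name and MAC from post #10 and the two resolver addresses from the Malwarebytes log) and reports any resolver that is not in an allow-list of the resolvers you expect, flagging separately the case where a private-address DHCP server such as a home router is handing out public DNS servers, which is exactly the router-hijack pattern seen here. The expected-resolver set `{"192.168.1.1"}` is a placeholder; substitute whatever your ISP or router legitimately assigns.

```python
"""Spot rogue DNS servers in `ipconfig /all` output (added example, not from the thread)."""
import ipaddress
import re

# Rogue resolvers reported in the thread's Malwarebytes log (Trojan.DNSChanger).
KNOWN_ROGUE = {"85.255.112.191", "85.255.112.181"}

# Constructed sample of Windows XP `ipconfig /all` output; host name and MAC come
# from the thread, the DNS servers are the hijacked values from the MBAM log.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : home-4b02ef7adf
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic PCI Fast Ethernet NIC (constructed)
        Physical Address. . . . . . . . . : 00-08-74-A9-DE-1E
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.191
                                            85.255.112.181
        Lease Obtained. . . . . . . . . . : Friday, May 01, 2009 4:00:00 AM
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Adapter headers start in column 0 and end with a colon, e.g. "Ethernet adapter X:".
ADAPTER_HDR = re.compile(r"^(\S.*):\s*$")
# Field lines look like "DNS Servers . . . . : value"; require the dotted leader so
# that a bare continuation value is never mistaken for a field name.
FIELD = re.compile(r"^([A-Za-z][A-Za-z\- ]*?)\.?(?:\s*\.)+\s*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {dhcp_enabled, dhcp_server, gateway, dns[]}} (IPv4 only)."""
    adapters, current, last_field = {}, None, None
    for raw in text.splitlines():
        hdr = ADAPTER_HDR.match(raw)
        if hdr:
            name = hdr.group(1)
            if "adapter" in name.lower():
                current = name
                adapters[current] = {"dhcp_enabled": False, "dhcp_server": None,
                                     "gateway": None, "dns": []}
            else:
                current = None  # the global "Windows IP Configuration" block
            last_field = None
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        m = FIELD.match(line)
        if m:
            last_field, value = m.group(1).strip().lower(), m.group(2).strip()
        else:
            value = line  # continuation line of a multi-valued field such as DNS Servers
        info = adapters[current]
        if last_field == "dhcp enabled":
            info["dhcp_enabled"] = value.lower().startswith("yes")
        elif last_field == "dhcp server":
            info["dhcp_server"] = value or None
        elif last_field == "default gateway":
            info["gateway"] = value or info["gateway"]
        elif last_field == "dns servers":
            info["dns"].extend(IPV4.findall(value))
    return adapters


def assess(adapters, expected_dns, known_rogue=KNOWN_ROGUE):
    """One finding per adapter whose resolvers are not all in expected_dns."""
    findings = []
    for name, info in adapters.items():
        rogue = [d for d in info["dns"] if d in known_rogue]
        unexpected = [d for d in info["dns"] if d not in expected_dns and d not in known_rogue]
        if not (rogue or unexpected):
            continue
        gw_private = bool(info["gateway"]) and ipaddress.ip_address(info["gateway"]).is_private
        public_dns = [d for d in info["dns"] if not ipaddress.ip_address(d).is_private]
        findings.append({
            "adapter": name,
            "dhcp_source": info["dhcp_server"],
            "known_rogue": rogue,
            "unexpected": unexpected,
            # True when a LAN router's DHCP is the thing handing out off-LAN resolvers:
            # cleaning the registry alone will not stick, check the router's DHCP page.
            "public_dns_via_dhcp": bool(info["dhcp_enabled"] and gw_private and public_dns),
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_ipconfig(SAMPLE_IPCONFIG), expected_dns={"192.168.1.1"}):
        print(f)
```

On a live machine pipe `ipconfig /all` into the script instead of using the constructed sample; a finding with `public_dns_via_dhcp` set points at the DHCP server (the router) as the place to fix, which is why resetting and re-securing the router, rather than deleting registry values, is the step that finally stuck in this thread.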


#12 Sgt. Brutalisk

  • Topic Starter
  • Members

Posted 01 May 2009 - 12:31 PM

I have reset my router three times total. In all cases, after the reset, when I tried to access its settings, there would be a one-time prompt for a username and password besides the optional one for the default admin account. The first two times, I wasn't quite sure what I was supposed to enter in these fields, and in both of those cases, I didn't have a connection. And now what?
So, in this moment of utter despair I had only one last hope.
I called ISP's Customer Service. And, actually, they gave me a useful reply: "You're supposed to enter the information you chose when you signed the contract with us as your ISP. This is on your monthly bill as well". So, let's try it...
I reset my router for one last time, open its web configurator, and enter the information. And it works! In hindsight, I must say that if one doesn't have any experience with doing this, it certainly seems pretty intimidating.
Malwarebytes' Anti-Malware now updates on its own, and in fact, all security programs do.
I've picked a strong password for the router, flushed the DNS cache as you instructed me to do, and rebooted.
I consider that we have completely dealt with this and erased all traces of malware from my computer.
Thank you very much, farbar!

#13 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 01 May 2009 - 02:03 PM

You did an excellent job Sgt. Brutalisk and you are most welcome.

You are indeed good to go now.

Go to Start > Run and copy and paste or type the next command in the field, then hit Enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

The first reboot might be a little slow, the next one will be faster.

Happy surfing!

#14 Sgt. Brutalisk

  • Topic Starter
  • Members

Posted 05 May 2009 - 10:45 AM

I will do that, but I have noticed something that's very disturbing - ZAP blocked 200+ access attempts over the last few days from the same IP that we have seen, even after we've fixed matters. In all cases, it involves svchost.exe being blocked from accepting a connection from the Ukraine. Should I be worried? Maybe I ought to make a different topic.

#15 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 05 May 2009 - 11:17 AM

The access attempts whether random or directed as in this case should not worry you as long as they can't get to the system. There are usually many random access attempts prevented by the firewall we are not aware of.
Usually when you are behind the router, and the router is password protected (with a strong password), they should not get to the system as long as there is no malware file on the system and there are no open ports. The only open port on the system was made to let the utorrent connection go through: "48260:TCP"= 48260:TCP:utorrent If you keep utorrent closed for a while and don't open any port it is even better.
The firewall you have on the computer is the second line of defense, controlling inbound and outbound internet traffic.
It is also natural that you are vigilant, and you should be for a while. But after some time let the firewall do its job and forget it.

svchost.exe located at C:\Windows\System32 is a legit important system file. It can host and initiate services.

Do you have any other question?



