DNS redirect malware


  • This topic is locked
2 replies to this topic

#1 lcw132

lcw132

  • Members
  • 4 posts
  • OFFLINE
  • Local time: 10:59 AM

Posted 28 December 2008 - 11:49 AM

The DNS server address is automatically changed to 85.255.112.115, wreaking havoc on my updates and redirecting me to a variety of websites. Thank you for your help.

DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 11:42:12.99 on Sun 12/28/2008
Internet Explorer: 6.0.2600.0000
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.254.65 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: System=kdzoz.exe
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {A94D6FAA-DD5E-491F-8748-43C78205BC64} = 85.255.112.115;85.255.112.186
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\vm0dryns.default\
FF - prefs.js: browser.startup.homepage - www.google.com|www.cnn.com
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-12-1 27904]

=============== Created Last 30 ================

2008-12-28 11:10 <DIR> --d----- c:\program files\Trend Micro
2008-12-28 09:54 <DIR> --d----- c:\program files\Lavasoft
2008-12-28 09:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-27 17:19 13,824 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-27 17:19 146,944 a------- c:\windows\system32\ptpusd.dll
2008-12-27 17:19 13,824 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-27 17:19 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-20 15:52 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-02 19:06 <DIR> --d----- C:\Downloads
2008-12-02 19:06 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2008-12-02 19:01 <DIR> --d----- c:\program files\DNA
2008-12-02 19:01 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2008-12-02 19:01 <DIR> --d----- c:\program files\BitTorrent
2008-12-01 22:17 27,904 a------- c:\windows\system32\drivers\ndisprot.sys
2008-12-01 22:17 <DIR> --dshr-- C:\resycled
2008-12-01 22:17 103 ---shr-- C:\autorun.inf
2008-12-01 20:41 <DIR> --d----- c:\program files\MagicISO
2008-12-01 20:39 <DIR> --d----- c:\program files\Alex Feinman
2008-12-01 19:19 <DIR> --d----- C:\WUTemp
2008-12-01 19:19 182,880 ac------ c:\windows\system32\dllcache\iuengine.dll
2008-12-01 19:19 182,880 a------- c:\windows\system32\iuengine.dll
2008-12-01 19:15 21,760 ac------ c:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2008-10-31 21:11 80,007 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-31 21:08 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 11:43:31.34 ===============

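The DDS excerpt in the post above carries the two indicators a responder would act on: the per-interface DNS entry (`TCP: {interface GUID} = 85.255.112.115;85.255.112.186`, the NameServer value of that adapter's TCP/IP registry key) and a Winlogon `System=` value pointing at an unfamiliar executable (`kdzoz.exe`). The script below is an added example, not code from the thread or from the DDS/HijackThis tools: it parses those two line types out of a DDS "Pseudo HJT Report" and flags resolvers that are either on a known-bad list (seeded here only with the two addresses from the post) or not among the resolvers the machine's owner expects (a constructed assumption of a home router at 192.168.1.1), plus any Winlogon `System=` entry. The sample log is constructed to resemble the post's report; the second interface GUID is made up.

```python
import ipaddress
import re

# Constructed excerpt modelled on the DDS pseudo-HJT section in the post above.
# The second interface GUID and its router address are invented for the example.
SAMPLE_LOG = """\
mWinlogon: System=kdzoz.exe
uRun: [PeerGuardian] c:\\program files\\peerguardian2\\pg2.exe
TCP: {A94D6FAA-DD5E-491F-8748-43C78205BC64} = 85.255.112.115;85.255.112.186
TCP: {11111111-2222-3333-4444-555555555555} = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
"""

# Resolvers the owner actually expects. Assumption for this example: a single
# home router at 192.168.1.1; in practice fill this from DHCP/ISP records.
EXPECTED_RESOLVERS = {ipaddress.ip_network("192.168.1.1/32")}

# Known-bad resolvers. Seeded only with the two addresses visible in the post;
# a real deployment would load a maintained list here.
KNOWN_BAD = {
    ipaddress.ip_address("85.255.112.115"),
    ipaddress.ip_address("85.255.112.186"),
}

# "TCP: {GUID} = ns1;ns2" -> DNS servers configured on one adapter
TCP_RE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# "mWinlogon: Name=value" -> HKLM Winlogon values DDS chose to report
WINLOGON_RE = re.compile(r"^mWinlogon:\s*(\w+)=(.*)$")


def parse_dds(text):
    """Return ({interface_guid: [ip, ...]}, {winlogon_name: value})."""
    interfaces = {}
    winlogon = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TCP_RE.match(line)
        if m:
            servers = []
            for tok in m.group(2).split(";"):
                tok = tok.strip()
                if not tok:
                    continue
                try:
                    servers.append(ipaddress.ip_address(tok))
                except ValueError:
                    # DDS sometimes prints non-IP tokens here; skip them
                    pass
            interfaces[m.group(1)] = servers
            continue
        m = WINLOGON_RE.match(line)
        if m:
            winlogon[m.group(1)] = m.group(2).strip()
    return interfaces, winlogon


def find_findings(interfaces, winlogon):
    """Return a list of (where, value, reason) tuples worth a responder's attention."""
    findings = []
    for guid, servers in interfaces.items():
        for ip in servers:
            if ip in KNOWN_BAD:
                findings.append((guid, str(ip), "known-bad resolver"))
            elif not any(ip in net for net in EXPECTED_RESOLVERS):
                findings.append((guid, str(ip), "unexpected resolver"))
    # The Winlogon System value normally does not name a third-party executable;
    # DDS printing one is a reason to look at that file.
    system_val = winlogon.get("System", "")
    if system_val:
        findings.append(("Winlogon", system_val, "non-default Winlogon System value"))
    return findings


if __name__ == "__main__":
    ifaces, wl = parse_dds(SAMPLE_LOG)
    for where, value, reason in find_findings(ifaces, wl):
        print(f"{reason}: {where} -> {value}")
```

Run against the constructed sample it reports both 85.255.112.x resolvers on the first adapter as known-bad, leaves the router address alone, and lists `kdzoz.exe` for review. The same two checks map directly onto a live host: the adapter's NameServer value under the TCP/IP Interfaces key and the Winlogon System value.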


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 10:59 AM

Posted 08 January 2009 - 12:59 AM

Hello lcw132,


Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 10:59 AM

Posted 23 January 2009 - 04:54 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
