
Infected With Zlob DNS Changer


  • This topic is locked
6 replies to this topic

#1 Ashlock (Members, 5 posts)

Posted 16 January 2009 - 01:48 AM

Hey guys, my PC is infected with Zlob DNS changer, even after removing it with HijackThis. Every time I reconnect this trojan comes back! The most persistent infection I've ever had. I've been trying for a few days to remove it, reading forums etc., using tools like Spybot, Malwarebytes, Avira, HijackThis and ComboFix... Since none of them worked I guess it's time to take an expert's advice ^^ I really don't like to bother you guys, I know you have better things to do, but I tried to remove it by myself and failed miserably xD
So could any of you guys help me? Thanks in advance!
Hmm... Well, at first there were like 4 or 5 lines related to Zlob in my HijackThis log. Using Avira I picked the option to remove the infection; guess I should've put that in quarantine... Anyway, after that there were just 2 lines appearing in my HijackThis log, and they only appear when I connect to the internet. I've already done 2 more full scans with Avira and Zlob isn't appearing anymore, only in Spybot. Well, that's pretty much what I did; I used Malwarebytes and ComboFix too, but no good results yet...

Now I'll send the DDS log and attach the Attach log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by User at 4:26:05,60 on sex 16/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.540 [GMT -2:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Internet Download Manager\IDMan.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.terra.com.br/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\arquivos de programas\internet download manager\IDMIECC.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: GetRight IE Download Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\arquivos de programas\getright\xx2gr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\arquiv~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\arquivos de programas\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\arquivos de programas\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\arquiv~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\arquivos de programas\google\googletoolbar4.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\arquiv~1\mcafee\sitead~1\mcieplg.dll
TB: {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - No File
uRun: [msnmsgr] "c:\arquivos de programas\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\arquivos de programas\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [IDMan] c:\arquivos de programas\internet download manager\IDMan.exe /onboot
mRun: [SoundMAXPnP] c:\arquivos de programas\analog devices\soundmax\SMax4PNP.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [avgnt] "c:\arquivos de programas\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [TkBellExe] "c:\arquivos de programas\arquivos comuns\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\arquivos de programas\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Download all links with IDM - c:\arquivos de programas\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\arquivos de programas\internet download manager\IEGetVL.htm
IE: Download with GetRight Pro - c:\arquivos de programas\getright\GRdownload.htm
IE: Download with IDM - c:\arquivos de programas\internet download manager\IEExt.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\arquivos de programas\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~1\SDHelper.dll
TCP: {0C6A0E80-7AD5-45C3-8003-05C4448BB44D} = 85.255.115.236 85.255.112.186
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\arquiv~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\dadosd~1\mozilla\firefox\profiles\dgrvlfbu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipédia
FF - prefs.js: browser.startup.homepage - hxxp://www.terra.com.br/capa/
FF - component: c:\arquivos de programas\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\documents and settings\user\dados de aplicativos\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\NPGetRt.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\arquivos de programas\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\arquivos de programas\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\arquivos de programas\real\realone player\netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-1-7 17920]
R1 avgio;avgio;c:\arquivos de programas\avira\antivir personaledition classic\avgio.sys [2009-1-9 11840]
R3 avgntflt;avgntflt;c:\arquivos de programas\avira\antivir personaledition classic\avgntflt.sys [2009-1-9 52032]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\arquivos de programas\avira\antivir personaledition classic\sched.exe [2009-1-9 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\arquivos de programas\avira\antivir personaledition classic\avguard.exe [2009-1-9 151297]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\arquivos de programas\mcafee\siteadvisor\McSACore.exe [2009-1-15 206096]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-12-11 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-12-11 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-11 42112]
S3 XDva009;XDva009; [x]
S3 XDva033;XDva033; [x]
S3 XDva074;XDva074;\??\c:\windows\system32\xdva074.sys --> c:\windows\system32\XDva074.sys [?]
S3 XDva120;XDva120;\??\c:\windows\system32\xdva120.sys --> c:\windows\system32\XDva120.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva168;XDva168;\??\c:\windows\system32\xdva168.sys --> c:\windows\system32\XDva168.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva200;XDva200;\??\c:\windows\system32\xdva200.sys --> c:\windows\system32\XDva200.sys [?]
S3 XDva212;XDva212;\??\c:\windows\system32\xdva212.sys --> c:\windows\system32\XDva212.sys [?]
S3 XDva221;XDva221;\??\c:\windows\system32\xdva221.sys --> c:\windows\system32\XDva221.sys [?]
S3 XDva223;XDva223;\??\c:\windows\system32\xdva223.sys --> c:\windows\system32\XDva223.sys [?]

=============== Created Last 30 ================

2009-01-15 07:12 <DIR> a-dshr-- C:\cmdcons
2009-01-15 05:55 <DIR> --d----- c:\arquivos de programas\arquivos comuns\McAfee
2009-01-15 05:53 <DIR> --d----- c:\arquivos de programas\McAfee
2009-01-15 05:53 282 a------- c:\windows\system32\BIN_STRSBW.SPT
2009-01-15 05:05 <DIR> --d----- C:\MSNCleaner
2009-01-15 04:01 <DIR> --d----- c:\arquivos de programas\CCleaner
2009-01-15 02:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-13 02:00 <DIR> --d----- c:\docume~1\user\dadosd~1\Malwarebytes
2009-01-13 02:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 02:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 02:00 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\Malwarebytes
2009-01-13 02:00 <DIR> --d----- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-01-09 18:27 268 a---h--- C:\sqmdata10.sqm
2009-01-09 18:27 244 a---h--- C:\sqmnoopt10.sqm
2009-01-09 18:24 268 a---h--- C:\sqmdata09.sqm
2009-01-09 18:24 244 a---h--- C:\sqmnoopt09.sqm
2009-01-09 18:10 268 a---h--- C:\sqmdata08.sqm
2009-01-09 18:10 244 a---h--- C:\sqmnoopt08.sqm
2009-01-09 03:19 <DIR> --d----- c:\arquivos de programas\Trend Micro
2009-01-09 01:44 <DIR> --d----- c:\arquivos de programas\Avira
2009-01-09 01:40 268 a---h--- C:\sqmdata07.sqm
2009-01-09 01:40 244 a---h--- C:\sqmnoopt07.sqm
2009-01-09 01:35 268 a---h--- C:\sqmdata06.sqm
2009-01-09 01:35 244 a---h--- C:\sqmnoopt06.sqm
2009-01-09 01:34 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\Avg8
2009-01-09 00:40 268 a---h--- C:\sqmdata05.sqm
2009-01-09 00:40 244 a---h--- C:\sqmnoopt05.sqm
2009-01-08 11:31 268 a---h--- C:\sqmdata04.sqm
2009-01-08 11:31 244 a---h--- C:\sqmnoopt04.sqm
2009-01-08 11:25 268 a---h--- C:\sqmdata03.sqm
2009-01-08 11:25 244 a---h--- C:\sqmnoopt03.sqm
2009-01-08 10:57 268 a---h--- C:\sqmdata02.sqm
2009-01-08 10:57 244 a---h--- C:\sqmnoopt02.sqm
2009-01-08 10:44 <DIR> --d----- c:\windows\SHELLNEW
2009-01-08 10:16 268 a---h--- C:\sqmdata01.sqm
2009-01-08 10:16 244 a---h--- C:\sqmnoopt01.sqm
2009-01-08 09:08 268 a---h--- C:\sqmdata00.sqm
2009-01-08 09:08 244 a---h--- C:\sqmnoopt00.sqm
2009-01-08 09:08 67 a------- c:\windows\DVDRegionFree.INI
2009-01-07 17:29 <DIR> --d----- C:\Temp
2009-01-07 17:25 59,904 a------- c:\windows\system32\wbemdisp.tlb
2009-01-07 17:18 17,920 a------- c:\windows\system32\drivers\xfilt.sys
2009-01-07 17:18 9,216 a------- c:\windows\system32\drivers\videX32.sys
2009-01-07 17:01 161,792 a------- c:\windows\SWREG.exe
2009-01-07 17:01 98,816 a------- c:\windows\sed.exe
2009-01-07 16:43 512,000 -c------ c:\windows\system32\dllcache\jscript.dll
2009-01-07 16:43 180,224 -c------ c:\windows\system32\dllcache\scrobj.dll
2009-01-07 16:43 172,032 -c------ c:\windows\system32\dllcache\scrrun.dll
2009-01-07 16:43 90,112 -c------ c:\windows\system32\dllcache\wshext.dll
2009-01-07 16:43 430,080 -c------ c:\windows\system32\dllcache\vbscript.dll
2009-01-07 16:43 155,648 -c------ c:\windows\system32\dllcache\wscript.exe
2009-01-07 16:43 135,168 -c------ c:\windows\system32\dllcache\cscript.exe
2009-01-07 15:59 27,672 a------- c:\windows\system32\wuapi.dll.mui
2009-01-07 14:34 221,184 a------- c:\windows\system32\wmpns.dll
2009-01-07 14:21 397,312 -------- c:\windows\system32\mmcex.dll
2009-01-07 14:16 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-07 14:11 19,569 a------- c:\windows\002897_.tmp
2009-01-07 13:55 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-07 13:55 1,846,528 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-07 13:54 2,149,376 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-07 13:54 2,070,272 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-07 13:54 2,193,408 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-07 13:54 2,028,032 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-07 13:53 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-07 13:52 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-07 13:51 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-01-07 13:45 <DIR> --d----- c:\arquivos de programas\AVG
2009-01-07 13:39 <DIR> --d----- c:\windows\system32\pt-br
2009-01-07 13:34 <DIR> --d----- c:\windows\network diagnostic
2009-01-07 13:28 1,024,000 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-07 13:28 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-07 13:28 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-07 13:28 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-07 13:28 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-07 13:28 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-07 13:28 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-07 13:28 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-07 13:28 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-07 11:30 208,896 a------- c:\windows\system32\NVUNINST.EXE
2009-01-07 11:19 12,288 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-01-07 11:19 12,288 a------- c:\windows\system32\drivers\mouhid.sys
2009-01-07 11:18 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2008-12-27 02:42 <DIR> --d----- c:\documents and settings\user\PATCH
2008-12-26 06:30 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-12-26 06:30 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-12-26 06:16 716,800 a------- c:\windows\system32\Wibuke32.cpl
2008-12-26 06:16 57,552 a------- c:\windows\system32\WKDOS.EXE
2008-12-26 06:16 29,696 a------- c:\windows\system32\drivers\Wibukey2.sys
2008-12-26 06:16 139,264 a------- c:\windows\system32\WkWin32.dll
2008-12-26 06:16 67,072 a------- c:\windows\system32\drivers\Wibukey.sys
2008-12-26 06:16 52,736 a------- c:\windows\system\WkWin.dll
2008-12-26 06:16 <DIR> --d----- c:\arquivos de programas\WIBUKEY
2008-12-26 06:16 <DIR> --d----- c:\arquivos de programas\WIBU-SYSTEMS
2008-12-26 06:16 37,760 a------- c:\windows\system32\drivers\P2k.sys
2008-12-26 06:16 244,024 a------- c:\windows\system32\msflxgrd.ocx
2008-12-26 06:16 77,895 a------- c:\windows\system32\unibus_tcutil.dll
2008-12-26 06:02 <DIR> --d----- C:\digitalvideoconverter
2008-12-26 06:02 <DIR> --d----- c:\arquivos de programas\Digital Video Converter

==================== Find3M ====================

2009-01-15 02:46 433,250 a------- c:\windows\system32\perfh016.dat
2009-01-15 02:46 69,374 a------- c:\windows\system32\perfc016.dat
2009-01-07 14:32 96,384 a------- c:\windows\system32\drivers\sptd0573.sys
2008-12-23 04:29 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-10 11:32 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-12-10 11:32 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-07 23:20 3,532 a------- C:\drmHeader.bin
2008-11-21 13:18 40,678 a------- c:\windows\DIIUnin.dat
2008-11-21 13:12 94,208 a------- c:\windows\DIIUnin.exe
2008-11-21 13:12 2,829 a------- c:\windows\DIIUnin.pif
2008-11-10 16:06 85,977 a------- c:\windows\War3Unin.dat
2008-11-10 16:05 139,264 a------- c:\windows\War3Unin.exe
2008-11-10 16:05 2,829 a------- c:\windows\War3Unin.pif
2008-10-23 10:37 286,720 a------- c:\windows\system32\gdi32.dll
2005-03-31 22:17 40,960 a------- c:\arquivos de programas\Uninstall_CDS.exe

============= FINISH: 4:26:37,79 ===============

Edited by Ashlock, 16 January 2009 - 02:31 PM.


#2 Ashlock (Topic Starter, Members, 5 posts)

Posted 16 January 2009 - 04:34 AM

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:33:04, on 16/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Internet Download Manager\IDMan.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 64.56.67.239 nprotect.battlelands.net
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Arquivos de programas\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Arquivos de programas\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\ARQUIV~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\ARQUIV~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IDMan] C:\Arquivos de programas\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download all links with IDM - C:\Arquivos de programas\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Arquivos de programas\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with IDM - C:\Arquivos de programas\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231351131968
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://189.1.180.117:2100/ActiveView.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231351114421
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6A0E80-7AD5-45C3-8003-05C4448BB44D}: NameServer = 85.255.115.236 85.255.112.186
O17 - HKLM\System\CS3\Services\Tcpip\..\{0C6A0E80-7AD5-45C3-8003-05C4448BB44D}: NameServer = 85.255.115.236 85.255.112.186
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\ARQUIV~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9858 bytes
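The security-relevant lines in the two logs above are the O17 entries (and the matching DDS "TCP:" line): both control sets of interface {0C6A0E80-7AD5-45C3-8003-05C4448BB44D} carry a static NameServer value of 85.255.115.236 85.255.112.186, so every name lookup from this machine is answered by those two hosts until the value is cleared. The script below is an added example, not a BleepingComputer tool and not code posted by Ashlock or Hoov. It parses HijackThis O17 lines and DDS TCP: lines, pulls out the resolver addresses, and classifies each one; it handles any number of interfaces and both log formats, which is more general than the single interface shown here. The 85.255.112.0/20 block it flags, the trusted-resolver list, and the second interface GUID in the sample are assumptions constructed for the example; the thread itself only shows the two addresses.

```python
"""Scan HijackThis / DDS log lines for per-interface DNS resolver overrides.

Added example for this thread; not a BleepingComputer tool and not part of
the original posts. It reads the "O17 ... NameServer" lines HijackThis prints
and the "TCP: {guid} = ..." lines DDS prints, extracts the resolver addresses,
and gives each one a verdict:

  rogue      - inside a block we chose to flag (assumption, see FLAGGED_NETS)
  private    - RFC 1918 / link-local, usually the home router handing out DNS
  trusted    - on our own allow-list
  unexpected - anything else
"""
import ipaddress
import re

# Assumption: the two resolvers in the thread's logs fall inside 85.255.112.0/20,
# so that block is flagged for the example. The page only shows the two
# addresses; replace or extend this list with your own intelligence.
FLAGGED_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Assumption: public resolvers an operator has explicitly approved.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample: the first three lines mirror the thread's logs, the fourth
# interface GUID and its 192.168.1.1 resolver are made up for contrast, and the
# O2 line is there to show that unrelated entries are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6A0E80-7AD5-45C3-8003-05C4448BB44D}: NameServer = 85.255.115.236 85.255.112.186
O17 - HKLM\System\CS3\Services\Tcpip\..\{0C6A0E80-7AD5-45C3-8003-05C4448BB44D}: NameServer = 85.255.115.236 85.255.112.186
TCP: {0C6A0E80-7AD5-45C3-8003-05C4448BB44D} = 85.255.115.236 85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEADBEEF-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
"""

# HijackThis abbreviates the interface key path as Tcpip\..\{guid}.
HJT_O17 = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<ips>.+?)\s*$"
)
# DDS prints the same value as TCP: {guid} = ip [ip ...]
DDS_TCP = re.compile(r"^TCP: \{(?P<guid>[0-9A-Fa-f-]{36})\} = (?P<ips>.+?)\s*$")


def parse_nameservers(text):
    """Return one (source, control set, guid, [ips]) tuple per matching line."""
    records = []
    for line in text.splitlines():
        m = HJT_O17.match(line)
        if m:
            records.append(("hjt", m["cs"], m["guid"], m["ips"].split()))
            continue
        m = DDS_TCP.match(line)
        if m:
            records.append(("dds", "CCS", m["guid"], m["ips"].split()))
    return records


def classify(ip_text):
    """Map one resolver address to a verdict string."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if any(ip in net for net in FLAGGED_NETS):
        return "rogue"
    if ip.is_private or ip.is_link_local:
        return "private"
    if ip_text in TRUSTED_RESOLVERS:
        return "trusted"
    return "unexpected"


def audit(text):
    """One verdict per (interface GUID, resolver). HijackThis lists both CCS and
    CS3 and DDS repeats CCS, so the duplicates collapse into a single finding."""
    findings = {}
    for _source, _cs, guid, ips in parse_nameservers(text):
        for ip_text in ips:
            findings[(guid, ip_text)] = classify(ip_text)
    return findings


def interfaces_needing_reset(text):
    """GUIDs whose static NameServer is rogue, unexpected or malformed. On XP
    these are the subkeys of HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\
    Parameters\\Interfaces; clearing NameServer there lets DHCP supply DNS again."""
    bad = {"rogue", "unexpected", "malformed"}
    return sorted({guid for (guid, _ip), v in audit(text).items() if v in bad})


if __name__ == "__main__":
    for (guid, ip_text), verdict in sorted(audit(SAMPLE_LOG).items()):
        print(f"{guid}  {ip_text:<16} {verdict}")
    print("reset:", interfaces_needing_reset(SAMPLE_LOG))
```

Run it against a saved HijackThis or DDS log by passing the file contents to `audit()` instead of `SAMPLE_LOG`. Clearing the flagged NameServer value (or switching the adapter back to obtaining DNS automatically) fixes the entry itself, but as Ashlock reports, the value returned on every reconnect, so the component writing it still has to be found; that is why a full scan and a router reset are the sensible next steps rather than just editing the key.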

#3 Ashlock (Topic Starter, Members, 5 posts)

Posted 16 January 2009 - 08:24 PM

hmm bump? ;/

#4 Ashlock (Topic Starter, Members, 5 posts)

Posted 18 January 2009 - 03:43 AM

3rd day bump...

#5 Ashlock (Topic Starter, Members, 5 posts)

Posted 22 January 2009 - 10:42 PM

Hmm guys, can someone help me please?
I've already tried to remove it by myself so many times and I just can't! ;/
I know you guys are busy, but...

Well thanks anyway!

#6 Hoov (Malware Response Team, 3,519 posts, Mikado Michigan)

Posted 29 January 2009 - 11:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


If you have a router, then while the computer is restarting, unhook the router from the internet, then do a reset of the router, and when the computer and router are back up, make sure you change the default password to a strong password. If you have just an external modem, just unplug the power from it, wait 2 minutes, then plug it back in.


* Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#7 Hoov (Malware Response Team, 3,519 posts, Mikado Michigan)

Posted 07 February 2009 - 09:39 PM

This thread is closed due to inactivity.
If you need this topic reopened, please send me a PM. This applies to the thread originator only, all others start a new thread.



