
Computer Hijacked by Ukrainians!


3 replies to this topic

#1 nova52

nova52

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:35 AM

Posted 20 January 2009 - 04:01 PM

I don't know what I am infected with, but my DNS server settings keep changing to 85.255.something. I looked up the address I am being redirected to and it is based in the Ukraine. Currently, I cannot connect to the internet unless I use HJT to remove the offending entries, twice consecutively. Then I can log onto my university's network, but the entries change back within a few minutes.
Here's my stuff:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Nova52 at 12:51:12.34 on Tue 01/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.734 [GMT -8:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Nova52\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Nova52\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nova52\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nova52\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nova52\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nova52\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nova52\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://storefront.steampowered.com/v/index.php?area=screenshots&id=1872&s=0,1,636,469,219&i=0,10,30,70,130,220,240,380,400,420,440,3483,4000&cc=US&client=1&size=1024
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\nova52\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\nova52\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\docume~1\nova52\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nova52\applic~1\mozilla\firefox\profiles\v3va81dl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\nova52\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [2008-2-8 463872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-22 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-22 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-22 168776]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-22 104000]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R4 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\stSchedEx.exe [2008-6-10 980312]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-1-27 20160]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-3-14 16896]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]
S3 XDva078;XDva078;\??\c:\windows\system32\xdva078.sys --> c:\windows\system32\XDva078.sys [?]
S3 XDva081;XDva081;\??\c:\windows\system32\xdva081.sys --> c:\windows\system32\XDva081.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]

=============== Created Last 30 ================

2009-01-20 12:23 <DIR> --d----- c:\windows\system32\URTTEMP
2009-01-19 23:33 <DIR> --d----- c:\windows\McAfee.com
2009-01-19 21:46 3,593,216 a------- c:\windows\system32\SET1B.tmp
2009-01-19 21:24 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-19 21:24 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-19 21:24 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-19 21:24 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-19 21:24 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-19 21:24 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-19 21:24 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-19 21:24 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-19 21:24 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-19 20:38 294,912 -c------ c:\windows\system32\dllcache\msaud32.acm
2009-01-14 15:35 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-14 15:34 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-14 15:34 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-14 15:34 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-14 15:34 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-14 15:34 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-14 15:34 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-14 15:33 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-01-14 15:33 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-14 15:32 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-14 15:32 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-01-13 17:30 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-01-13 17:30 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-01-13 17:30 9,216 ac------ c:\windows\system32\dllcache\wamps51.dll
2009-01-13 17:30 73,728 ac------ c:\windows\system32\dllcache\w3ext.dll
2009-01-13 17:30 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-01-13 17:30 5,632 ac------ c:\windows\system32\dllcache\w3svapi.dll
2009-01-13 17:30 4,608 ac------ c:\windows\system32\dllcache\w3ctrs51.dll
2009-01-13 17:30 14,336 ac------ c:\windows\system32\dllcache\tsprof.exe
2009-01-13 17:30 455,168 ac------ c:\windows\system32\dllcache\tintsetp.exe
2009-01-13 17:30 44,032 ac------ c:\windows\system32\dllcache\tintlphr.exe
2009-01-13 17:30 10,240 ac------ c:\windows\system32\dllcache\tmigrate.dll
2009-01-13 17:30 571,392 ac------ c:\windows\system32\dllcache\tintlgnt.ime
2009-01-13 17:28 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-01-13 17:27 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-01-13 17:26 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-13 17:26 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-13 17:26 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-13 17:26 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-13 17:26 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-13 17:26 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-13 17:26 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-13 16:45 14,573 a----r-- c:\windows\SETA3.tmp
2009-01-13 16:45 13,753 a----r-- c:\windows\SET67.tmp
2009-01-13 16:45 1,086,058 a----r-- c:\windows\SET5B.tmp
2009-01-13 16:45 1,042,903 a----r-- c:\windows\SET58.tmp
2009-01-13 15:57 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-01-13 15:57 13,312 a------- c:\windows\system32\irclass.dll
2009-01-13 15:57 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-01-13 15:57 24,661 a------- c:\windows\system32\spxcoins.dll
2009-01-13 15:57 14,573 a----r-- c:\windows\SETA2.tmp
2009-01-13 15:57 13,753 a----r-- c:\windows\SET66.tmp
2009-01-13 15:57 1,086,058 a----r-- c:\windows\SET5A.tmp
2009-01-13 15:57 1,042,903 a----r-- c:\windows\SET57.tmp
2009-01-13 15:28 14,573 a----r-- c:\windows\SETA1.tmp
2009-01-13 15:28 13,753 a----r-- c:\windows\SET65.tmp
2009-01-13 15:28 1,086,058 a----r-- c:\windows\SET59.tmp
2009-01-13 15:28 1,042,903 a----r-- c:\windows\SET56.tmp
2009-01-13 15:00 14,573 a----r-- c:\windows\SETD1.tmp
2009-01-13 15:00 399,645 ac------ c:\windows\system32\dllcache\MAPIMIG.CAT
2009-01-13 15:00 37,484 ac------ c:\windows\system32\dllcache\MW770.CAT
2009-01-13 15:00 13,472 ac------ c:\windows\system32\dllcache\HPCRDP.CAT
2009-01-13 15:00 8,574 ac------ c:\windows\system32\dllcache\IASNT4.CAT
2009-01-13 15:00 7,382 ac------ c:\windows\system32\dllcache\OEMBIOS.CAT
2009-01-13 15:00 1,042,903 ac------ c:\windows\system32\dllcache\SP2.CAT
2009-01-13 15:00 797,189 ac------ c:\windows\system32\dllcache\NT5IIS.CAT
2009-01-13 15:00 13,753 a----r-- c:\windows\SET95.tmp
2009-01-13 15:00 1,086,058 a----r-- c:\windows\SET89.tmp
2009-01-13 15:00 1,042,903 a----r-- c:\windows\SET86.tmp
2009-01-13 07:59 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-13 07:45 195,096 a------- c:\windows\system32\lvci11901262.dll
2009-01-12 12:42 <DIR> --d----- c:\program files\Bonjour
2009-01-08 13:23 <DIR> --d----- c:\program files\tazti
2009-01-08 13:23 <DIR> --d----- c:\docume~1\nova52\applic~1\tazti
2009-01-08 12:11 57,398 ac------ c:\windows\system32\dllcache\imjpdadm.exe
2009-01-06 19:59 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-06 19:59 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-06 14:47 <DIR> --d----- C:\VundoFix Backups
2009-01-06 14:09 <DIR> --d----- C:\fixwareout
2009-01-06 13:59 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 18:06 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-04 20:37 <DIR> --d----- C:\UT2004

==================== Find3M ====================

2009-01-20 11:37 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-20 11:37 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-01-13 17:25 22,748 a------- c:\windows\system32\emptyregdb.dat
2009-01-06 14:37 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-16 22:02 23,832 a------- c:\windows\system32\drivers\lvuvcflt.sys
2008-12-16 22:01 6,364,440 a------- c:\windows\system32\drivers\lvuvc.sys
2008-12-16 22:01 41,752 a------- c:\windows\system32\drivers\LVUSBSta.sys
2008-12-16 22:01 432,664 a------- c:\windows\system32\LVUI2RC.dll
2008-12-16 22:00 494,104 a------- c:\windows\system32\LVUI2.dll
2008-12-16 22:00 768,024 a------- c:\windows\system32\drivers\lvrs.sys
2008-12-16 21:58 25,624 a------- c:\windows\system32\drivers\LVPr2Mon.sys
2008-12-16 21:55 416,280 a------- c:\windows\system32\lvcodec2.dll
2008-12-16 21:50 13,584 a------- c:\windows\system32\drivers\iKeyLgFT.dll
2008-12-16 21:38 227,172 a------- c:\windows\system32\drivers\LVFeL000.cfg
2008-12-16 21:38 146,680 a------- c:\windows\system32\drivers\LVFeL001.cfg
2008-12-16 21:38 85,302 a------- c:\windows\system32\drivers\LVFeL002.cfg
2008-12-16 21:38 69,592 a------- c:\windows\system32\drivers\LVFaL000.cfg
2008-12-16 21:37 29,562 a------- c:\windows\system32\Repository.reg
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-23 12:05 88,064 a------- c:\windows\system32\AudioExCtl.dll
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll

============= FINISH: 12:51:20.92 ===============


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:35 AM

Posted 25 January 2009 - 04:00 PM

Hi,

Still need help? Do you use a router to connect to the internet? Do this:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in your reply.

How Can I Reduce My Risk to Malware?


#3 nova52

nova52
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:35 AM

Posted 26 January 2009 - 09:58 PM

Ran Malwarebytes... found 21 infected items!

Upon startup, I ran a quick HJT scan to see if the offending registry entries had returned, and they have not so far.

I am using a wireless router to connect, but my other computers have no problem connecting so far. I scanned them with HJT and they all came out clean.

I noticed extravideo as being listed in Malwarebytes' report. I downloaded this to convert a few YouTube movies between different formats before uploading. How can I make sure I don't install another infected homebrew program? McAfee didn't catch this one.

Here's the log you asked for:

Malwarebytes' Anti-Malware 1.33
Database version: 1696
Windows 5.1.2600 Service Pack 3

1/26/2009 6:43:16 PM
mbam-log-2009-01-26 (18-43-16).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 140572
Time elapsed: 49 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 14
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{395ab894-e10e-4207-bfb0-cdb03280cac8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{457554db-506f-481b-b3f3-e582ebcf3acb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{885b93ba-63b1-46ab-9777-6e240f7d60f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{885b93ba-63b1-46ab-9777-6e240f7d60f6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{395ab894-e10e-4207-bfb0-cdb03280cac8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{457554db-506f-481b-b3f3-e582ebcf3acb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{885b93ba-63b1-46ab-9777-6e240f7d60f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{885b93ba-63b1-46ab-9777-6e240f7d60f6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{395ab894-e10e-4207-bfb0-cdb03280cac8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{457554db-506f-481b-b3f3-e582ebcf3acb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{885b93ba-63b1-46ab-9777-6e240f7d60f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{885b93ba-63b1-46ab-9777-6e240f7d60f6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.146;85.255.112.173 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxlrvdhrxr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxmqltoiqt.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-F37.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:35 AM

Posted 27 January 2009 - 06:05 AM

Hi nova52,

OK, good. Thanks for the info.


I am using a wireless router

This trojan, or a variation of it, can change the DNS settings in routers. MBAM can remove and restore settings on your computer but not your router. If you are using the default login/password for the router (you shouldn't be), then you will still get page redirects. If you are not using the default login/password, then all should be OK.

Check MBAM for any updates and do another full scan with it and post the log along with a new hjt log.

How Can I Reduce My Risk to Malware?




