dns hijack


1 reply to this topic

#1 dan200988

  • Members
  • 5 posts
  • OFFLINE
  • Local time: 01:54 PM

Posted 08 March 2009 - 01:46 PM

I can't open my C drive because it says it can't find the name. I tried to check it with Malwarebytes Anti-Malware but that won't load, so I checked it with SmitFraudFix, I think it was called, and here were the results. Please can someone help?
SmitFraudFix v2.400

Scan done at 18:26:12.62, Sat 03/07/2009
Run from C:\Documents and Settings\dan new\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

Process

C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\ALCXMNTR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Documents and Settings\dan new\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS.1\system32\cmd.exe

hosts


C:\

C:\autorun.inf FOUND !

C:\WINDOWS.1

C:\WINDOWS.1\k.txt FOUND !

C:\WINDOWS.1\system


C:\WINDOWS.1\Web


C:\WINDOWS.1\system32


C:\Documents and Settings\dan new


C:\DOCUME~1\DANNEW~1\LOCALS~1\Temp


C:\Documents and Settings\dan new\Application Data


Start Menu


C:\DOCUME~1\DANNEW~1\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Applications\ FOUND !
C:\Program Files\MSX\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS.1\\system32\\userinit.exe,"
"System"=""


RK



DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 85.255.112.186
DNS Server Search Order: 85.255.112.124

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.186,85.255.112.124


Scanning for wininet.dll infection


End
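The DNS section of the report above is the part that matters: two resolvers in 85.255.x.x are set both on the NIC's interface key and in the global Tcpip\Parameters key, and in the CS3 control set the DHCP-supplied resolver is still the router at 192.168.1.254 while the static NameServer value points at 85.255.x.x. As an added example (not code from the post or from SmitFraudFix), the Python script below parses those report lines, flags any resolver that falls inside the suspect range, and lists every key where a static NameServer differs from DhcpNameServer, since Windows uses the static value in preference to the DHCP one. The sample input is copied from the report above; treating the whole 85.255.0.0/16 as suspect is an assumption based on the tool's "85.255.x.x" wording.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the DNS section of the SmitFraudFix report quoted above
# (the registry lines are copied from the post as-is).
SAMPLE_REPORT = r"""
DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 85.255.112.186
DNS Server Search Order: 85.255.112.124

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0B3FC16-6BC8-46D2-B3F6-2A4B9843AC60}: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.186,85.255.112.124
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.186,85.255.112.124
"""

# Assumption: the tool only says "85.255.x.x", so the whole /16 is treated as suspect here.
HIJACK_RANGE = ipaddress.ip_network("85.255.0.0/16")

# One report line: registry key path, then DhcpNameServer= or NameServer= and a comma list of IPs.
LINE_RE = re.compile(
    r"^(?P<key>HKLM\\SYSTEM\\(?:CCS|CS\d+)\\Services\\Tcpip\\[^:]+): "
    r"(?P<name>DhcpNameServer|NameServer)=(?P<value>[0-9.,]*)$"
)


def parse_dns_entries(report):
    """Return one dict per registry line: key path, value name and the list of resolver IPs."""
    entries = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, descriptions and blank lines are ignored
        servers = [s for s in m.group("value").split(",") if s]
        entries.append({"key": m.group("key"), "name": m.group("name"), "servers": servers})
    return entries


def flag_hijacked_servers(entries, bad_range=HIJACK_RANGE):
    """Resolver addresses (deduplicated, sorted) that fall inside the suspect range."""
    flagged = set()
    for entry in entries:
        for server in entry["servers"]:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                continue  # skip anything that is not a well-formed IP literal
            if addr in bad_range:
                flagged.add(str(addr))
    return sorted(flagged, key=ipaddress.ip_address)


def static_overrides(entries):
    """Keys whose static NameServer differs from DhcpNameServer.

    Windows prefers a static NameServer over the DHCP-supplied value, so this
    mismatch is what keeps a hijack in place even after the router hands out a
    clean resolver (the CS3 lines show 192.168.1.254 being overridden).
    """
    by_key = defaultdict(dict)
    for entry in entries:
        by_key[entry["key"]][entry["name"]] = entry["servers"]
    overrides = []
    for key, values in by_key.items():
        dhcp = values.get("DhcpNameServer")
        static = values.get("NameServer")
        if dhcp is not None and static is not None and dhcp != static:
            overrides.append({"key": key, "dhcp": dhcp, "static": static})
    return overrides


def assess(report):
    """Parse a report's DNS section and summarise what a responder would want to know."""
    entries = parse_dns_entries(report)
    return {
        "entries": len(entries),
        "hijacked_servers": flag_hijacked_servers(entries),
        "static_overrides": static_overrides(entries),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_REPORT)
    print(f"{result['entries']} resolver entries parsed")
    print("suspect resolvers:", ", ".join(result["hijacked_servers"]) or "none")
    for o in result["static_overrides"]:
        print(f"static NameServer {o['static']} overrides DHCP {o['dhcp']} at {o['key']}")
```

Run against the sample it reports both 85.255.112.x resolvers and two overrides, both in the CS3 control set; the point of the second check is that clearing only the DHCP side (or resetting the router, as the reply below advises) is not enough while a static NameServer is still set.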


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • ONLINE
  • Gender: Male
  • Location: NJ USA
  • Local time: 02:54 PM

Posted 08 March 2009 - 02:56 PM

Hello, please run SmitfraudFix again.

Disconnect from the Internet and reset your router with a strong logon/password so the malware cannot gain control before connecting again. Many users seldom change the default username/password on the router and are prone to this type of infection.

Double-click smitfraudfix.exe to start the tool again.
Select option #5 - Search and clean DNS Hijack by typing 5 and press "Enter".
After running SmitFraudFix, a text file named rapport.txt will have automatically been saved to the root of the system drive at C:\rapport.txt.
Copy/Paste that report into your next reply.


Now run part 2 of SmitFraudFix, Cleaning.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Can we run MBAM now?

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.