
DNS Changer? Help.


  • This topic is locked This topic is locked
2 replies to this topic

#1 ingenium


Posted 24 March 2009 - 02:46 PM

EDIT: UPDATE

UPDATE: Confirmed this workstation as rogue dhcp through wireshark. Modified startup/shortcut for mbam and successfully restarted. Mbam caught Trojan.Agent and DNSChanger and supposedly removed. Again, tested (from a clean workstation within the same domain) DHCP and came back with this workstation as the rogue again. Suspect nameserver identified as 64.86.133.51. Mbam still came back with nothing.


Hello,

I am having issues with, what may be, the new DNSChanger. I have checked online and did a compare with the, supposed, corrupt DNS IPs from a few sources. Below is my DDS.txt and attached is the attach.zip. Any help would be wonderful as NOD32 is not picking anything up. Also, the hosts file seems to have been blanked or an empty file copied over, and MBam will not run (blinks and then nothing) and I can't install SuperAntiSpyware as it goes into some debug mode.

Thanks,


DDS (Ver_09-03-16.01) - NTFSx86
Run by BonitaL at 12:32:35.07 on Tue 03/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2843 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\bonital\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: constructionpoints.com\www
Trusted Zone: microsoft.com\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229936942843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231196194658&h=49df7d26d3bfa9ed1ed9b0eb39552fc1/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.120,85.255.112.83
TCP: {49CA5C40-70D1-45BC-94C5-DEDAA2C105EE} = 192.168.200.71,192.168.200.72
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bonital\applic~1\mozilla\firefox\profiles\yokrhvqy.default\
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 MSSQL$LOCALDB;SQL Server (LOCALDB);c:\program files\microsoft sql server\mssql.4\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2006-4-14 203552]
S3 msftesql$LOCALDB;SQL Server FullText Search (LOCALDB);c:\program files\microsoft sql server\mssql.4\mssql\binn\msftesql.exe [2006-2-14 92880]
S3 MSOLAP$LOCALDB;SQL Server Analysis Services (LOCALDB);c:\program files\microsoft sql server\mssql.5\olap\bin\msmdsrv.exe [2006-4-14 14623008]
S3 ReportServer$LOCALDB;SQL Server Reporting Services (LOCALDB);c:\program files\microsoft sql server\mssql.6\reporting services\reportserver\bin\ReportingServicesService.exe [2006-4-14 14624]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2006-4-14 14624]
S3 SQLAgent$LOCALDB;SQL Server Agent (LOCALDB);c:\program files\microsoft sql server\mssql.4\mssql\binn\SQLAGENT90.EXE [2006-4-14 319776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-03-20 13:52 <DIR> --d----- c:\program files\CCleaner
2009-03-19 10:51 244 a---h--- C:\sqmnoopt00.sqm
2009-03-19 10:51 232 a---h--- C:\sqmdata00.sqm
2009-03-19 10:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 10:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 10:43 <DIR> --d----- c:\program files\Malwarebytes Anti-Malware
2009-03-19 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-17 07:16 6,144 a---h--- c:\windows\system32\svchost.suo
2009-03-17 07:16 203 a------- c:\windows\system32\svchost.sln
2009-03-13 16:10 430 ---shr-- C:\autorun.inf
2009-03-11 03:00 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-10 15:32 <DIR> --d----- c:\windows\pss
2009-03-10 14:43 5,009 a------- c:\windows\UEDIT32.INI

==================== Find3M ====================

2009-03-16 09:00 12 a------- C:\break.bat
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-06 17:34 39,992 a------- c:\docume~1\bonital\applic~1\GDIPFONTCACHEV1.DAT
2009-01-05 15:56 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 12:32:40.32 ===============


Edited by ingenium, 24 March 2009 - 04:31 PM.
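The comparison the poster did by hand (configured resolvers versus the known-bad lists), as an added example that is not part of the original post or of the DDS tool: it parses the "TCP:" lines of a DDS Pseudo HJT report and flags any resolver that is not on an allowlist of the domain's own DNS servers. The allowlist, the function names and the sample report lines are assumptions; the sample addresses are the ones quoted in the report above.

```python
import ipaddress
import re

# Constructed sample: the two "TCP:" lines of the DDS report posted above.
SAMPLE_DDS = """\
TCP: NameServer = 85.255.112.120,85.255.112.83
TCP: {49CA5C40-70D1-45BC-94C5-DEDAA2C105EE} = 192.168.200.71,192.168.200.72
"""

# Assumption: the domain's legitimate internal resolvers, taken from the
# per-adapter entry of the report. Anything else is reported as unexpected.
EXPECTED_RESOLVERS = {"192.168.200.71", "192.168.200.72"}

# Matches the global "NameServer" entry and per-adapter "{GUID}" entries.
_TCP_LINE = re.compile(
    r"^TCP:\s+(?P<scope>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<ips>.+)$"
)


def parse_nameservers(report):
    """Return {scope: [ip, ...]} for every 'TCP:' line in a DDS report."""
    found = {}
    for line in report.splitlines():
        m = _TCP_LINE.match(line.strip())
        if not m:
            continue
        ips = [p.strip() for p in m.group("ips").split(",") if p.strip()]
        found[m.group("scope")] = ips
    return found


def unexpected_resolvers(report, expected=EXPECTED_RESOLVERS):
    """List (scope, ip, reason) for resolvers not on the allowlist.

    A public resolver on a host that should only use internal DNS is the
    classic DNSChanger symptom; a private but unknown resolver points at a
    rogue DHCP server handing out its own address, as in the update above.
    """
    findings = []
    for scope, ips in parse_nameservers(report).items():
        for ip in ips:
            if ip in expected:
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append((scope, ip, "unparseable address"))
                continue
            reason = "public resolver" if addr.is_global else "unknown private resolver"
            findings.append((scope, ip, reason))
    return findings
```

Run against a whole DDS.txt the function only looks at the "TCP:" lines, so the rest of the report can be passed in unchanged.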



#2 ingenium


Posted 24 March 2009 - 05:27 PM

Do not worry about this thread. The workstation has been considered easily replaceable and I will not be needing the help.

#3 KoanYorel


    Bleepin' Conundrum


Posted 25 March 2009 - 02:33 AM

Thanks for informing us.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



