Seems infected with DNSchanger Trojan...


This topic is locked
18 replies to this topic

#1 biplab7


Posted 09 June 2009 - 11:40 AM

Hi,
It seems that my computer has been infected with the DNSChanger Trojan. Any Microsoft download/update related sites say "Link Broken" or go to google.com. Some spyware/malware removal sites also show similar behaviour.
Please find the HijackThis log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:37 PM, on 6/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WordWeb\wweb32.exe
C:\webserver\bin\httpd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\webserver\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.wyndhamworldwide.com/d...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E74BA0-F572-4BA1-B7DB-11A8B8B88E4D}: NameServer = 85.255.116.114 85.255.112.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\webserver\bin\httpd.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8412 bytes


Previously I tried deleting entries similar to line O17 (85.255.116.114 85.255.112.91), but after a restart/connecting to the Internet similar entries reappear in the log.
Please help me to get rid of this problem.

Thanks,
Biplab.


#2 Farbar


Posted 09 June 2009 - 07:05 PM

Hi biplab7,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • I see Spyblocker toolbar is installed and this is not highly recommended. See here to find out why.

    I recommend that you uninstall the ZoneAlarm Spyblocker toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    ZoneAlarm Spyblocker

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Rename the installer to moon.exe while choosing C: drive to save in.
    • Double Click moon.exe to install the application to its default location.
    • Make sure no checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • Using Windows Explorer (right-click start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    • Locate the file mbam.exe and rename it to clear.exe then double-click to run it.
    • Wait until it opens up.
    • Update it. When you get the message that it is updated successfully check under Update tab the Database version should read 2256 or above.
    • Select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log after running it and removing what it finds, or removing files after reboot.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Please copy and paste a fresh Hijackthis log to your reply.

Edited by farbar, 09 June 2009 - 07:08 PM.


#3 biplab7


Posted 10 June 2009 - 02:48 PM

Hi,
Performed the following steps as advised:
1. Uninstalled ZoneAlarm Spyblocker.
2. Installed Malwarebytes.
3. Updation failed.
4. Performed Quick Scan. The attached log can be seen.
5. Removed the single finding and restarted the machine as advised by Malwarebytes.
6. Please find attached the HijackThis log (hijackthis.log).
7. Connected to broadband and took another HijackThis log, which can be seen below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:35 AM, on 6/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\webserver\bin\httpd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\webserver\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.wyndhamworldwide.com/d...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E74BA0-F572-4BA1-B7DB-11A8B8B88E4D}: NameServer = 85.255.116.114 85.255.112.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\webserver\bin\httpd.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7403 bytes


Please advise.




#4 Farbar


Posted 10 June 2009 - 03:59 PM

Well done and thanks for the feedback.
:thumbup2:

3. Updation failed.

7. Connected to broadband and took another HijackThis log, which can be seen below:


Please copy and paste the logs instead of attaching unless it is so requested. Also no need to post extra logs. Thank you.

What do you mean updating failed? How did you try to update?
What do you mean connected to broadband and took another hijackthis log? Were you not connected when updating?

Note: You need to be connected to perform the following scan.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

Edited by farbar, 10 June 2009 - 04:17 PM.


#5 biplab7


Posted 10 June 2009 - 09:16 PM

Hi,
Thank you very much for the response.
1. For "updation failed": I was connected to the internet while I tried to update. I don't know why, but an error window appeared with something like "u need to be connected to the net or ur firewall should allow antimalware to pass through. Error code 732". But BitDefender never asked me whether I should allow or block.
2. For "connected to broadband" I meant: after Malwarebytes removed the entry and I had done a restart, I took a HijackThis log without connecting to the internet and another after connecting to the internet. This is all after Malwarebytes said it had removed the entry.
I took two logs because I observed before that every time after this registry entry is deleted and I restart, at first those nameservers won't be there, but as soon as I connect to the internet those nameservers reappear in the registry.
3. Please find below the log.txt as advised:


Windows IP Configuration



Host Name . . . . . . . . . . . . : mitslint-x

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : local.lan



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : local.lan

Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-19-DB-D6-E8-EC

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Thursday, June 11, 2009 7:07:38 AM

Lease Expires . . . . . . . . . . : Thursday, June 11, 2009 7:07:38 PM



Ethernet adapter Network Connect Adapter:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Juniper Network Connect Virtual Adapter

Physical Address. . . . . . . . . : 00-FF-68-1D-DE-82



PPP adapter Broadband Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-00

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 117.194.224.247

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . : 117.194.224.247

DNS Servers . . . . . . . . . . . : 85.255.116.114

85.255.112.91

NetBIOS over Tcpip. . . . . . . . : Disabled

Server: MyDslModem.local.lan
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.


Pinging google.com [74.125.127.100] with 32 bytes of data:



Reply from 74.125.127.100: bytes=32 time=578ms TTL=241

Reply from 74.125.127.100: bytes=32 time=573ms TTL=241



Ping statistics for 74.125.127.100:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 573ms, Maximum = 578ms, Average = 575ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 db d6 e8 ec ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
0x10004 ...00 ff 68 1d de 82 ...... Juniper Network Connect Virtual Adapter
0x30005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 117.194.224.247 117.194.224.247 1
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 21
117.194.224.1 255.255.255.255 117.194.224.247 117.194.224.247 1
117.194.224.247 255.255.255.255 127.0.0.1 127.0.0.1 50
117.255.255.255 255.255.255.255 117.194.224.247 117.194.224.247 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 117.194.224.247 117.194.224.247 1
255.255.255.255 255.255.255.255 117.194.224.247 117.194.224.247 1
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
255.255.255.255 255.255.255.255 192.168.1.2 10004 1
Default Gateway: 117.194.224.247
===========================================================================
Persistent Routes:
None

Edited by biplab7, 10 June 2009 - 09:40 PM.
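The O17 line in the HijackThis log and the PPP adapter section of the ipconfig output above list the same two resolvers. The script below is an added example, not code from the thread or from HijackThis: it parses both formats, flags resolvers that are neither private nor in an operator-supplied trusted set, and reports which adapter currently carries each O17 resolver. The sample inputs are constructed from values quoted in the thread; the trusted set (only the DHCP-supplied gateway) is an assumption.

```python
import ipaddress
import re

# Constructed excerpt of the HijackThis log posted in the thread (raw string:
# the backslashes are literal registry-path separators).
HIJACKTHIS_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E74BA0-F572-4BA1-B7DB-11A8B8B88E4D}: NameServer = 85.255.116.114 85.255.112.91
O23 - Service: Apache2.2 - Apache Software Foundation - C:\webserver\bin\httpd.exe
"""

# Constructed excerpt of the ipconfig /all output posted in the thread.
IPCONFIG_OUTPUT = """
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Broadband Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 117.194.224.247
        DNS Servers . . . . . . . . . . . : 85.255.116.114
                                            85.255.112.91
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
ADAPTER_RE = re.compile(r"^(?P<kind>\S[^:]*?) adapter (?P<name>[^:]+):\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)[ .]*:\s?(?P<value>.*)$")
IPV4_RE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$")


def parse_o17(log_text):
    """Map each O17 interface (GUID if present, else the key path) to its
    NameServer list; that registry value holds statically set resolvers."""
    entries = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        g = GUID_RE.search(m.group("key"))
        ident = g.group(1).upper() if g else m.group("key")
        # HijackThis separates several resolvers with spaces or commas.
        entries[ident] = re.split(r"[ ,]+", m.group("servers").strip())
    return entries


def parse_ipconfig(text):
    """Map each adapter to {'dhcp': bool, 'dns': [resolvers]} from ipconfig /all."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group("name").strip()
            adapters[current] = {"dhcp": False, "dns": []}
            last_key = None
            continue
        if current is None:
            continue  # global "Windows IP Configuration" block, no adapter yet
        m = FIELD_RE.match(line)
        if m:
            last_key, value = m.group("key").strip(), m.group("value").strip()
            if last_key == "Dhcp Enabled":
                adapters[current]["dhcp"] = value.lower() == "yes"
            elif last_key == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
            continue
        m = IPV4_RE.match(line)
        if m and last_key == "DNS Servers":
            # Additional resolvers are printed one per line under the first.
            adapters[current]["dns"].append(m.group(1))
    return adapters


def suspicious_resolvers(o17_entries, adapters, trusted):
    """(source, resolver, dhcp) for resolvers that are neither private
    (RFC 1918) nor in the operator-supplied trusted set."""
    def unexpected(ip):
        return not ipaddress.ip_address(ip).is_private and ip not in trusted

    found = [("O17 {%s}" % k, ip, False)
             for k, ips in o17_entries.items() for ip in ips if unexpected(ip)]
    found += [("adapter '%s'" % n, ip, a["dhcp"])
              for n, a in adapters.items() for ip in a["dns"] if unexpected(ip)]
    return found


def adapters_using(o17_entries, adapters):
    """For each O17 resolver, the adapters whose live DNS list still carries it."""
    return {ip: sorted(n for n, a in adapters.items() if ip in a["dns"])
            for ips in o17_entries.values() for ip in ips}
```

Run the three functions over the two constants: the LAN adapter is clean, while both O17 resolvers show up again on the PPP adapter, which is the connection the thread says brings them back.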


#6 Farbar


Posted 11 June 2009 - 01:21 AM

Thanks for the feedback.
  • Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.
  • Try to update MBAM; if you still can't, tell me about it.
    If you couldn't update, update MBAM manually. To do that, download mbam-rules.exe.
    Double-click mbam-rules.exe to run it.
    Then run MBAM, let it remove what it finds, reboot if needed and post the log.

  • Please copy and paste a fresh Hijackthis log to your reply while you are connected to the broadband.

Edited by farbar, 11 June 2009 - 01:24 AM.


#7 biplab7


Posted 11 June 2009 - 11:01 AM

Hi,
1. The network connection options were as usual and as suggested by you.
2. Updation of MBAM failed again.
3. Downloaded mbam.exe and executed it, but I am not sure whether it really updated anything; the database version is still 2202.
Please find the log for MBAM below:
Malwarebytes' Anti-Malware 1.37
Database version: 2202
Windows 5.1.2600 Service Pack 2

6/11/2009 9:01:41 PM
mbam-log-2009-06-11 (21-01-41).txt

Scan type: Quick Scan
Objects scanned: 101998
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f5e74ba0-f572-4ba1-b7db-11a8b8b88e4d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.114 85.255.112.91 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


4. Please find the hijack log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:02 PM, on 6/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\webserver\bin\httpd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\webserver\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyBa.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.wyndhamworldwide.com/d...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E74BA0-F572-4BA1-B7DB-11A8B8B88E4D}: NameServer = 85.255.116.114 85.255.112.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\webserver\bin\httpd.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7222 bytes

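The O17 line in the log above (`NameServer = 85.255.116.114 85.255.112.91` under a per-interface Tcpip key) is the DNS hijack itself: the trojan writes rogue resolvers into one network connection's TCP/IP settings, so every lookup from that connection is answered by the attacker. The following script is an added example, not a tool from this thread or from either poster: it pulls the O17 NameServer entries out of a HijackThis log and checks each resolver against the rogue DNS ranges published in the FBI's DNSChanger advisory (85.255.112.0/20 is the range the two addresses above fall in). The sample log text is constructed from the real O17 line above plus one benign entry and one unrelated line; the `192.168.0.0/16` "trusted" range is an assumption standing in for the resolvers the user's own router or ISP hands out.

```python
"""Flag rogue DNS resolvers in HijackThis O17 (NameServer) entries.

Added example, standard library only. Sample input below is constructed
from the O17 line in the posted log plus one benign entry.
"""
import ipaddress
import re

# Rogue resolver ranges from the FBI's public DNSChanger advisory.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",    # 85.255.112.0 - 85.255.127.255 (seen in the log above)
    "67.210.0.0/20",      # 67.210.0.0   - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0 - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0   - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0 - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0  - 64.28.191.255
)]

# "O17 - <registry key>: NameServer = <ip>[ <ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+):\s*NameServer\s*=\s*(?P<servers>.+)$")

# Constructed sample: the real O17 line from the posted log, a benign
# global NameServer entry (hypothetical), and one unrelated O4 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E74BA0-F572-4BA1-B7DB-11A8B8B88E4D}: NameServer = 85.255.116.114 85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Return [(registry key, [resolver IPs])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple resolvers with spaces or commas.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def classify_server(ip_text):
    """'rogue (<net>)' if inside a known DNSChanger range, else a neutral verdict."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    for net in ROGUE_DNS_RANGES:
        if ip in net:
            return f"rogue ({net})"
    return "unknown static"


def audit(log_text, trusted=()):
    """Classify every resolver found in O17 lines.

    `trusted` lists networks the operator expects (router, ISP resolvers);
    anything static and outside both the rogue and trusted lists is still
    worth a look, because a DHCP-managed connection should carry no static DNS.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for key, servers in parse_o17(log_text):
        for s in servers:
            verdict = classify_server(s)
            if verdict == "unknown static" and any(
                    ipaddress.ip_address(s) in n for n in trusted_nets):
                verdict = "trusted"
            findings.append({"key": key, "server": s, "verdict": verdict})
    return findings


def rogue_servers(findings):
    """Just the resolver addresses that matched a known rogue range."""
    return [f["server"] for f in findings if f["verdict"].startswith("rogue")]


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, trusted=["192.168.0.0/16"])
    for f in results:
        print(f"{f['verdict']:<24} {f['server']:<16} {f['key']}")
    if rogue_servers(results):
        print("Rogue DNS detected: reset the affected connection to "
              "'Obtain DNS server address automatically' and flush the cache.")
```

The registry key in an O17 line tells you which connection was tampered with: `Tcpip\Parameters` is the machine-wide default, while a key ending in a `{GUID}` belongs to one interface (a LAN adapter or a dial-up/PPPoE entry). A rogue match on a GUID key is why the Local Area Connection can look clean while the connection actually used for Internet access is hijacked.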
#8 Farbar
  • Security Developer
  • 21,659 posts
  • Gender: Male
  • Location: The Netherlands

Posted 11 June 2009 - 12:41 PM

1. The network connection options were as usual and as suggested by you.


When you open Network Connections what do you see inside it?

#9 Farbar
  • Security Developer
  • 21,659 posts
  • Gender: Male
  • Location: The Netherlands

Posted 11 June 2009 - 01:10 PM

In addition to previous post please do the following:

If you could not run ComboFix, rename it to bip.exe and run it.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

  • Please go to start -> Run.
    • Copy and paste the bold line in the run-box and click OK: "C:\Qoobox\Add-Remove Programs.txt"
    • A text file opens up, copy and paste the content to your reply.


#10 biplab7
  • Topic Starter
  • Members
  • 9 posts

Posted 11 June 2009 - 02:33 PM

1. On Network Connection -> Properties -> General tab, after double-clicking Internet Protocol (TCP/IP), both options, "Obtain an IP address automatically" and "Obtain DNS server address automatically", were already checked. I did not change anything on it.
2. Please find the ComboFix log below:
ComboFix 09-06-11.05 - pROMETHEUS 06/12/2009 0:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.201 [GMT 5.5:30]
Running from: c:\documents and settings\pROMETHEUS\Desktop\bip.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
C:\smp.bat
c:\windows\system32\aastykhr.ini
c:\windows\system32\abodboym.ini
c:\windows\system32\agshhtfs.ini
c:\windows\system32\bapxosgv.ini
c:\windows\system32\bbgmyvar.ini
c:\windows\system32\bxfirdlx.ini
c:\windows\system32\chreeyql.ini
c:\windows\system32\dnwmjsqr.ini
c:\windows\system32\esvjuxfu.ini
c:\windows\system32\fswrspcc.ini
c:\windows\system32\ghxeimip.ini
c:\windows\system32\hseyevph.ini
c:\windows\system32\hsljuygx.ini
c:\windows\system32\htfrgxke.ini
c:\windows\system32\ivnbnryi.ini
c:\windows\system32\jttasuaa.ini
c:\windows\system32\kwjjajwd.ini
c:\windows\system32\ljucmsah.ini
c:\windows\system32\lwdgkvir.ini
c:\windows\system32\mdm.exe
c:\windows\system32\msbgbqhb.ini
c:\windows\system32\nwotunei.ini
c:\windows\system32\nwsawipu.ini
c:\windows\system32\oamfnbxm.ini
c:\windows\system32\oeabofce.ini
c:\windows\system32\pawcudvw.ini
c:\windows\system32\pmgnsbur.ini
c:\windows\system32\pogtlypa.ini
c:\windows\system32\rlvtyhti.ini
c:\windows\system32\rrrrvorl.ini
c:\windows\system32\rvuingso.ini
c:\windows\system32\shhelhdm.ini
c:\windows\system32\tclmrblp.ini
c:\windows\system32\tmp32.tmp
c:\windows\system32\tvbwgfbd.ini
c:\windows\system32\uovitcjq.ini
c:\windows\system32\uqagbhov.ini
c:\windows\system32\vovqnfrs.ini
c:\windows\system32\vssymntv.ini
c:\windows\system32\vsydgaeb.ini
c:\windows\system32\wcwnbcow.ini
c:\windows\system32\xnqqtcta.ini
c:\windows\system32\ydaxsgfg.ini
c:\windows\system32\ywefccjy.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_HOSTS_CONTROLLER


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 19:01 . 2009-06-11 19:05 -------- d-s---w- C:\ComboFix
2009-06-09 15:33 . 2009-06-09 15:33 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\Malwarebytes
2009-06-09 15:33 . 2009-05-26 07:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 15:33 . 2009-06-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 15:33 . 2009-05-26 07:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 15:33 . 2009-06-10 19:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 15:16 . 2009-06-09 15:18 3371384 ----a-w- C:\moon.exe
2009-06-08 19:05 . 2009-06-11 19:21 117760 ----a-w- c:\documents and settings\pROMETHEUS\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 19:05 . 2009-06-08 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-08 19:04 . 2009-06-08 19:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 19:04 . 2009-06-08 19:04 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\SUPERAntiSpyware.com
2009-06-07 07:56 . 2009-06-02 09:30 3007352 ----a-w- c:\documents and settings\pROMETHEUS\Application Data\Simply Super Software\Trojan Remover\mpr76.exe
2009-06-07 06:50 . 2009-06-07 06:51 -------- d-----w- C:\Antivirus
2009-06-07 05:20 . 2009-06-07 09:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-07 05:20 . 2006-06-19 07:31 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-06-07 05:20 . 2006-05-25 10:22 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-06-07 05:20 . 2005-08-25 20:20 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-06-07 05:20 . 2003-02-02 14:36 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-06-07 05:20 . 2002-03-05 19:30 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-06-07 05:20 . 2009-06-07 05:20 -------- d-----w- c:\program files\Trojan Remover
2009-06-07 05:20 . 2009-06-07 05:20 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\Simply Super Software
2009-06-07 05:20 . 2009-06-07 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-05-30 11:33 . 2009-05-30 11:33 -------- d-----w- c:\documents and settings\pROMETHEUS\Local Settings\Application Data\PCHealth
2009-05-28 19:21 . 2009-05-28 19:21 -------- d-----w- c:\program files\Universal Reader
2009-05-28 18:31 . 2009-05-28 18:31 -------- d-----w- c:\program files\Vocaboly Software
2009-05-27 19:08 . 2009-05-27 19:11 -------- d-----w- c:\documents and settings\pROMETHEUS\Local Settings\Application Data\myBabylon_English
2009-05-27 19:08 . 2009-05-27 19:08 -------- d-----w- c:\program files\Conduit
2009-05-27 19:08 . 2009-05-27 19:08 -------- d-----w- c:\documents and settings\pROMETHEUS\Local Settings\Application Data\Conduit
2009-05-27 19:08 . 2009-05-27 19:08 -------- d-----w- c:\program files\myBabylon_English
2009-05-27 19:08 . 2009-05-27 19:08 -------- d-----w- c:\program files\Babylon
2009-05-27 18:53 . 2009-05-27 18:53 -------- d-----w- c:\program files\GameHouse
2009-05-27 18:51 . 2009-05-27 18:51 -------- d-----w- c:\program files\Vocaboly
2009-05-27 03:54 . 2009-05-27 03:54 -------- d--h--w- c:\windows\PIF
2009-05-26 16:47 . 1999-02-25 01:02 122880 ----a-w- c:\windows\system32\fxtls532.dll
2009-05-26 16:47 . 2009-05-26 17:15 -------- d-----w- c:\program files\Kap.GMT
2009-05-17 15:43 . 2009-05-17 15:43 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-17 15:43 . 2009-03-29 16:58 38200 ----a-w- c:\documents and settings\pROMETHEUS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-15 20:44 . 2009-05-15 20:44 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\Apple Computer
2009-05-15 20:09 . 2009-05-15 20:09 -------- d-----w- c:\program files\FDRLab
2009-05-15 18:04 . 2009-05-15 18:04 132 ----a-w- C:\httpdwl.dat
2009-05-15 18:03 . 2009-06-10 18:38 81984 ----a-w- c:\windows\system32\bdod.bin
2009-05-13 13:30 . 2009-05-13 13:30 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 18:57 . 2008-05-15 14:47 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\uTorrent
2009-06-09 15:17 . 2008-07-28 17:24 -------- d-----w- c:\program files\Trend Micro
2009-06-08 19:04 . 2008-01-19 06:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-30 11:50 . 2007-12-25 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-28 18:42 . 2008-09-07 07:57 -------- d-----w- c:\program files\DAP
2009-05-28 17:30 . 2007-12-22 20:37 91776 -c--a-w- c:\documents and settings\pROMETHEUS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-27 02:47 . 2009-05-09 16:15 -------- d-----w- c:\program files\FxClub
2009-05-26 16:49 . 2008-10-15 18:36 -------- d-----w- c:\program files\GMATPrep
2009-05-17 14:25 . 2009-04-04 10:47 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\U3
2009-05-16 18:09 . 2009-05-10 04:24 -------- d-----w- c:\program files\OurToolbar
2009-05-14 18:51 . 2008-04-23 13:04 192512 ----a-w- c:\windows\system32\txmlutil.dll
2009-05-14 18:50 . 2008-08-12 13:10 242184 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2009-05-14 18:50 . 2008-08-14 13:24 104328 ----a-w- c:\windows\system32\drivers\bdfndisf.sys
2009-05-14 18:50 . 2008-08-12 13:10 111112 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-05-14 18:50 . 2008-07-02 07:37 82696 ----a-w- c:\windows\system32\drivers\BDVEDISK.sys
2009-05-12 18:01 . 2009-05-12 18:01 1152 ----a-w- C:\reregisterie.cmd
2009-05-10 14:55 . 2009-05-10 14:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 14:54 . 2007-12-23 15:48 -------- d-----w- c:\program files\Java
2009-05-10 14:53 . 2009-05-10 14:53 152576 ----a-w- c:\documents and settings\pROMETHEUS\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-10 08:55 . 2008-03-05 18:03 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\Corel
2009-05-10 08:41 . 2007-12-23 15:34 -------- d-----w- c:\program files\Ahead
2009-05-10 06:23 . 2009-05-10 06:23 4096 ----a-w- c:\windows\d3dx.dat
2009-05-10 06:13 . 2009-05-10 06:13 20987471 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2009_05_10_10_16_31_full.dmp.zip
2009-05-10 06:13 . 2009-05-10 06:12 21029340 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2009_05_10_10_11_13_full.dmp.zip
2009-05-10 04:38 . 2009-05-10 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-05-10 04:34 . 2009-05-10 04:34 -------- d-----w- c:\documents and settings\pROMETHEUS\Application Data\BitDefender
2009-05-10 04:33 . 2009-05-10 04:31 -------- d-----w- c:\program files\BitDefender
2009-05-10 04:33 . 2009-05-10 04:28 -------- d-----w- c:\program files\Common Files\BitDefender
2009-05-09 17:00 . 2009-05-09 16:59 -------- d-----w- c:\program files\QuickTime
2009-05-09 16:59 . 2009-05-09 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-14 18:47 . 2008-08-13 13:32 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-09-05 16:09 . 2008-02-10 06:13 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-03 19:26 . 2007-12-30 17:55 93184 -csha-w- c:\windows\BricoPacks\SysFiles\68_iexplore.exe
2004-08-03 19:26 . 2007-12-30 17:55 60416 -csha-w- c:\windows\BricoPacks\SysFiles\69_msimn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2009-05-18 06:24 2094616 ----a-w- c:\program files\myBabylon_English\tbmyBa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-05-14 69632]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-05-14 778240]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-01 1059720]

c:\documents and settings\pROMETHEUS\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-12-25 20992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 06:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1013:TCP"= 1013:TCP:BS
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"59596:TCP"= 59596:TCP:FD

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Apache2.2;Apache2.2;c:\webserver\bin\httpd.exe [6/13/2008 4:05 AM 24635]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [7/2/2008 1:07 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [8/12/2008 6:40 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [8/14/2008 6:54 PM 104328]
R3 LRMINIPORT;LanRoad PPPoE Adapter;c:\windows\system32\drivers\lrpppoe.sys [1/2/2008 10:27 PM 23552]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 1:06 PM 118784]
S3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [12/23/2007 9:01 PM 28160]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/10/2008 11:43 AM 29744]
S3 LRPPPOE;LanRoad PPPoE Protocol;c:\windows\system32\drivers\lrpppoe.sys [1/2/2008 10:27 PM 23552]
S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [12/23/2007 9:01 PM 49152]
S4 OracleOraHome90TNSListener;OracleOraHome90TNSListener;e:\oracle\ora90\BIN\TNSLSNR --> e:\oracle\ora90\BIN\TNSLSNR [?]
S4 OracleOraHome90TNSListenerLISTENER_ALT;OracleOraHome90TNSListenerLISTENER_ALT;e:\oracle\ora90\BIN\TNSLSNR --> e:\oracle\ora90\BIN\TNSLSNR [?]
S4 OracleServiceutopians;OracleServiceutopians;e:\oracle\ora90\bin\ORACLE.EXE utopians --> e:\oracle\ora90\bin\ORACLE.EXE utopians [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-162531612-682003330-1003.job
- c:\documents and settings\pROMETHEUS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 16:07]

2009-06-11 c:\windows\Tasks\User_Feed_Synchronization-{16FECB5F-A7BC-4689-952E-32308DDF063F}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 13:06]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\OracleOraHome90TNSListener]
"ImagePath"="e:\oracle\ora90\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\OracleOraHome90TNSListenerLISTENER_ALT]
"ImagePath"="e:\oracle\ora90\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-162531612-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1160)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(428)
c:\windows\system32\mslbui.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\CF15906.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-06-11 0:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 19:25

Pre-Run: 2,379,538,432 bytes free
Post-Run: 2,237,820,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
279 --- E O F --- 2008-07-28 18:15



3. Please find Add-Remove Programs.txt below:

Torrent
7-Zip 4.57
ACE Mega CoDecS Pack
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1.1
Apache HTTP Server 2.2.9
Bengali Font Trial by biplab
BitComet 0.70
BitDefender Total Security 2009
Codec Pack - All In 1 6.0.2.6
DFX for MUSICMATCH
DivX
DivX Web Player
DSL Two Ports Modem
DualCoreCenter
EditPlus 2
Google Chrome
Google Desktop
Google Talk (remove only)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Informix Client-SDK
InstallShield for Microsoft Visual C++ 6
Intel® Graphics Media Accelerator Driver
iolo technologies' System Mechanic
Java 2 Runtime Environment, SE v1.4.2_12
Java 2 SDK, SE v1.4.2_12
Java DB 10.3.1.4
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 4
Java™ SE Development Kit 6 Update 4
Juniper Networks Host Checker
Juniper Networks Network Connect 5.5.0
K-Lite Codec Pack 2.46 Full
LanRoad PPPoE Client
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework SDK (English) 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 6.0 Professional Edition
Microsoft Web Publishing Wizard 1.53
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
myBabylon_English Toolbar
MySQL Server 5.0
Nero 6
Nero Media Player
NeroVision Express 2
Nuclear Coffee - VideoGet
OpenAL
Opera 9.0
PHP 5.2.6
PowerDVD
Python 2.5.2
Quest SQL Tuning
QuickTime
Realtek High Definition Audio Driver
Sarmsoft Resume Builder
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB942831)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sentinel System Driver
Super Word Power
SUPERAntiSpyware Free Edition
TextPad 4.7
Total Overdose
Trojan Remover 6.7.9
Universal Reader 2.3
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VLC media player 0.9.8a
Vocaboly 2.1
Vocaboly Speech Engine for Windows XP
WebFldrs XP
Winamp
WinCvs 2.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
WordWeb
XP Codec Pack
Yahoo! Messenger

#11 Farbar
  • Security Developer
  • 21,659 posts
  • Gender: Male
  • Location: The Netherlands

Posted 11 June 2009 - 02:52 PM

1. The network connection options were as usual and as suggested by you.


When you open Network Connections what do you see inside it?


1. On Network Connection -> Properties -> General tab, after double-clicking on Internet Protocol (TCP/IP),
both options
"Obtain an IP address automatically" and
"Obtain DNS server address automatically" were already checked. I did not change anything on it.


The question was: when you go to Start => Control Panel => Network Connections,
then double-click Network Connections to open it, what do you see inside it? Is Local Area Connection the only icon inside it?

#12 biplab7

biplab7
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:00 AM

Posted 13 June 2009 - 12:33 AM

Hi,

There were altogether 5 icons:
Broadband:
1. Broadband Connection: status: Connected, firewalled. I checked the TCP/IP configuration for this, and it was suspicious: "Use the following DNS server addresses" was checked and these two IP addresses were given: '85.255.116.114 85.255.112.91'. This is also the connection which I use to connect to the internet.
2. Broadband: status - disconnected. I don't use this.
Dialup:
3. Biplab: status - disconnected. I don't use this.
4. LanRoad on Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - disconnected. I don't use this.
Lan:
5. Local Area Connection: status - connected. TCP/IP properties were as expected.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,659 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:30 AM

Posted 13 June 2009 - 03:38 AM

1. Broadband Connection: status: Connected, firewalled. I checked the TCP/IP configuration for this, and it was suspicious: "Use the following DNS server addresses" was checked and these two IP addresses were given: '85.255.116.114 85.255.112.91'. This is also the connection which I use to connect to the internet.


Well done. :thumbup2:
This is not just suspicious, this is a DNS-Hijacker server in Ukraine. This is what I saw in the log before, and when I asked you to reset your default connection I meant this connection. Local Area Connection is not your default connection. Therefore apply the setting I suggested in post 6 for this connection. After that, reboot and see if MBAM updates. Also do the following to make sure the setting is what it is supposed to be:

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

Edited by farbar, 13 June 2009 - 03:46 AM.


#14 biplab7

biplab7
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:00 AM

Posted 13 June 2009 - 06:15 AM

:thumbup2:
Thanks Farbar,
I checked 'Obtain DNS server address automatically' in the Network Connection and restarted the PC.
MBAM updates perfectly and the database version changed to 2271.
Also, please find the ipconfig log below:


Windows IP Configuration

Host Name . . . . . . . . . . . . : mitslint-x
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : local.lan

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : local.lan
Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-19-DB-D6-E8-EC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Saturday, June 13, 2009 4:04:50 PM
Lease Expires . . . . . . . . . . : Sunday, June 14, 2009 4:04:50 AM

Ethernet adapter Network Connect Adapter:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Juniper Network Connect Virtual Adapter
Physical Address. . . . . . . . . : 00-FF-F0-6A-EB-82

PPP adapter Broadband Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 117.194.229.112
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 117.194.229.112
DNS Servers . . . . . . . . . . . : 218.248.255.162
                                    218.248.255.194
NetBIOS over Tcpip. . . . . . . . : Disabled

Server: MyDslModem.local.lan
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.

Pinging google.com [74.125.67.100] with 32 bytes of data:

Reply from 74.125.67.100: bytes=32 time=284ms TTL=51
Reply from 74.125.67.100: bytes=32 time=285ms TTL=51

Ping statistics for 74.125.67.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 284ms, Maximum = 285ms, Average = 284ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 db d6 e8 ec ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
0x10004 ...00 ff f0 6a eb 82 ...... Juniper Network Connect Virtual Adapter
0x30005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway          Interface  Metric
0.0.0.0                    0.0.0.0          117.194.229.112  117.194.229.112  1
0.0.0.0                    0.0.0.0          192.168.1.1      192.168.1.2      31
117.194.224.1              255.255.255.255  117.194.229.112  117.194.229.112  1
117.194.229.112            255.255.255.255  127.0.0.1        127.0.0.1        50
117.255.255.255            255.255.255.255  117.194.229.112  117.194.229.112  50
127.0.0.0                  255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.1.0                255.255.255.0    192.168.1.2      192.168.1.2      30
192.168.1.2                255.255.255.255  127.0.0.1        127.0.0.1        30
192.168.1.255              255.255.255.255  192.168.1.2      192.168.1.2      30
224.0.0.0                  240.0.0.0        192.168.1.2      192.168.1.2      30
224.0.0.0                  240.0.0.0        117.194.229.112  117.194.229.112  1
255.255.255.255            255.255.255.255  117.194.229.112  117.194.229.112  1
255.255.255.255            255.255.255.255  192.168.1.2      192.168.1.2      1
255.255.255.255            255.255.255.255  192.168.1.2      10004            1
Default Gateway: 117.194.229.112
===========================================================================
Persistent Routes:
None



All the sites which used to say 'link is broken' previously have also started to work. The MBAM scan also said it is clean. Thank you very much.
And one thing more: while scanning through this and other sites related to spyware and malware, I also got quite interested in this domain of diagnosing and removing malware and want to know more. Any advice from you regarding it will also be helpful for me.

Let me know of any other things that I might need to do.
Thanks & Regards,
Biplab
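The check Farbar walks through in posts #12 to #14 (look at each connection's configured DNS servers and compare them with what the router or ISP should be handing out) can be automated. The following is an added example written for this page, not code from either poster: it parses `ipconfig /all` output in the Windows XP layout shown above, collects the DNS servers per adapter, and flags any that match the rogue addresses reported in post #12. The sample output is constructed from this thread's logs, with the pre-cleanup static entries put back on the PPP adapter; the adapter names, regexes and function names are my own.

```python
import re

# Rogue resolvers named in post #12 of this thread (constructed block list).
ROGUE_DNS = {"85.255.116.114", "85.255.112.91"}

# Constructed sample in XP 'ipconfig /all' layout, modelled on the post #14 log
# with the static DNS entries from post #12 put back on the PPP adapter.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
PPP adapter Broadband Connection:
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 117.194.229.112
   DNS Servers . . . . . . . . . . . : 85.255.116.114

                                       85.255.112.91
   NetBIOS over Tcpip. . . . . . . . : Disabled
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)")
IPV4_RE = re.compile(r"^\s*(\d{1,3}\.){3}\d{1,3}\s*$")

def parse_dns_servers(text):
    """Map adapter name -> list of DNS servers; extra servers sit on bare
    continuation lines (blank lines may intervene in copy-pasted logs)."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := ADAPTER_RE.match(line):
            current, in_dns = m.group(1), False
            adapters[current] = []
        elif current is None:
            continue
        elif m := DNS_RE.match(line):
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
        elif in_dns and IPV4_RE.match(line):
            adapters[current].append(line.strip())
        else:
            in_dns = False
    return adapters

def find_rogue_dns(text, rogue=ROGUE_DNS):
    """Return [(adapter, server)] for every resolver on the block list."""
    return [(adapter, s) for adapter, servers in parse_dns_servers(text).items()
            for s in servers if s in rogue]
```

On a live Windows host the same functions can be fed the output of `ipconfig /all` captured with `subprocess.run`; an adapter whose resolvers are neither the gateway nor the ISP's servers deserves a look even when it is not on the block list.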

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,659 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:30 AM

Posted 13 June 2009 - 06:31 AM

Great. :thumbup2:

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p download folders. They might contain infected files.

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    FixCSet::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    (Image: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Also tell me how your computer is running and if you have any questions before we uninstall ComboFix and round off. I'll give you some recommendations.




