
Browser / DNS Hijack


  • This topic is locked
12 replies to this topic

#1 sheepshagger

sheepshagger

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:54 PM

Posted 11 June 2009 - 09:53 PM

I have been infected with some form of DNS hijack, but it doesn't look similar to others I have read about.
It came through IE, and none of my tools picked it up. It also blocked autoupdate in AVG.

It seems to have hijacked DNS entries, so when you click a link / go to a URL, sometimes it will take you to the appropriate place, and other times to some random website. It seems to get its random websites from advanced-search.ru, and uses this for some form of DNS resolving. But since it's random, it's very hard to track down. I have blocked advanced-search.ru in my network firewall rules (URL filter), and that seems to have stopped the random websites coming up, so now the browser just times out when this virus/hijack thing kicks in.

It affects the whole computer, so both IE, Firefox & other network apps, and it seems to have the ability to close IE randomly as well. It has not changed any standard DNS entries or hosts files on the computer; all are normal. So I can only assume it's hacked into the Windows service "Client DNS" or something like that.

Attached are my logs. I'd really appreciate some help on this, Thanks.


Edited by sheepshagger, 11 June 2009 - 09:56 PM.



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 12 June 2009 - 04:20 AM

Hi sheepshagger,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with one another, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p download folders. They might contain infected files. Please configure them not to start up with Windows and avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, rightclick the link and choose "Save Link As").
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: In case you could not run Spybot to disable TeaTimer you may either uninstall Spybot or open Task Manager, make sure TeaTimer.exe is not running, then apply ResetTeaTimer.exe.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Rename the installer to moon.exe while choosing the C: drive to save it in.
    • Double Click moon.exe to install the application to its default location.
    • Make sure no checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • Using Windows Explorer (right-click Start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    • Locate the file mbam.exe and rename it to clear.exe then double-click to run it.
    • Wait until it opens up.
    • Update it. When you get the message that it is updated successfully, check under the Update tab that the Database version reads 2256 or above.
    • Select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log after running it and removing what it finds, or removing files after reboot.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#3 sheepshagger

sheepshagger
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:54 PM

Posted 13 June 2009 - 08:21 AM

Here is the log


Malwarebytes' Anti-Malware 1.37
Database version: 2270
Windows 5.1.2600 Service Pack 2

6/13/2009 8:12:54 AM
mbam-log-2009-06-13 (08-12-54).txt

Scan type: Quick Scan
Objects scanned: 91216
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 13 June 2009 - 08:57 AM

  • Go to start > Run copy/paste the following line in the run box and click OK after each line.

    notepad C:\windows\system32\drivers\etc\hosts

    A text file opens. Please post its content to your reply.

  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.
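The two artefacts requested above, the hosts file and the resolver list from ipconfig /all, are what a helper reads first to rule out a static DNS hijack. The following Python script is an added example, not code from this thread, from Farbar or from BleepingComputer: it parses both formats and flags hosts entries that point a name anywhere other than a sink-hole address, and resolvers that differ from the ones the machine should be using. The sample inputs, the expected-resolver set, the 203.0.113.x addresses and www.bank.example are all constructed for the example. As this thread goes on to show, these checks only catch static changes: a tampered Winsock library such as the infected ws2_32.dll that ComboFix later reports leaves both the hosts file and the resolver settings looking normal.

```python
"""Added example (not code from the BleepingComputer thread or from Farbar):
triage a Windows hosts file and `ipconfig /all` output for signs of *static*
DNS hijacking."""
import ipaddress
import re

# Resolver(s) this machine is expected to use. Constructed for the example;
# in the thread the router 192.168.144.1 hands out DNS via DHCP.
EXPECTED_RESOLVERS = {"192.168.144.1"}

# Addresses a blocklist-style hosts file (e.g. Spybot S&D immunization)
# legitimately points names at. Anything else deserves a look.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample inputs, modelled on the format posted in the thread.
# The 203.0.113.x addresses (TEST-NET-3) and www.bank.example are invented.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0   ad.mokead.com   # some tools use 0.0.0.0 as the sink-hole
203.0.113.9 www.bank.example
"""

IPCONFIG_SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : rocket
        DNS Suffix Search List. . . . . . : feakes.lan

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : feakes.lan
        IP Address. . . . . . . . . . . . : 192.168.144.14
        Default Gateway . . . . . . . . . : 192.168.144.1
        DHCP Server . . . . . . . . . . . : 192.168.144.1
        DNS Servers . . . . . . . . . . . : 192.168.144.1
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : Saturday, June 13, 2009 6:52:53 PM
"""

DNS_LINE = re.compile(r"^\s*DNS Servers[\s.]*:\s*(\S+)")
CONT_LINE = re.compile(r"^\s+(\S+)\s*$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return [(ip, [names...]), ...]; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if _is_ip(fields[0]) and len(fields) > 1:
            entries.append((fields[0], fields[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Entries that map a name to something other than a sink-hole/loopback address.
    Ad-blocking entries only ever point at 127.0.0.1 or 0.0.0.0; a hosts-file
    hijack points a real site at an attacker-chosen address instead."""
    return [e for e in parse_hosts(text) if e[0] not in SINKHOLE_ADDRESSES]


def parse_ipconfig_dns(text):
    """Collect every resolver from `ipconfig /all`. Windows prints the first one
    on the 'DNS Servers' line and any further ones on indented lines beneath it."""
    servers, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        match = DNS_LINE.match(lines[i])
        i += 1
        if not match:
            continue
        servers.append(match.group(1))
        while i < len(lines):
            cont = CONT_LINE.match(lines[i])
            if not cont or not _is_ip(cont.group(1)):
                break
            servers.append(cont.group(1))
            i += 1
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers present in the ipconfig output but not in the expected set."""
    return [s for s in parse_ipconfig_dns(text) if s not in expected]


if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(HOSTS_SAMPLE):
        print(f"hosts: {', '.join(names)} -> {ip}  (not a sink-hole address)")
    for server in unexpected_resolvers(IPCONFIG_SAMPLE):
        print(f"ipconfig: unexpected DNS server {server}")
```

Run it against a saved copy of the hosts file and the captured ipconfig /all output. In the triage above every hosts entry points at 127.0.0.1 and the only resolver is the router, so both checks would come back clean, which is exactly the situation where the hijack has to be looked for elsewhere.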


#5 sheepshagger

sheepshagger
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:54 PM

Posted 13 June 2009 - 07:04 PM

It isn't any of those, since it only seems to change the DNS every so often, so it's not a static change. It seems to be able to do it on the fly.
But, here are the files you requested.

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com
127.0.0.1 www.123simsen.com
127.0.0.1 123simsen.com
127.0.0.1 123topsearch.com
127.0.0.1 www.123topsearch.com
127.0.0.1 125sms.co.uk
127.0.0.1 www.125sms.co.uk
127.0.0.1 125sms.com
127.0.0.1 www.125sms.com
127.0.0.1 132.com
127.0.0.1 www.132.com
127.0.0.1 1337crew.info
127.0.0.1 www.1337crew.info
127.0.0.1 www.1337-crew.to
127.0.0.1 1337-crew.to
127.0.0.1 136136.net
127.0.0.1 www.136136.net
127.0.0.1 150freesms.de
127.0.0.1 www.150freesms.de
127.0.0.1 163ns.com
127.0.0.1 www.163ns.com
127.0.0.1 171203.com
127.0.0.1 17-plus.com
127.0.0.1 1800searchonline.com
127.0.0.1 www.1800searchonline.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com
127.0.0.1 www.181.365soft.info
127.0.0.1 181.365soft.info
127.0.0.1 1987324.com
127.0.0.1 www.1987324.com
127.0.0.1 1-domains-registrations.com
127.0.0.1 www.1-domains-registrations.com
127.0.0.1 www.1sexparty.com
127.0.0.1 1sexparty.com
127.0.0.1 www.1sms.de
127.0.0.1 1sms.de
127.0.0.1 www.1stantivirus.com
127.0.0.1 1stantivirus.com
127.0.0.1 www.1stpagehere.com
127.0.0.1 1stpagehere.com
127.0.0.1 www.1stsearchportal.com
127.0.0.1 1stsearchportal.com
127.0.0.1 2.82211.net
127.0.0.1 2006ooo.com
127.0.0.1 www.2006ooo.com
127.0.0.1 2007-download.com
127.0.0.1 www.2007-download.com
127.0.0.1 www.2008search-destroy.com
127.0.0.1 2008search-destroy.com
127.0.0.1 www.2008-search-destroy.com
127.0.0.1 2008-search-destroy.com
127.0.0.1 2009--access.com
127.0.0.1 www.2009--access.com
127.0.0.1 www.2020search.com
127.0.0.1 2020search.com
127.0.0.1 20x2p.com
127.0.0.1 2-2005-search.com
127.0.0.1 www.2-2005-search.com
127.0.0.1 www.24.365soft.info
127.0.0.1 24.365soft.info
127.0.0.1 24-7pharmacy.info
127.0.0.1 www.24-7pharmacy.info
127.0.0.1 24-7searching-and-more.com
127.0.0.1 www.24-7searching-and-more.com
127.0.0.1 www.24teen.com
127.0.0.1 24teen.com
127.0.0.1 2ndpower.com
127.0.0.1 www.2search.com
127.0.0.1 2search.com
127.0.0.1 www.2search.org
127.0.0.1 2search.org
127.0.0.1 www.2squared.com
127.0.0.1 2squared.com
127.0.0.1 www.3-2005-search.com
127.0.0.1 3-2005-search.com
127.0.0.1 www.321-gratis-sms.com
127.0.0.1 321-gratis-sms.com
127.0.0.1 www.3322.org
127.0.0.1 3322.org
127.0.0.1 365soft.info
127.0.0.1 www.36site.com
127.0.0.1 36site.com
127.0.0.1 3721.com
127.0.0.1 39-93.com
127.0.0.1 www.3bay.it
127.0.0.1 3bay.it
127.0.0.1 www.3xclipsonline.com
127.0.0.1 3xclipsonline.com
127.0.0.1 www.3xcurves.com
127.0.0.1 3xcurves.com
127.0.0.1 www.3xfestival.com
127.0.0.1 3xfestival.com
127.0.0.1 3x-festival.com
127.0.0.1 www.3x-festival.com
127.0.0.1 3x-galls.com
127.0.0.1 www.3x-galls.com
127.0.0.1 www.3xmiracle.com
127.0.0.1 3xmiracle.com
127.0.0.1 www.3xmoviesblog.com
127.0.0.1 3xmoviesblog.com
127.0.0.1 404dns.com
127.0.0.1 www.404dns.com
127.0.0.1 4199.com
127.0.0.1 www.4199.com
127.0.0.1 www.4-2005-search.com
127.0.0.1 4-2005-search.com
127.0.0.1 www.4corn.net
127.0.0.1 4corn.net
127.0.0.1 www.4ebay.it
127.0.0.1 4ebay.it
127.0.0.1 4klm.com
127.0.0.1 www.4mpg.com
127.0.0.1 4mpg.com
127.0.0.1 www.5-2005-search.com
127.0.0.1 5-2005-search.com
127.0.0.1 www.59cn.cn
127.0.0.1 59cn.cn
127.0.0.1 www.5starsblog.com
127.0.0.1 5starsblog.com
127.0.0.1 www.5zgmu7o20kt5d8yq.com
127.0.0.1 5zgmu7o20kt5d8yq.com
127.0.0.1 www.6000vornamen.de
127.0.0.1 6000vornamen.de
127.0.0.1 www.6700.cn
127.0.0.1 6700.cn
127.0.0.1 www.680180.net
127.0.0.1 680180.net
127.0.0.1 www.69loadz.com
127.0.0.1 69loadz.com
127.0.0.1 www.6sek.com
127.0.0.1 6sek.com
127.0.0.1 www.70-music.com
127.0.0.1 70-music.com
127.0.0.1 www.7322.com
127.0.0.1 7322.com
127.0.0.1 www.745970.com
127.0.0.1 745970.com
127.0.0.1 75tz.com
127.0.0.1 www.777search.com
127.0.0.1 777search.com
127.0.0.1 www.777top.com
127.0.0.1 777top.com
127.0.0.1 www.7939.com
127.0.0.1 7939.com
127.0.0.1 80gw6ry3i3x3qbrkwhxhw.032439.com
127.0.0.1 www.80-music.com
127.0.0.1 80-music.com
127.0.0.1 82211.net
127.0.0.1 8866.org
127.0.0.1 www.88sms.ch
127.0.0.1 88sms.ch
127.0.0.1 www.88vcd.com
127.0.0.1 88vcd.com
127.0.0.1 www.8ad.com
127.0.0.1 8ad.com
127.0.0.1 www.90-music.com
127.0.0.1 90-music.com
127.0.0.1 www.9505.com
127.0.0.1 9505.com
127.0.0.1 www.971searchbox.com
127.0.0.1 971searchbox.com
127.0.0.1 www.99downloads.de
127.0.0.1 99downloads.de
127.0.0.1 9mmporn.com
127.0.0.1 a.bestmanage.org
127.0.0.1 www.aaabesthomepage.com
127.0.0.1 aaabesthomepage.com
127.0.0.1 aaasexypics.com
127.0.0.1 aaawebfinder.com
127.0.0.1 www.aaawebfinder.com
127.0.0.1 www.aantivir.de
127.0.0.1 aantivir.de
127.0.0.1 www.aaqadarsztriv.com
127.0.0.1 aaqadarsztriv.com
127.0.0.1 www.aaqada-rsztriv.com
127.0.0.1 aaqada-rsztriv.com
127.0.0.1 aaqadaueorn.com
127.0.0.1 www.aaqadaueorn.com
127.0.0.1 www.aaqada-ueorn.com
127.0.0.1 aaqada-ueorn.com
127.0.0.1 www.aaqada-ygco.com
127.0.0.1 aaqada-ygco.com
127.0.0.1 aaqada-ymct.com
127.0.0.1 www.aaqada-ymct.com
127.0.0.1 aaszxy.ru
127.0.0.1 www.aaszxy.ru
127.0.0.1 aav2008.com
127.0.0.1 www.aav2008.com
127.0.0.1 aavc.com
127.0.0.1 aavira.de
127.0.0.1 www.aavira.de
127.0.0.1 www.abccodec.com
127.0.0.1 abccodec.com
127.0.0.1 abcdperformance.com
127.0.0.1 www.abcdperformance.com
127.0.0.1 abc-find.info
127.0.0.1 www.abc-find.info
127.0.0.1 abcsearch.com
127.0.0.1 www.abcsearch.com
127.0.0.1 www.abcways.com
127.0.0.1 abcways.com
127.0.0.1 abetterinternet.com
127.0.0.1 www.abetterinternet.com
127.0.0.1 abnetsoft.info
127.0.0.1 www.abnetsoft.info
127.0.0.1 abntivir.de
127.0.0.1 www.abntivir.de
127.0.0.1 www.about-adult.net
127.0.0.1 about-adult.net
127.0.0.1 aboutclicker.com
127.0.0.1 www.aboutclicker.com
127.0.0.1 abrp.net
127.0.0.1 www.abrp.net
127.0.0.1 absolutee.com
127.0.0.1 www.absolutee.com
127.0.0.1 www.abvira.de
127.0.0.1 abvira.de
127.0.0.1 ac66.cn
127.0.0.1 www.ac66.cn
127.0.0.1 access.navinetwork.com
127.0.0.1 access.rapid-pass.net
127.0.0.1 accessactivexvideo.com
127.0.0.1 www.accessactivexvideo.com
127.0.0.1 accessclips.com
127.0.0.1 www.accessclips.com
127.0.0.1 access-dvd.com
127.0.0.1 www.access-dvd.com
127.0.0.1 accesskeygenerator.com
127.0.0.1 www.accesskeygenerator.com
127.0.0.1 accessthefuture.net
127.0.0.1 www.accessthefuture.net
127.0.0.1 www.accessvid.net
127.0.0.1 accessvid.net
127.0.0.1 acemedic.com
127.0.0.1 www.acemedic.com
127.0.0.1 www.ace-webmaster.com
127.0.0.1 ace-webmaster.com
127.0.0.1 acjp.com
127.0.0.1 acrobat-2007.com
127.0.0.1 www.acrobat-2007.com
127.0.0.1 acrobat-8.com
127.0.0.1 www.acrobat-8.com
127.0.0.1 acrobat-center.com
127.0.0.1 www.acrobat-center.com
127.0.0.1 acrobat-hq.com
127.0.0.1 www.acrobat-hq.com
127.0.0.1 acrobatreader-8.com
127.0.0.1 www.acrobatreader-8.com
127.0.0.1 www.acrobat-reader-8.de
127.0.0.1 acrobat-reader-8.de
127.0.0.1 www.acrobat-stop.com
127.0.0.1 acrobat-stop.com
127.0.0.1 actionbreastcancer.org
127.0.0.1 www.actionbreastcancer.org
127.0.0.1 activesearcher.info
127.0.0.1 www.activesearcher.info
127.0.0.1 activexaccessobject.com
127.0.0.1 www.activexaccessobject.com
127.0.0.1 www.activexaccessvideo.com
127.0.0.1 activexaccessvideo.com
127.0.0.1 activexemedia.com
127.0.0.1 www.activexemedia.com
127.0.0.1 www.activexmediaobject.com
127.0.0.1 activexmediaobject.com
127.0.0.1 activexmediapro.com
127.0.0.1 www.activexmediapro.com
127.0.0.1 activexmediasite.com
127.0.0.1 www.activexmediasite.com
127.0.0.1 activexmediasoftware.com
127.0.0.1 www.activexmediasoftware.com
127.0.0.1 activexmediasource.com
127.0.0.1 www.activexmediasource.com
127.0.0.1 www.activexmediatool.com
127.0.0.1 activexmediatool.com
127.0.0.1 activexmediatour.com
127.0.0.1 www.activexmediatour.com
127.0.0.1 activexsoftwares.com
127.0.0.1 www.activexsoftwares.com
127.0.0.1 www.activexsource.com
127.0.0.1 activexsource.com
127.0.0.1 activexupdate.com
127.0.0.1 www.activexupdate.com
127.0.0.1 www.activexvideo.com
127.0.0.1 activexvideo.com
127.0.0.1 activexvideotool.com
127.0.0.1 www.activexvideotool.com
127.0.0.1 acvira.de
127.0.0.1 www.acvira.de
127.0.0.1 www.ad.marketingsector.com
127.0.0.1 ad.marketingsector.com
127.0.0.1 ad.mokead.com
127.0.0.1 www.ad.mokead.com
127.0.0.1 ad.oinadserver.com
127.0.0.1 ad.outerinfoads.com
127.0.0.1 www.ad25.com
127.0.0.1 ad25.com
127.0.0.1 www.ad45.com
127.0.0.1 ad45.com
127.0.0.1 www.ad77.com
127.0.0.1 ad77.com
127.0.0.1 www.ad86.com



The command failed, but below is the complete result. I ran this a few times, just to see if I could catch it changing the DNS entries, but I couldn't.

C:\WINDOWS\temp>cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

Server: adventurer.feakes.lan
Address: 192.168.144.1

Non-authoritative answer:
Name: google.com
Addresses: 74.125.67.100, 74.125.127.100, 74.125.45.100


Pinging google.com [74.125.127.100] with 32 bytes of data:

Reply from 74.125.127.100: bytes=32 time=71ms TTL=241
Reply from 74.125.127.100: bytes=32 time=73ms TTL=241

Ping statistics for 74.125.127.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 71ms, Maximum = 73ms, Average = 72ms

Manipulates network routing tables.

ROUTE [-f] [-p] [command [destination]
[MASK netmask] [gateway] [METRIC metric] [IF interface]

-f Clears the routing tables of all gateway entries. If this is
used in conjunction with one of the commands, the tables are
cleared prior to running the command.
-p When used with the ADD command, makes a route persistent across
boots of the system. By default, routes are not preserved
when the system is restarted. Ignored for all other commands,
which always affect the appropriate persistent routes. This
option is not supported in Windows 95.
command One of these:
PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route
destination Specifies the host.
MASK Specifies that the next parameter is the 'netmask' value.
netmask Specifies a subnet mask value for this route entry.
If not specified, it defaults to 255.255.255.255.
gateway Specifies gateway.
interface the interface number for the specified route.
METRIC specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only
matching destination routes are printed. The '*' matches any string,
and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.
Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.

Examples:

> route PRINT
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
destination^ ^mask ^gateway metric^ ^
Interface^
If IF is not given, it tries to find the best interface for a given
gateway.
> route PRINT
> route PRINT 157* .... Only prints those matching 157*
> route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

CHANGE is used to modify gateway and/or metric only.
> route PRINT
> route DELETE 157.0.0.0
> route PRINT

C:\WINDOWS\temp>


Here is the output from the commands separately.

C:\WINDOWS\temp>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : rocket
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : feakes.lan

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : feakes.lan
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-11-09-BA-0F-71
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.144.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.144.1
DHCP Server . . . . . . . . . . . : 192.168.144.1
DNS Servers . . . . . . . . . . . : 192.168.144.1
Lease Obtained. . . . . . . . . . : Saturday, June 13, 2009 6:52:53 PM
Lease Expires . . . . . . . . . . : Saturday, June 13, 2009 10:52:53 PM



C:\WINDOWS\temp>ping -n 2 google.com&route print

Pinging google.com [74.125.127.100] with 32 bytes of data:

Reply from 74.125.127.100: bytes=32 time=72ms TTL=241
Reply from 74.125.127.100: bytes=32 time=74ms TTL=241

Ping statistics for 74.125.127.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 72ms, Maximum = 74ms, Average = 73ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 09 ba 0f 71 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.144.1 192.168.144.14 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.144.0 255.255.255.0 192.168.144.14 192.168.144.14 20
192.168.144.14 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.144.255 255.255.255.255 192.168.144.14 192.168.144.14 20
224.0.0.0 240.0.0.0 192.168.144.14 192.168.144.14 20
255.255.255.255 255.255.255.255 192.168.144.14 192.168.144.14 1
Default Gateway: 192.168.144.1
===========================================================================
Persistent Routes:
None

Edited by sheepshagger, 13 June 2009 - 07:08 PM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 14 June 2009 - 11:02 AM

C:\WINDOWS\temp>ipconfig /all


Why is the command running from C:\WINDOWS\temp?

=========
=========

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#7 sheepshagger

sheepshagger
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:54 PM

Posted 14 June 2009 - 04:10 PM

C:\WINDOWS\temp>ipconfig /all


Why is the command running from C:\WINDOWS\temp?


That just happened to be the directory I was in, when I ran the command.

Here is the ComboFix log.

ComboFix 09-06-13.09 - sf 06/14/2009 15:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.121 [GMT -5:00]
Running from: c:\documents and settings\sf\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{1E9F2759-6B6A-4F95-93A7-2FF287785517}\RP1455\A0125297.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-12 02:36 . 2009-06-12 01:37 359893 ----a-w- c:\temp\dds.scr
2009-06-12 01:24 . 2009-06-12 01:24 186880 ----a-w- c:\temp\LSPFix.exe
2009-06-12 00:02 . 2009-06-12 00:02 -------- d-----w- c:\temp\backups
2009-06-11 16:05 . 2009-06-11 16:07 -------- d-----w- c:\temp\AVG updat
2009-06-11 16:00 . 2009-06-11 16:02 16409960 ----a-w- c:\temp\spybotsd162.exe
2009-06-11 13:08 . 2009-06-11 18:53 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-11 12:11 . 2009-06-11 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-11 12:11 . 2009-06-11 12:11 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-11 12:11 . 2009-06-11 12:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 12:11 . 2009-06-11 16:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-11 12:11 . 2009-06-11 12:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-11 12:11 . 2009-06-11 12:11 -------- d-----w- c:\program files\AVG
2009-06-11 12:11 . 2009-06-14 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-11 12:07 . 2009-06-11 12:08 65778464 ----a-w- c:\temp\avg_free_stf_en_85_364a1545.exe
2009-06-11 04:08 . 2009-06-11 04:08 94208 ----a-w- c:\temp\GooredFix.exe
2009-06-11 03:28 . 2009-06-11 03:28 401720 ----a-w- c:\temp\HiJackThis.exe
2009-06-11 03:20 . 2009-06-11 03:20 251392 ----a-w- c:\temp\hijackthis_sfx.exe
2009-06-11 03:08 . 2009-06-11 03:08 1152 ----a-w- c:\windows\system32\windrv.sys
2009-06-11 03:08 . 2009-06-11 03:08 3783768 ----a-w- c:\temp\spynomore.exe
2009-06-11 02:28 . 2009-06-11 02:28 3021373 ----a-r- c:\temp\ComboFix.exe
2009-06-11 02:07 . 2009-06-11 02:07 50688 ----a-w- c:\temp\ATF-Cleaner.exe
2009-06-11 01:41 . 2009-06-11 01:41 -------- d-----w- c:\documents and settings\sf\Application Data\Malwarebytes
2009-06-11 01:41 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 01:41 . 2009-06-11 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 01:41 . 2009-06-13 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 01:41 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 01:41 . 2009-06-11 01:41 3371384 ----a-w- c:\temp\mbam-setup.exe
2009-06-11 01:18 . 2009-06-11 01:18 3012768 ----a-w- c:\temp\spywareblastersetup42.exe
2009-05-22 02:12 . 2009-05-22 02:12 17566231 ----a-w- c:\temp\ebcd-0_6_1-pro-sfx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 20:49 . 2005-02-12 02:01 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-14 20:49 . 2005-02-12 02:56 -------- d-----w- c:\program files\SpeedFan
2009-06-14 20:48 . 2006-04-14 02:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-14 20:34 . 2005-02-12 01:38 -------- d-----w- c:\program files\SpywareGuard
2009-06-11 20:50 . 2008-03-30 14:15 -------- d-----w- c:\documents and settings\sf\Application Data\uTorrent
2009-06-11 19:20 . 2005-02-12 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 19:15 . 2005-02-12 02:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-11 01:21 . 2009-01-04 19:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-11 01:18 . 2005-02-12 01:37 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 22:37 . 2005-07-22 13:59 -------- d-----w- c:\program files\eMule
2009-05-07 15:44 . 2001-08-23 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-01-08 21:23 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2001-08-23 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-02-12 03:43 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2007-05-10 10:50 . 2007-05-10 10:50 107593 ----a-w- c:\program files\ShopSafe.zip
2005-05-13 23:12 . 2005-05-13 23:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 17:13 . 2005-10-24 17:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 03:27 . 2005-10-14 03:27 422400 --sha-r- c:\windows\x2.64.exe
2005-07-14 18:31 . 2005-07-14 18:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2005-06-26 21:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2005-06-22 04:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 06:00 . 2004-01-25 06:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 16:24 . 2006-04-27 16:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 19:16 . 2005-02-28 19:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 06:00 . 2004-01-25 06:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-11_02.43.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 05:46 . 2006-12-02 05:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 05:26 . 2006-12-02 05:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 03:56 . 2006-12-02 03:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
- 2009-06-10 23:54 . 2004-08-04 07:56 82944 c:\windows\system32\dllcache\ws2_32.dll
+ 2001-08-23 12:00 . 2004-08-04 07:56 82944 c:\windows\system32\dllcache\ws2_32.dll
+ 2006-12-02 03:54 . 2006-12-02 03:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 03:54 . 2006-12-02 03:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54 . 2006-12-02 03:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2009-06-14 20:42 . 2009-06-14 20:42 388608 c:\windows\system32\CF28980.exe
+ 2006-12-02 05:25 . 2006-12-02 05:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-27 344064]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

c:\documents and settings\sf\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2005-2-11 8500328]
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2006-10-1 2618880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NetSarang\\Xmanager Enterprise\\Xmanager.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\xbox-tools\\AvaControl\\AvaControl.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\xbox-tools\\Qwix\\Qwix.exe"=
"c:\\Program Files\\SecureFX\\SecureFX.EXE"=
"c:\\Program Files\\Smarthome\\Smarthome Manager\\Smarthome Manager.exe"=
"c:\\Program Files\\SmartXX\\RemoteFlasher\\smartxx.exe"=
"c:\\Program Files\\TyTool9r18\\TyTool9r18.exe"=
"c:\\Program Files\\UltraEdit\\uedit32.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 acpispy;ACPI Spy CPU Filter Driver;c:\windows\system32\drivers\acpispy.sys [2/17/2005 11:31 AM 13056]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2/17/2005 11:31 AM 20480]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2009 7:11 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2009 7:11 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/11/2009 7:11 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/11/2009 7:11 AM 298776]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [8/31/2006 4:55 PM 5152]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [3/6/2008 2:10 PM 5365]
S3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\PC Alert 4\NTGLM7X.SYS [2/17/2005 12:47 PM 22048]
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\cleanmgr.job
- c:\windows\System32\cleanmgr.exe [2001-08-23 07:56]

2009-06-14 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2001-08-23 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: advmaps.com\www
Trusted Zone: cc-hubwoo.com\webmail.fr
Trusted Zone: chase.com
Trusted Zone: chase.com\chaseonline
Trusted Zone: google.com
Trusted Zone: ktmimages.com\www
Trusted Zone: mbnanetaccess.com\www
Trusted Zone: mbnashopsafe.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com \*.update
Trusted Zone: rr.com
Trusted Zone: ticketmaster.com
Trusted Zone: ticketmaster.com\www
Trusted Zone: turbotax.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 15:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-484061587-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E2EE7D0D-D69E-DB43-5468-6270BD7016C6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3940)
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Logitech\iTouch\iTchHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CF28980.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-14 15:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 20:53
ComboFix2.txt 2009-06-11 02:46

Pre-Run: 31,169,077,248 bytes free
Post-Run: 31,158,337,536 bytes free

210 --- E O F --- 2009-06-10 08:05



Thanks for your help on this. It's been puzzling me for days.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 14 June 2009 - 04:27 PM

C:\WINDOWS\temp>ipconfig /all


Why is the command running from C:\WINDOWS\temp?


That just happened to be the directory I was in, when I ran the command.


Please give more feedback on this. How did you run the command? How come you were in a temp directory?

In case you are not clear about it please do the following:

Go to Start > Run and type in Notepad
Copy/paste the following text inside the code box into a new Notepad document. Make sure that, under the Format menu, Word Wrap is unchecked.

regedit /e look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
notepad look.txt
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate and double-click look.bat on the desktop.
  • Notepad will open with some txt in it. Copy and paste the contents in your next reply.
Tell me also if you still get redirected.
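The export that look.bat produces stores ComSpec, Path and the other REG_EXPAND_SZ values as `hex(2):` byte lists, which is why the reply it asks for is hard to read by eye. The following is an added example, not code from this thread or from Farbar's tools: it decodes a `regedit /e` export of the Environment key and reports any value that would make commands run from somewhere other than the system directory. The first sample reuses the ComSpec, windir and CLASSPATH lines exactly as they were later posted in this thread; the second sample is constructed for illustration and shows what a redirected ComSpec would look like. The `WRITABLE` markers and the `EXPECTED` values are the example's own assumptions about a default Windows XP install.

```python
"""Decode a `regedit /e` export of the Session Manager\Environment key and
flag values that would make commands run from outside the system directory."""
import re

ENV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

# Sample 1: lines as they appear in the export posted in this thread
# (regedit terminates continued hex lines with a backslash).
GOOD_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00
"windir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,00,00
"OS"="Windows_NT"
"CLASSPATH"=".;C:\\Program Files\\Java\\jre1.5.0_01\\lib\\ext\\QTJava.zip"
'''


def to_hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ:
    UTF-16LE bytes plus a terminating null, as comma-separated hex."""
    return ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


# Sample 2: constructed, not from the thread. ComSpec points at a copy of
# cmd.exe under %SystemRoot%\temp and a temp directory sits on the Path.
HIJACKED_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n[" + ENV_KEY + "]\n"
    + '"ComSpec"=hex(2):' + to_hex2(r"%SystemRoot%\temp\cmd.exe") + "\n"
    + '"Path"=hex(2):' + to_hex2(r"%SystemRoot%\temp;%SystemRoot%\system32") + "\n"
    + '"windir"=hex(2):' + to_hex2("%SystemRoot%") + "\n"
)


def decode_hex2(hexlist):
    """Turn '25,00,53,00,...' back into the string it encodes."""
    raw = bytes(int(b, 16) for b in hexlist.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text):
    """Return {key_path: {value_name_lower: decoded_value}}.
    Handles REG_SZ ("..."), REG_EXPAND_SZ (hex(2):...) and the
    backslash-continued hex lines; other types are kept as raw text."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # glue continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("hex(2):"):
                value = decode_hex2(data[len("hex(2):"):])
            elif data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = data
            keys[current][name] = value
    return keys


# Assumed defaults for Windows XP (example's own assumption).
EXPECTED = {"comspec": r"%systemroot%\system32\cmd.exe", "windir": "%systemroot%"}
# Directory markers a normal user can write to; anything on the search path
# under these deserves a look.
WRITABLE = ("\\temp\\", "\\tmp\\", "\\documents and settings\\", "\\users\\")


def check_environment(values):
    """Return (name, value, reason) tuples for suspicious Environment values."""
    findings = []
    for name, good in EXPECTED.items():
        val = values.get(name)
        if val is None:
            findings.append((name, None, "missing"))
        elif val.lower() != good:
            findings.append((name, val, "does not point at the system directory"))
    for entry in values.get("path", "").split(";"):
        e = entry.strip().lower()
        if e and any(marker in e + "\\" for marker in WRITABLE):
            findings.append(("path", entry, "user-writable directory on the search path"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted export", GOOD_EXPORT), ("constructed hijack", HIJACKED_EXPORT)):
        print(label, check_environment(parse_reg_export(text)[ENV_KEY]) or "nothing unusual")
```

Run against the export actually posted in this thread the check comes back empty, which is the "The path is OK" verdict given below; the constructed sample shows the two findings (ComSpec and Path) that the same check would raise if the key had been tampered with.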

#9 sheepshagger

sheepshagger
  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:54 PM

Posted 14 June 2009 - 06:52 PM

C:\WINDOWS\temp>ipconfig /all


Why is the command running from C:\WINDOWS\temp?


That just happened to be the directory I was in, when I ran the command.


Please give more feedback on this. How did you run the command? How come you were in a temp directory?



The script you gave me to run that had the ipconfig, nslookup & ping commands didn't run correctly, so I looked at the commands you were trying to execute and ran them manually. So the DOS window I had open just happened to be in \windows\temp.

The command below would now execute correctly.
cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt


Here is the extract from the environment.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00
"Path"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,3b,00,25,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,00,3b,00,25,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,65,00,6d,\
00,3b,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,\
46,00,69,00,6c,00,65,00,73,00,5c,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,4e,00,65,00,74,00,53,00,61,00,72,00,\
61,00,6e,00,67,00,3b,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,\
00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,41,00,54,00,49,00,20,00,\
54,00,65,00,63,00,68,00,6e,00,6f,00,6c,00,6f,00,67,00,69,00,65,00,73,00,5c,\
00,41,00,54,00,49,00,20,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,20,00,\
50,00,61,00,6e,00,65,00,6c,00,3b,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\
00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,55,00,6c,00,\
74,00,72,00,61,00,45,00,64,00,69,00,74,00,3b,00,43,00,3a,00,5c,00,50,00,72,\
00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,\
51,00,75,00,69,00,63,00,6b,00,54,00,69,00,6d,00,65,00,5c,00,51,00,54,00,53,\
00,79,00,73,00,74,00,65,00,6d,00,00,00
"windir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,00,00
"OS"="Windows_NT"
"PROCESSOR_ARCHITECTURE"="x86"
"PROCESSOR_LEVEL"="15"
"PROCESSOR_IDENTIFIER"="x86 Family 15 Model 31 Stepping 0, AuthenticAMD"
"PROCESSOR_REVISION"="1f00"
"NUMBER_OF_PROCESSORS"="1"
"PATHEXT"=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"
"TEMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,54,00,45,00,4d,00,50,00,00,00
"TMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
25,00,5c,00,54,00,45,00,4d,00,50,00,00,00
"FP_NO_HOST_CHECK"="NO"
"CLASSPATH"=".;C:\\Program Files\\Java\\jre1.5.0_01\\lib\\ext\\QTJava.zip"
"QTJAVA"="C:\\Program Files\\Java\\jre1.5.0_01\\lib\\ext\\QTJava.zip"


---------------------------------------------

I think Combofix may have solved my issues. I have not re-booted since Combofix produced this log, but my problem seems to have stopped.
Below is the output from Combofix that caught my eye; ws2_32.dll is something on the socket layer, which could easily change DNS stuff on the fly.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{1E9F2759-6B6A-4F95-93A7-2FF287785517}\RP1455\A0125297.dll
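The SnapShot section of the ComboFix log posted earlier in this thread already held the clue that post #9 confirms: the dllcache copy of ws2_32.dll appears once with a `-` (state at the first snapshot) and once with a `+` (state at the second), same size and same modification time, but with its creation time changed from 2009-06-10 to 2001-08-23, i.e. a recently written copy of a protected file was swapped back for an older one. The following is an added example, not part of the thread and not ComboFix's own code: it parses snapshot lines in that format, pairs the `-`/`+` entries per path, and reports files that changed between snapshots as well as new executables under system32. The sample lines are copied from the log above; the field names (created, modified) and the triage rules are the example's own assumptions.

```python
"""Triage the SnapShot diff section of a ComboFix log: pair '-'/'+' lines
per path and flag replaced files and new executables in the system directory."""
import re
from collections import defaultdict

# sign, first timestamp, '.', second timestamp, size, path
LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S.*)$")

# Lines copied from the snapshot diff in this thread: the ws2_32.dll pair,
# the CF28980.exe entry and two WinSxS runtime files. '-' is the earlier
# snapshot's view of the file, '+' the later one's.
SAMPLE = r"""
+ 2006-12-02 05:46 . 2006-12-02 05:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
- 2009-06-10 23:54 . 2004-08-04 07:56 82944 c:\windows\system32\dllcache\ws2_32.dll
+ 2001-08-23 12:00 . 2004-08-04 07:56 82944 c:\windows\system32\dllcache\ws2_32.dll
+ 2009-06-14 20:42 . 2009-06-14 20:42 388608 c:\windows\system32\CF28980.exe
+ 2006-12-02 05:25 . 2006-12-02 05:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
"""

# Assumption: ComboFix prints the creation time first and the last-write
# time second; the ws2_32.dll pair above (same write time, new creation
# time) is consistent with that.
FIELDS = ("created", "modified", "size")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr")


def parse_snapshot(text):
    """Return {path_lower: {'-': entry, '+': entry}}; lines that do not
    match the snapshot format (headers, dots) are skipped."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sign, created, modified, size, path = m.groups()
        entries[path.lower()][sign] = {
            "created": created, "modified": modified, "size": int(size), "path": path}
    return entries


def triage(entries):
    """'replaced': present in both snapshots with a differing field.
    'new_system_executable': only in the later snapshot, executable
    extension, under system32 but not a WinSxS runtime install."""
    findings = []
    for path, by_sign in entries.items():
        if "-" in by_sign and "+" in by_sign:
            old, new = by_sign["-"], by_sign["+"]
            changed = [f for f in FIELDS if old[f] != new[f]]
            if changed:
                findings.append({"path": new["path"], "kind": "replaced",
                                 "changed": changed,
                                 "before": old["created"], "after": new["created"]})
        elif "+" in by_sign:
            new = by_sign["+"]
            if ("\\system32\\" in path and "\\winsxs\\" not in path
                    and path.endswith(EXEC_EXT)):
                findings.append({"path": new["path"], "kind": "new_system_executable",
                                 "changed": []})
    return findings


if __name__ == "__main__":
    for f in triage(parse_snapshot(SAMPLE)):
        print(f["kind"], f["path"], f["changed"])
```

The replaced-file rule is the useful one here: a protected DLL whose size and write time are unchanged but whose creation time is fresh is exactly what a file swapped in place (and its dllcache copy swapped with it, so Windows File Protection restores the wrong version) looks like. The new-executable rule simply lists anything dropped into system32 so the analyst can match it against the tools they ran themselves; the example does not decide what CF28980.exe is.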

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 15 June 2009 - 01:25 AM

The path is OK.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Please post a Hijackthis log for a final review.


#11 sheepshagger

sheepshagger
  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:54 PM

Posted 15 June 2009 - 09:43 AM

Thanks very much for the help.

Below is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:38 AM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
\Tiger\sf\hijack tools\HJ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O15 - Trusted Zone: www.advmaps.com
O15 - Trusted Zone: http://www.ktmimages.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.rr.com
O15 - Trusted Zone: *.ticketmaster.com
O15 - Trusted Zone: http://*.turbotax.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 3891 bytes

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 15 June 2009 - 11:29 AM

  • Please open HiJackThis and choose do a system scan only.

    Optional: The following sites are set to the safe zone. It means that the traffic created by these sites won't be checked by security checkpoints any more. While these sites might be safe to visit, they might not be safe all the time, and their traffic had better pass through the security checkpoint. If you decide to remove these sites from the trusted zone, check the boxes next to the following entries:

    O15 - Trusted Zone: www.advmaps.com
    O15 - Trusted Zone: http://www.ktmimages.com
    O15 - Trusted Zone: *.rr.com
    O15 - Trusted Zone: *.ticketmaster.com
    O15 - Trusted Zone: http://*.turbotax.com



    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


  • Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /u

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

    The first reboot might be a little slow, the next one will be faster.
Optional Recommendations:
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3, which has more features and is more secure than Service Pack 2.

    Also I recommend updating to Internet explorer 7 as it has more functionality and is much safer.

    You can update by going to start > All Programs > Windows update > click on Custom button.

    Note: Download Service Pack 3 but before installing it disable your antivirus real-time protection.

  • Install Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link.
    After each update click on Protection Status in the left pane. Then click on Enable All Protection (bottom left of the right pane).

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.
Please let me know if you have any question.

Happy Surfing!

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:54 PM

Posted 23 June 2009 - 03:51 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
