
Trojan.DNSChanger 85.255.112.89 and 85.255.112.97


  • This topic is locked
22 replies to this topic

#1 Kunal Shah

  • Members
  • 36 posts

Posted 14 August 2009 - 07:09 AM

I am unable to connect to the internet (LAN is enabled but I can't browse or update any software) after removing the following trojans:

Scan by Malwarebytes's Anti-malware 1.40:
(Part of the log)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.


Fortunately I took a backup of the registry (14-08-09) and after restoring it through Registry Clean Expert I CAN connect to the internet.
BEFORE scanning with Malwarebytes' Anti-Malware I did a full scan with Bitdefender Total Security 2009 (fully updated)
and it could only find 1 infection: sccfg.sys (which is due to Folder Lock, I think) and NO action was taken.


Problems I am having:
1) Can't access www.malwarebytes.org, hence can't update Malwarebytes Anti-Malware. Also can't access www.safer-networking.org (Spybot site), although I can access the websites of SUPERAntiSpyware, Spyware Doctor........ also NO problems opening antivirus sites.
2) Vimax ads on some sites.
3) Can't download Microsoft products like .NET Framework 3.5 as I can't connect to the server at download.microsoft.com.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:46 PM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender 2009\BitDefender 2009\vsserv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
D:\Program Files\BitDefender 2009\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\cisvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system32\svchost.exe
D:\Program Files\BitDefender 2009\BitDefender 2009\seccenter.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\cidaemon.exe
D:\Z-Others\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ERBHOMasterObject Class - {5A15CA85-DAB9-456c-95ED-06C6E3885C2A} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender 2009\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender 2009\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender 2009\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Visit in 3D - {C1F0024B-8278-4999-B7E6-2718426D9FE6} - C:\windows\system32\shdocvw.dll (HKCU)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1EF8C4A-5C7F-4371-A82F-0BF4EB418581}: NameServer = 85.255.112.89;85.255.112.97
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skyline - {3A4F9195-65A8-11D5-85C1-0001023952C1} - C:\Program Files\Skyline\TerraExplorer\TerraExplorerX.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\WINDOWS\system32\Bhsrv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - D:\Program Files\BitDefender 2009\BitDefender 2009\vsserv.exe

--
End of file - 5683 bytes


I can provide you with the Malwarebytes Anti-Malware logs if you want.



#2 schrauber

  • Malware Response Team
  • 24,794 posts

Posted 25 August 2009 - 03:23 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Kunal Shah

  • Topic Starter

  • Members
  • 36 posts

Posted 26 August 2009 - 05:10 AM

Before talking about the topic I am extremely sorry and would like to apologize that I have already created another topic with the same content but a different name, 'Problem removing trojan.dnschanger'.

This is because I have already posted in other topics on bleepingcomputer.com where I got a reply in 5 hours, but this is the first time I am posting in HijackThis Logs so I had no idea that it may take 10-12 days for a response. Hence kindly delete or redirect my topic 'Problem removing trojan.dnschanger'.

Coming back to the main topic

I thought I had explained my problem clearly.

When I remove the 5 trojans (the Trojan.DNSChanger entries which are in the registry as mentioned above) with Malwarebytes Anti-Malware 1.40, then AFTER restarting the computer I cannot access any website (Firefox and IE cannot connect to any server) nor update any software!!

I had a backup of the registry (14-08-09) and after restoring it through Registry Clean Expert I CAN access websites.

I tried this two to three times:
1) Just before deleting the 5 trojans I took a registry backup.
2) After deleting the trojans via Malwarebytes Anti-Malware I am still able to access websites, but AFTER rebooting the PC I cannot access any website nor update any software!!
3) So I restored the registry and I can access websites.
4) This means that the trojans are still in the registry!!

Why I am trying to remove these trojans is because I think they are responsible for the following problems:
1) Can't access www.malwarebytes.org, hence can't update Malwarebytes Anti-Malware.
(I downloaded Malwarebytes Anti-Malware from another site.)
Also can't access www.safer-networking.org (Spybot site), although I can access the websites of SUPERAntiSpyware, Spyware Doctor........ also NO problems opening antivirus sites.
2) Vimax ads on some sites.
3) Can't download Microsoft products like .NET Framework 3.5 as I can't connect to the server at download.microsoft.com.

Here is my DDS log:
DDS (Ver_09-07-30.01) - NTFSx86
Run by ADMIN at 14:56:11.26 on Wed 08/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.116 [GMT 5.5:30]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender 2009\BitDefender 2009\vsserv.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\ctfmon.exe
D:\Program Files\BitDefender 2009\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system32\svchost.exe -k imgsvc
D:\Program Files\BitDefender 2009\BitDefender 2009\seccenter.exe
C:\windows\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ADMIN\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Tensons.Application.DownloadAcceleratorManager.BHO: {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ERBHOMasterObject Class: {5a15ca85-dab9-456c-95ed-06c6e3885c2a} - ERBHOMasterObject Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - d:\program files\bitdefender 2009\bitdefender 2009\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BDAgent] "d:\program files\bitdefender 2009\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "d:\program files\bitdefender 2009\bitdefender 2009\IEShow.exe"
dPolicies-explorer: StartMenuLogOff = 1 (0x1)
IE: &Download with DAM - d:\program files\download accelerator manager\\addUrl.htm
IE: Download &All with DAM - d:\program files\download accelerator manager\\addAllUrls.htm
IE: Download FLV &Video with DAM - d:\program files\download accelerator manager\\addDocUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Run DAM Media&Grabber - d:\program files\download accelerator manager\\runMg.htm
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\chessmaster challenge\images\stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\chessmaster challenge\images\armhelper.ocx
TCP: {B1EF8C4A-5C7F-4371-A82F-0BF4EB418581} = 85.255.112.89;85.255.112.97
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skyline - {3a4f9195-65a8-11d5-85c1-0001023952c1} - c:\program files\skyline\terraexplorer\TerraExplorerX.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\tno0tz8b.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tno0tz8b.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: d:\program files\download accelerator manager\\damfirefox\components\dammz.dll
FF - component: d:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tno0tz8b.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\k-lite codec\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-8-25 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-8-25 27656]
R2 BDVEDISK;BDVEDISK;d:\program files\bitdefender 2009\bitdefender 2009\BDVEDISK.sys [2008-7-2 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 BHsrv;BHCP Service;c:\windows\system32\bhsrv.exe --> c:\windows\system32\Bhsrv.exe [?]
S4 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-8-25 4368952]

=============== Created Last 30 ================

2009-08-25 11:29 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-08-25 11:29 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-08-25 11:29 <DIR> --d----- c:\program files\Prevx
2009-08-25 11:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-08-25 11:28 64 a------- c:\windows\wininit.ini
2009-08-22 18:34 <DIR> --d----- C:\Downloads
2009-08-15 21:41 <DIR> --d----- c:\program files\Yahoo!
2009-08-14 12:26 <DIR> --d----- c:\docume~1\admin\applic~1\Skyline
2009-08-14 12:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Skyline
2009-08-14 12:08 <DIR> --d----- c:\program files\Skyline
2009-08-12 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-12 20:07 <DIR> --d----- c:\docume~1\admin\applic~1\Adblock Pro
2009-08-07 14:55 <DIR> --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-08-07 14:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 14:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-07 14:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-03 14:41 <DIR> --d----- C:\!KillBox

==================== Find3M ====================

2009-08-26 09:38 81,984 a------- c:\windows\system32\bdod.bin
2009-07-21 19:59 28,400 a------- c:\windows\system32\drivers\secdrv.sys
2009-07-07 13:20 132 a------- C:\httpdwl.dat
2009-07-07 10:48 192,512 a------- c:\windows\system32\txmlutil.dll
2009-07-07 10:47 242,184 a------- c:\windows\system32\drivers\bdfsfltr.sys
2009-07-07 10:47 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-07-07 10:47 111,112 a------- c:\windows\system32\drivers\bdfm.sys
2009-07-07 10:47 82,696 a------- c:\windows\system32\drivers\BDVEDISK.sys
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-02 21:41 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-30 03:07 205,824 a------- c:\windows\system32\xvidvfw.dll
2009-05-30 03:01 881,664 a------- c:\windows\system32\xvidcore.dll
2009-02-23 12:39 362 a------- c:\program files\Program Files.lnk

============= FINISH: 14:58:40.04 ===============


#4 m0le

  • Malware Response Team
  • 34,527 posts

Posted 01 September 2009 - 02:55 PM

Hi Kunal Shah,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back when I receive your reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 Kunal Shah

  • Topic Starter

  • Members
  • 36 posts

Posted 02 September 2009 - 09:37 AM

What do you mean by 'subscribe to this topic'?
I am there and checking daily for a response.

#6 m0le

  • Malware Response Team
  • 34,527 posts

Posted 02 September 2009 - 01:25 PM

What do you mean by 'subscribe to this topic'?
I am there and checking daily for a response.


That's okay. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Let's first get your internet connection back.

We Need to Repair Your Internet Connection
  • Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  • Copy the file to the desktop on the non working machine.
  • Double Click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot.
Please let me know in your next reply if your connection is restored.

Then we should be able to clean you up :thumbup2:
m0le is a proud member of UNITE

#7 Kunal Shah

  • Topic Starter

  • Members
  • 36 posts

Posted 03 September 2009 - 06:09 AM

Thanks for replying quickly.

I scanned my PC with Malwarebytes Anti-Malware.

MBAM log 03-09-2009:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

9/3/2009 10:58:58 AM
mbam-log-2009-09-03 (10-58-58).txt

Scan type: Quick Scan
Objects scanned: 101030
Time elapsed: 17 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Earlier I wasn't able to connect to the internet after restart.

But this time I am able to access the internet!!! (without using WinsockXPFix)

This may be because I used the startup analyser of REGRUN a couple of days back.
I deleted some of the bad files detected by the startup analyser of REGRUN (others were false positives).
After that I had to uninstall REGRUN because the computer would become almost unresponsive at startup due to the overload of REGRUN's processes.

After removing the trojans (6 Trojan.DNSChangers this time) the earlier problems I described are gone!!
1. I am able to access malwarebytes.org, hence updated it. Able to access the Spybot site.
2. No Vimax ads.
3. Can download Microsoft products like .NET Framework 3.5.
4. Also I can access the BitDefender default update location 'http://upgrade.bitdefender.com/'.
Earlier I was using 'http://upgrade1.bitdefender.com/' to update BitDefender.
Also I have upgraded to BitDefender Total Security 2010 from 2009.

So no problems now!!

Can you suggest a good registry cleaner/mechanic?
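An added example, not part of the thread and not from Malwarebytes: a small parser for the "Registry Data Items Infected" lines of an MBAM log like the one posted above. It pulls the NameServer / DhcpNameServer data out of each Trojan.DNSChanger hit, groups the hits by control set and interface GUID, and flags any resolver that falls outside an allowlist of networks. The sample lines are copied from the log in this post; the allowlist (RFC 1918 ranges, standing in for the resolver a home router hands out over DHCP) is a constructed assumption, as are all function names. Two things the summary makes visible that the raw log does not: the same pair of rogue resolvers sat in the live control set and in the ControlSet001 to ControlSet004 copies, so cleaning only CurrentControlSet would have left copies behind, and the DhcpNameServer value was overwritten as well, so once the values are deleted the adapter has no resolver at all until DHCP is renewed (ipconfig /renew) or the adapter is set back to obtain DNS automatically. That matches the symptom at the top of the thread: LAN up, nothing browsing, right after the first removal.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) 'Registry Data Items Infected' lines
and summarise DNS-resolver hijacks of the Trojan.DNSChanger kind seen in this thread."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the nine detection lines from the 03-09-2009 MBAM log above.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{b1ef8c4a-5c7f-4371-a82f-0bf4eb418581}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Quarantined and deleted successfully.
"""

# The part before the first " -> " reads "<key>\<value> (<detection name>)".
HEAD_RE = re.compile(r"^(?P<path>HKEY_\S.*?) \((?P<detection>[^()]+)\)$")
CONTROLSET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\")
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
DNS_VALUES = ("NameServer", "DhcpNameServer")


def parse_mbam_registry_items(log_text):
    """Return one dict per HKEY_ line: key, value name, detection, data (if any), action."""
    items = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("HKEY_"):
            continue
        head, *rest = line.split(" -> ")
        m = HEAD_RE.match(head)
        if not m:
            continue
        key, _, value = m.group("path").rpartition("\\")
        # Registry-data hits carry "Data: <value>"; Security Center hits carry "Bad: (1) Good: (0)".
        data = rest[0][len("Data: "):] if rest and rest[0].startswith("Data: ") else None
        items.append({"key": key, "value": value, "detection": m.group("detection"),
                      "data": data, "action": rest[-1] if rest else ""})
    return items


def dns_server_hits(items):
    """Map (control set, interface GUID, value name) -> list of resolvers that were configured."""
    hits = {}
    for it in items:
        if it["value"] not in DNS_VALUES or not it["data"]:
            continue
        cs = CONTROLSET_RE.search(it["key"])
        guid = GUID_RE.search(it["key"])
        # MBAM prints the resolvers ';'-separated here; Windows itself may use ',' or ' '.
        servers = [s for s in re.split(r"[;, ]+", it["data"]) if s]
        hits[(cs.group(1) if cs else "?", guid.group(0) if guid else "?", it["value"])] = servers
    return hits


def rogue_resolvers(hits, allowed_networks):
    """Resolvers not inside any allowed network (unparseable strings count as rogue)."""
    nets = [ip_network(n) for n in allowed_networks]
    rogue = set()
    for servers in hits.values():
        for s in servers:
            try:
                addr = ip_address(s)
            except ValueError:
                rogue.add(s)
                continue
            if not any(addr in n for n in nets):
                rogue.add(s)
    return sorted(rogue)


def affected_control_sets(hits):
    """Every control set that carried a hijacked resolver, not just the live one."""
    return sorted({cs for cs, _, _ in hits})


if __name__ == "__main__":
    found = dns_server_hits(parse_mbam_registry_items(SAMPLE_LOG))
    # Constructed allowlist: RFC 1918 space, i.e. a resolver handed out by the home router.
    print("rogue resolvers:", rogue_resolvers(found, ["192.168.0.0/16", "10.0.0.0/8"]))
    print("control sets touched:", affected_control_sets(found))
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_registry_items`; in an environment where the ISP's resolvers are the expected ones, put their addresses (as /32 networks) in the allowlist instead of the private ranges.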

#8 m0le


Posted 03 September 2009 - 04:54 PM

Bleeping Computer and I don't recommend regcleaners. They can damage your PC and removing registry entries does not speed up your PC. Here's the full text that we use to warn users about this software.


Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

If you are happy that you are clean then that's great, but I would still like to see the following logs before I could definitely confirm it.

Please post a new MBAM log

Please also post a new DDS log.

Thanks

#9 Kunal Shah


Posted 05 September 2009 - 06:48 AM

MBAM log:
Malwarebytes' Anti-Malware 1.40
Database version: 2744
Windows 5.1.2600 Service Pack 2

9/5/2009 1:06:19 PM
mbam-log-2009-09-05 (13-06-19).txt

Scan type: Quick Scan
Objects scanned: 103746
Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by ADMIN at 17:02:28.41 on Sat 09/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.137 [GMT 5.5:30]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\spoolsv.exe
D:\Program Files\BitDefender Total Security 2010\BitDefender 2010\bdagent.exe
D:\Program Files\BitDefender Total Security 2010\BitDefender 2010\seccenter.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system32\svchost.exe -k imgsvc
D:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\NOTEPAD.EXE
D:\Program Files\BitDefender Total Security 2010\BitDefender 2010\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Documents and Settings\ADMIN\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Tensons.Application.DownloadAcceleratorManager.BHO: {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ERBHOMasterObject Class: {5a15ca85-dab9-456c-95ed-06c6e3885c2a} - ERBHOMasterObject Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - d:\program files\bitdefender total security 2010\bitdefender 2010\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BitDefender Antiphishing Helper] "d:\program files\bitdefender total security 2010\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "d:\program files\bitdefender total security 2010\bitdefender 2010\bdagent.exe"
dPolicies-explorer: StartMenuLogOff = 1 (0x1)
IE: &Download with DAM - d:\program files\download accelerator manager\\addUrl.htm
IE: Download &All with DAM - d:\program files\download accelerator manager\\addAllUrls.htm
IE: Download FLV &Video with DAM - d:\program files\download accelerator manager\\addDocUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Run DAM Media&Grabber - d:\program files\download accelerator manager\\runMg.htm
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\chessmaster challenge\images\stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\chessmaster challenge\images\armhelper.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skyline - {3a4f9195-65a8-11d5-85c1-0001023952c1} - c:\program files\skyline\terraexplorer\TerraExplorerX.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\tno0tz8b.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tno0tz8b.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: d:\program files\download accelerator manager\\damfirefox\components\dammz.dll
FF - component: d:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tno0tz8b.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\k-lite codec\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: d:\program files\quicktime alternative\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-8-25 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-8-25 27656]
R2 BDVEDISK;BDVEDISK;d:\program files\bitdefender total security 2010\bitdefender 2010\bdvedisk.sys [2009-4-1 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 152328]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-8-6 110728]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-6-25 176128]
S3 BHsrv;BHCP Service;c:\windows\system32\bhsrv.exe --> c:\windows\system32\Bhsrv.exe [?]

=============== Created Last 30 ================

2009-09-03 15:02 <DIR> --d----- c:\program files\BitDefender
2009-09-03 14:21 <DIR> --d----- c:\docume~1\admin\applic~1\BitDefender
2009-09-03 14:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-09-03 14:15 <DIR> --d----- c:\program files\common files\BitDefender
2009-09-03 12:20 <DIR> --d----- c:\docume~1\admin\applic~1\BD_TEMP
2009-09-01 20:04 <DIR> --d----- c:\windows\RestoreSafeDeleted
2009-09-01 19:43 <DIR> --d----- c:\docume~1\admin\applic~1\Regrun
2009-09-01 19:37 57,556 a------- c:\windows\guard.bmp
2009-08-31 17:06 0 a------- c:\windows\system32\wsbl.dat
2009-08-31 17:06 0 a------- c:\windows\system32\ph_summ.dat
2009-08-31 17:06 0 a------- c:\windows\system32\ph_spoof.sig
2009-08-31 17:06 0 a------- c:\windows\system32\ph_sign.slf
2009-08-31 17:06 0 a------- c:\windows\system32\ph_fuzzy.sig
2009-08-31 17:06 0 a------- c:\windows\system32\ph_white.dat
2009-08-31 17:06 0 a------- c:\windows\system32\ph_black.dat
2009-08-31 17:06 0 a------- c:\windows\system32\pcwords2.dat
2009-08-31 17:06 0 a------- c:\windows\system32\pcwords.dat
2009-08-31 17:06 0 a------- c:\windows\system32\pc_sign.slf
2009-08-31 17:06 0 a------- c:\windows\system32\ab_sbl.sig
2009-08-30 20:37 132 a------- c:\windows\system32\rezumatenoi.dat
2009-08-30 13:02 4 a------- c:\windows\system32\aspdict-en.dat
2009-08-30 13:02 0 a------- c:\windows\system32\ab_bl.sig
2009-08-30 13:02 16 a------- c:\windows\system32\asdict.dat
2009-08-25 11:29 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-08-25 11:29 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-08-25 11:28 64 a------- c:\windows\wininit.ini
2009-08-22 18:34 <DIR> --d----- C:\Downloads
2009-08-15 21:41 <DIR> --d----- c:\program files\Yahoo!
2009-08-14 12:26 <DIR> --d----- c:\docume~1\admin\applic~1\Skyline
2009-08-14 12:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Skyline
2009-08-14 12:08 <DIR> --d----- c:\program files\Skyline
2009-08-12 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-12 20:07 <DIR> --d----- c:\docume~1\admin\applic~1\Adblock Pro
2009-08-07 14:55 <DIR> --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-08-07 14:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 14:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-07 14:55 19,096 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2009-09-01 19:54 114 a------- C:\sccfg.sys
2009-08-30 11:56 81,984 a------- c:\windows\system32\bdod.bin
2009-08-06 16:34 110,728 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-07-24 12:26 285,704 -------- c:\windows\system32\drivers\bdfsfltr.sys
2009-07-21 19:59 28,400 a------- c:\windows\system32\drivers\secdrv.sys
2009-07-07 13:20 132 a------- C:\httpdwl.dat
2009-02-23 12:39 362 a------- c:\program files\Program Files.lnk

============= FINISH: 17:03:50.41 ===============


BitDefender has an in-built registry cleaner, so should I use it?
Is Folder Lock safe to use?
Do I need any software other than BDTS 2010 and MBAM for further prevention?
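An added example, not part of the thread and not from the DDS tool's author: a parser for the SERVICES / DRIVERS section of the DDS log posted above. Each DDS line gives a running/stopped flag (R or S) and the Windows start type digit (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then name;display name;image path, followed either by [date size] for the binary on disk or by "configured command --> path DDS looked for [?]" when the file could not be read. The function lists the entries marked [?], which in this log are Partizan, CSIScanner and BHsrv: services still registered with no binary that DDS could find. Such entries are typically left-overs of removed software, but the one the helper removes in the next reply shows why they are worth reading rather than ignoring. The sample lines are copied from the log above; the function names are assumptions.

```python
"""Parse the 'SERVICES / DRIVERS' section of a DDS log and flag entries whose
binary DDS could not read (marked '[?]'): left-over or broken service registrations."""
import re

# Constructed sample: the nine service/driver lines from the 05-09-2009 DDS log above.
SAMPLE_DDS = r"""
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-8-25 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-8-25 27656]
R2 BDVEDISK;BDVEDISK;d:\program files\bitdefender total security 2010\bitdefender 2010\bdvedisk.sys [2009-4-1 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 152328]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-8-6 110728]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-6-25 176128]
S3 BHsrv;BHCP Service;c:\windows\system32\bhsrv.exe --> c:\windows\system32\Bhsrv.exe [?]
"""

# "<R|S><start type> <name>;<display name>;<image path and file info>"
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[YYYY-M-D size]" that DDS prints when it could stat the binary.
FILEINFO_RE = re.compile(r" \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def parse_dds_services(text):
    """Return one dict per service/driver line with image path and file info, if any."""
    services = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        entry = {
            "name": m.group("name"),
            "display": m.group("display"),
            "running": m.group("state") == "R",
            "start_type": START_TYPES.get(int(m.group("start")), "unknown"),
            "image": None, "checked_path": None, "date": None, "size": None,
            "resolved": False,  # True only when DDS reported date and size for the file
        }
        if rest.endswith(" [?]"):
            # DDS could not read the file: "configured command --> path it tried [?]"
            cmd, sep, checked = rest[:-len(" [?]")].partition(" --> ")
            entry["image"] = cmd
            entry["checked_path"] = checked if sep else cmd
        else:
            fi = FILEINFO_RE.search(rest)
            if fi:
                entry["image"] = rest[:fi.start()]
                entry["checked_path"] = entry["image"]
                entry["date"] = fi.group("date")
                entry["size"] = int(fi.group("size"))
                entry["resolved"] = True
            else:
                entry["image"] = rest
        services.append(entry)
    return services


def unresolved_services(text):
    """Names of registered services/drivers whose binary DDS could not find or read."""
    return [s["name"] for s in parse_dds_services(text) if not s["resolved"]]


if __name__ == "__main__":
    for s in parse_dds_services(SAMPLE_DDS):
        status = "ok" if s["resolved"] else "FILE NOT READABLE"
        print(f'{s["name"]:12} {s["start_type"]:8} {"running" if s["running"] else "stopped":8} {status}  {s["checked_path"]}')
```

The same function works on a full DDS.txt: everything outside the SERVICES / DRIVERS section simply fails to match `SERVICE_RE` and is skipped.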


#10 m0le


Posted 05 September 2009 - 02:25 PM

Before I answer those questions there's still a bad driver showing up and a few files.

  • Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Next, we'll deal with the rest of the malware

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double-click the OTM icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :services
    BHsrv
    :files
    c:\windows\system32\Bhsrv.exe
    c:\windows\system32\rezumatenoi.dat
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Thanks :thumbup2:

#11 Kunal Shah


Posted 07 September 2009 - 05:13 AM

ATF Cleaner
I emptied all files under Main, but I am not able to select the Firefox button (it can't be highlighted).

OTM log
========== SERVICES/DRIVERS ==========

Service\Driver BHsrv deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\Bhsrv.exe not found.
c:\windows\system32\rezumatenoi.dat moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09072009_153709

#12 m0le


Posted 07 September 2009 - 12:03 PM

Hi Kunal Shah,

Follow these instructions to clear your Firefox mess.

In Firefox (this differs but if you get to the Privacy window you should see the tabs/buttons required. Just look for Cookies and Cache and clear them)

1. Select "Tools"
2. Select "Options".
3. Select "Privacy".
4. In Private area click "Clear Now".
5. In "Clear Private Data" window put the check mark for "Cookies" and click "Clear Private Data Now".
6. Click OK.


Now we need to do an online scan to clear up.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Thanks :thumbup2:

#13 Kunal Shah


Posted 08 September 2009 - 10:18 AM

I cleared the Firefox mess as you told me.

I don't understand why you are telling me to do an online antivirus scan, as I have already told you that I have BitDefender.

I am posting the log files of a recent scan: Malwarebytes Anti-Malware (full scan) and BitDefender (full scan).

MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2744
Windows 5.1.2600 Service Pack 2

9/6/2009 6:43:36 PM
mbam-log-2009-09-06 (18-43-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 259022
Time elapsed: 4 hour(s), 47 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{96715F35-1A33-4087-A38C-5419BFB349B9}\RP124\A0147520.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Bitdefender total security 2010


#14 m0le


Posted 08 September 2009 - 05:31 PM

The MBAM log shows nothing to worry about. I didn't think it would, which is why I didn't ask for it.

Online scans are used so that we can be sure that the results haven't been skewed. On-board antiviruses can be unreliable in an infected PC.

The link you provided didn't show any report.

Please use the BitDefender online scanner.

Thanks :thumbup2:

#15 Kunal Shah


Posted 09 September 2009 - 09:45 AM

I am able to view the log files of BitDefender (in .xml format) but am still figuring out how to export them. I'll see if any XML-to-other-format converters help.

Meanwhile I am posting screenshots of the recent full scan log file. Also please answer my above questions.

Attached files: 1.jpg (92.94KB), 2.JPG (99.52KB)




