All websites work fine, but when I try to get onto the Microsoft Update website, 'update.microsoft.com',
I automatically get redirected to msn.com. Any fixes for this?
Done a scan with Malwarebytes?
Yes, and a few trojans came up in the scan, but they have been deleted and the problem still persists after reboot.
Database version: 1240
Windows 5.1.2600 Service Pack 3
09/10/2008 20:38:10
mbam-log-2008-10-09 (20-38-03).txt
Scan type: Custom Scan
Objects scanned: 46139
Time elapsed: 1 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3929bbe4-2181-45db-a4ad-8e5015967fc1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3929bbe4-2181-45db-a4ad-8e5015967fc1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
What about the HOSTS file? And maybe some sort of proxy: check your Internet Explorer settings, if that is what you are using, and see if some software has enabled a proxy.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3929bbe4-2181-45db-a4ad-8e5015967fc1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3929bbe4-2181-45db-a4ad-8e5015967fc1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
This is interesting: no action taken. Go and manually delete these registry entries; DNSChanger is the culprit.
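The point of the reply above is that the scanner identified the rogue resolver entries but left them in place. A small parser that reads the "Registry Data Items Infected" section of a Malwarebytes log, pulls out the DNS server addresses, compares them with the resolvers you expect, and reports whether the scanner actually remediated each item makes that check repeatable. This is an added example for this thread, not code from Malwarebytes or from any poster; the log text is reconstructed from the scan output posted above, and the allowlist of expected resolvers is a constructed placeholder.

```python
"""Audit the 'Registry Data Items Infected' section of a Malwarebytes log for
DNS-server values the scanner attributed to a DNS-changing trojan and report
whether each one was actually remediated.

Added example for this thread; not Malwarebytes' own code and not from any post.
SAMPLE_LOG is reconstructed from the scan output posted in the thread.
EXPECTED_DNS is a constructed allowlist: replace it with the resolvers your
router or ISP really hands out.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed allowlist standing in for the resolvers you expect to see.
EXPECTED_DNS: Set[str] = {"192.168.1.1"}

# Reconstructed from the log posted in the thread (two of the four entries).
SAMPLE_LOG = r"""
Registry Data Items Infected: 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
Folders Infected:
(No malicious items detected)
"""

# One detail line: <registry path> (<threat name>) -> Data: <value> -> <action>
ITEM_RE = re.compile(
    r"^(?P<path>HKEY_\S+) \((?P<threat>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>.+)$"
)


def parse_registry_items(log_text: str) -> List[Dict[str, str]]:
    """Return the detail entries listed under 'Registry Data Items Infected:'."""
    items: List[Dict[str, str]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":   # detail header, not the summary count
            in_section = True
            continue
        if in_section and line.endswith(":") and not line.startswith("HKEY_"):
            break                                      # reached the next section
        if not in_section:
            continue
        match = ITEM_RE.match(line)
        if match:
            items.append(match.groupdict())
    return items


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def rogue_dns_findings(items: List[Dict[str, str]],
                       expected: Set[str] = EXPECTED_DNS) -> List[Dict[str, object]]:
    """Flag NameServer/DhcpNameServer values that list resolvers outside the allowlist."""
    findings: List[Dict[str, object]] = []
    for item in items:
        if not item["path"].upper().endswith("NAMESERVER"):
            continue
        servers = [s for s in item["data"].split() if _is_ip(s)]
        unexpected = [s for s in servers if s not in expected]
        if not unexpected:
            continue
        findings.append({
            "path": item["path"],
            "threat": item["threat"],
            "unexpected_servers": unexpected,
            # Malwarebytes writes 'No action taken.' when the item was only reported.
            "remediated": not item["action"].startswith("No action taken"),
        })
    return findings


if __name__ == "__main__":
    for f in rogue_dns_findings(parse_registry_items(SAMPLE_LOG)):
        status = "removed" if f["remediated"] else "STILL PRESENT"
        print(f"{status}: {f['path']} -> {' '.join(f['unexpected_servers'])}")
```

One caveat worth keeping in mind when acting on the output: DhcpNameServer is the resolver list the machine received with its DHCP lease, so if the same addresses reappear after you delete the values, the DHCP server (usually the home router) is the thing handing them out and needs its own DNS settings checked.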
I now know what the file is that is causing the problem. It is 'Zlob.DNSChanger'.
Any ideas how to get rid of this?
Spybot S&D picks it up and says it has deleted it, but the problem still persists.
Have you deleted the registry entries yet?
Have you got VNC access or something like LogMeIn? I could probably clear it for you.
check out this - http://forums.techguy.org/malware-re...nschanger.html
Last edited by Undertaker; 10th October 2008 at 07:27 PM.
Download ComboFix and run that. Fixes lots of problems like this.
http://www.bleepingcomputer.com/comb...o-use-combofix
Last edited by dibbler; 10th October 2008 at 07:40 PM. Reason: to add link
'Sausages! Hot sausages! Inna bun! Meat pies! Get them while they're hot!'
... Hole food! Hole food! Rat! Rat! Rat-onna-stick! Rat-in-a-bun! Get them while they're dead!'
Whoops, forgot to multiquote. Sadly I do not have either of them, but if the problem still persists after downloading ComboFix from another link (if I can find it) I may well have to download it, so thanks for the offer. Any experienced Fixwareout and HijackThis people? If so, these are the logfiles.
FIXWARE OUT
Username "Edward Berrecloth" - 13/10/2008 12:44:24 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="\"C:\\Program Files\\NOD32\\egui.exe\" /hide /waitservice"
"CTHelper"="CTHELPER.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"GrooveMonitor"="\"F:\\Microsoft office\\Office12\\GrooveMonitor.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\Itunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SetDefaultMIDI"="MIDIDef.exe"
"RogueMonitor"="C:\\Program Files\\Rogue remover pro\\Update\\RogueRemover PRO\\RogueRemoverPRO.exe /monitor"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:57, on 13/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NOD32\egui.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Microsoft office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Itunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DK\DkService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Itunes\iTunes.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 6680 bytes
Cheers
Last edited by Greyfox; 11th October 2008 at 01:22 PM.
Just uploaded it for you
http://w17.easy-share.com/1701940528.html
Sadly, after running ComboFix the problem is still there, with websites being redirected. Thanks for the upload though, as it did fix one minor problem not to do with the trojan.
Download this, then let Undertaker help you out: http://www.crossloop.com/landing.htm
I think it may be your hosts file.
Go to C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Find the HOSTS file and edit it in Notepad.
Let us know what is in there,
or copy this into Firefox: file:///C:/WINDOWS/SYSTEM32/DRIVERS/ETC/hosts
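When the hosts file turns out to be enormous, reading it by eye in Notepad is not practical. The audit below parses a hosts file and flags the two patterns that matter for the symptom in this thread: update or security-vendor hostnames pointed anywhere other than loopback, and any hostname pointed at a public address (a blocklist-style file that maps ad domains to 127.0.0.1 is left alone). This is an added example for this thread, not code from any poster; the sample hosts content and the list of watched domains are constructed, with the 85.255.x.x address taken from the scan log posted earlier.

```python
"""Audit a Windows hosts file for redirection entries of the kind described in
this thread: update/security-vendor names pointed away from loopback, and any
name pointed at a public address.

Added example; not from any post in the thread. SAMPLE_HOSTS and
WATCHED_SUFFIXES are constructed (the 85.255.114.67 address comes from the
Malwarebytes log posted above).
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed watchlist of domain suffixes an attacker would want to redirect.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "malwarebytes.org")

# Constructed sample: one legitimate entry, one ad-block entry, two redirects,
# one private-network entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net        # blocklist entry, harmless
85.255.114.67   update.microsoft.com      # redirect to a rogue host
85.255.114.67   www.malwarebytes.org
10.0.0.5        intranet.example          # private address, not flagged
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first token is not an address
        for host in fields[1:]:               # one line may name several hosts
            entries.append((fields[0], host.lower()))
    return entries


def _is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, object]:
    """Summarise the file and list entries that look like redirection, with reasons."""
    entries = parse_hosts(text)
    findings: List[Dict[str, object]] = []
    for ip_text, host in entries:
        addr = ipaddress.ip_address(ip_text)
        reasons: List[str] = []
        if _is_watched(host) and not addr.is_loopback:
            reasons.append("watched domain not on loopback")
        if addr.is_global:                    # public address: not loopback/private/reserved
            reasons.append("public address")
        if reasons:
            findings.append({"ip": ip_text, "host": host, "reasons": reasons})
    return {"entries": len(entries), "findings": findings}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, {len(report['findings'])} suspicious")
    for f in report["findings"]:
        print(f"  {f['ip']:<16} {f['host']:<28} {', '.join(f['reasons'])}")
```

To run it against a real file, read `C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts` into a string and pass it to `audit_hosts`; a clean Windows hosts file contains only the `localhost` line, so the entry count alone is already informative.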
Here you go, this should sort you out:
http://www.spywareinfoforum.com/inde...&hl=dnschanger
I typed what you said into Firefox and the list is huge. So big that even as a text document it exceeds the digital forum upload limit. Here's a link to a screenshot of C:\WINDOWS\SYSTEM32\DRIVERS\ETC
http://i194.photobucket.com/albums/z...eenShot002.jpg
Replace it with this.
Obviously extract it out.