Hijacked?

[Greyfox]

All websites work fine but when i try and get onto the microsoft update website 'update.microsoft.com'
i automatically get redirected to msn.com. Any fixes for this?

[Undertaker]

done a scan with malware bytes?

[Greyfox]

Yes and a few trojans came up in scan but they have been deleted and the problem still persists after reboot.



Database version: 1240
Windows 5.1.2600 Service Pack 3

09/10/2008 20:38:10
mbam-log-2008-10-09 (20-38-03).txt

Scan type: Custom Scan
Objects scanned: 46139
Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3929bbe4-2181-45db-a4ad-8e5015967fc1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3929bbe4-2181-45db-a4ad-8e5015967fc1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Undertaker]

what about HOST file? and maybe some sort of proxy, check your internet explorer settings if that is what you are using, and see if some software has enable a proxy

[Undertaker]

Registry Data Items Infected:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersDhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfaces{3929bbe4-2181-45db-a4ad-8e5015967fc1}DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesTcpipParametersDhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesTcpipParametersInterfaces{3929bbe4-2181-45db-a4ad-8e5015967fc1}DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> No action taken.

This is interesting - no action taken, go and manually delete these registry entries, DNSchanger is the culprit

[Greyfox]

I now know what the file is that is causing the problem. It is 'Zlob. DNSChanger'

any ideas how to get rid of this?

spybot SD picks it up and says it has deleted it but the problem still persists.

[Undertaker]

u deleted the registry entries yet?

[Greyfox]

u deleted the registry entries yet?

Sorry yeah done that but still same thing happens and after deleting them they come up again in a repeated malwarebytes scan. Still have problem of tryign to get onto websites such as windows updater and beign directed to completely irrelevant sites

[Undertaker]

you got vnc access or something like logmein? i could probably clear it for you



check out this - http://forums.techguy.org/malware-re...nschanger.html

[dibbler]

download combofix and run that. Fixs lots of problems like this.

http://www.bleepingcomputer.com/comb...o-use-combofix

[Greyfox]

download combofix and run that. Fixs lots of problems like this.

http://www.bleepingcomputer.com/comb...o-use-combofix

Thanks but i have already tried to install it from there but this dns,changer is preventing me from getting onto bleeping computer also. Does anyone have another link to download?

[Greyfox]

you got vnc access or something like logmein? i could probably clear it for you



check out this - http://forums.techguy.org/malware-re...nschanger.html

Whoops forogt to multiquote. Sadly i do not have either of them but if the problem still persists after downloading combofix from another link (if i can find it) i may well have to download it so thanks for the offer. Any experienced fixwareout and hijackthis people? IF so these are the logfiles.


FIXWARE OUT
Username "Edward Berrecloth" - 13/10/2008 12:44:24 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="\"C:\\Program Files\\NOD32\\egui.exe\" /hide /waitservice"
"CTHelper"="CTHELPER.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"GrooveMonitor"="\"F:\\Microsoft office\\Office12\\GrooveMonitor.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\Itunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SetDefaultMIDI"="MIDIDef.exe"
"RogueMonitor"="C:\\Program Files\\Rogue remover pro\\Update\\RogueRemover PRO\\RogueRemoverPRO.exe /monitor"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:57, on 13/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NOD32\egui.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Microsoft office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Itunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DK\DkService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Itunes\iTunes.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6680 bytes


Cheers

[dibbler]

Thanks but i have already tried to install it from there but this dns,changer is preventing me from getting onto bleeping computer also. Does anyone have another link to download?

Just uploaded it for you

http://w17.easy-share.com/1701940528.html

[Greyfox]

Just uploaded it for you

http://w17.easy-share.com/1701940528.html

Thanks very much! Downloading now and will give it a go shortly. Lets hope it sorts the problem out but im not sure, this thing is a hard bastad to get rid of!

[Greyfox]

Sadly after running combofix the problem is still there with websites being redirected. Thanks for the upload thoguh as it did fix one minor problem not to do with the trojan

[pumpman]

dl this then let undertaker help you oot http://www.crossloop.com/landing.htm

[Undertaker]

I think it may be your host file

go to C:\WINDOWS\SYSTEM32\DRIVERS\ETC

find HOST file and edit it notepad


let us know what is in there

or copy this into firefox file:///C:/WINDOWS/SYSTEM32/DRIVERS/ETC/hosts

[ZX7R]

Here you go, this should sort you out:

http://www.spywareinfoforum.com/inde...&hl=dnschanger

[Greyfox]

I think it may be your host file

go to C:WINDOWSSYSTEM32DRIVERSETC

find HOST file and edit it notepad


let us know what is in there

or copy this into firefox file:///C:/WINDOWS/SYSTEM32/DRIVERS/ETC/hosts

I typed what you said in firefox and the list is huge. So big that even in a text document exceeds digital forum upload limit. Heres a link to screenshot of the C:\WINDOWS\SYSTEM32\DRIVERS\ETC


http://i194.photobucket.com/albums/z...eenShot002.jpg

[Undertaker]

replace it with this


obviously extract it out