
Thread: Zlob dns changer

  1. #1
    Junior Member
    Join Date
    Aug 2007
    Location
    Middelburg NL
    Posts
    12

    Zlob dns changer

    Hello,

    Zlob dnschanger keeps appearing on my computer. I would appreciate your help.

    Here are the reports:

    CA Virusscan

    Scan Results: Scan Completed. 81437 files scanned. No viruses found.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:08:15, on 10-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\PCVEIL~1\backweb\9743894\Program\SERVIC~1.EXE
    C:\Program Files\PC Veilig\Anti-Virus\fsgk32st.exe
    C:\Program Files\PC Veilig\backweb\9743894\program\fsbwsys.exe
    C:\Program Files\PC Veilig\Anti-Virus\FSGK32.EXE
    C:\Program Files\PC Veilig\Common\FSMA32.EXE
    C:\Program Files\PC Veilig\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\PC Veilig\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PC Veilig\backweb\9743894\Program\fspex.exe
    C:\Program Files\PC Veilig\Common\FCH32.EXE
    C:\Program Files\PC Veilig\Common\FAMEH32.EXE
    C:\Program Files\PC Veilig\Anti-Virus\fsqh.exe
    C:\Program Files\PC Veilig\Anti-Virus\fsrw.exe
    C:\Program Files\PC Veilig\FSPC\fspc.exe
    C:\Program Files\PC Veilig\FWES\Program\fsdfwd.exe
    C:\Program Files\PC Veilig\Anti-Virus\fsav32.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\PC Veilig\Common\FSM32.EXE
    C:\Program Files\PC Veilig\FSGUI\ispnews.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\PROGRA~1\PCVEIL~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\PC Veilig\FSGUI\fsguidll.exe
    C:\Program Files\FinePixViewerS\QuickDCF2.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\PC Veilig\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\PC Veilig\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\PC Veilig\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\PC Veilig\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PC Veilig.lnk = C:\Program Files\PC Veilig\backweb\9743894\Program\fspex.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O8 - Extra context menu item: &Deze pop-up blokkeren - C:\Program Files\PC Veilig\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Veilig\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Veilig\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Veilig\FSPC\fspcmsie.dll
    O9 - Extra button: IE-shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Veilig\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE-shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Veilig\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184903179718
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Music Manager) - http://img.od2.com/installation/plug...agerPlugin.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4876C233-014E-4A21-A4AA-B3EBFF377AC1}: NameServer = 85.255.116.90 85.255.112.219
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: PC Veilig (BackWeb Plug-in - 9743894) - F-Secure Corp. - C:\PROGRA~1\PCVEIL~1\backweb\9743894\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\PC Veilig\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\PC Veilig\backweb\9743894\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PC Veilig\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\PC Veilig\FSPC\fshttps\fshttps.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\PC Veilig\Common\FSMA32.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 9308 bytes


    Thank you,

    Charles van Kampen

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Charles ,

    Welcome to Safer Networking

    Your computer has been hijacked by the lovely people in the Ukraine, you are infected with Wareout.

    85.255.112.200 - 85.255.127.255
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    FixWareout Subratam
    FixWareout Lonny
    • Save it to your desktop and run it.
    • Click Next, then Install,
    • Then make sure "Run fixit" is checked and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • At the end of the fix, you may need to restart your computer again.

    Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.

    Now let's check some settings on your system (2000/XP only).

    • Go to Start > control panel.
    • If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
    • Then right click on your default connection, usually local area connection for cable and dsl.
    • Left click on properties.
    • Click the Networking tab.
    • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    • Press OK twice to get out of the properties screen and reboot if it asks.
      That option might not be available on some systems




    • Next, go to Start > Run, type cmd and hit OK
    • Type in ipconfig /flushdns then hit Enter
      (the space between g and / is needed)
    • Type exit and hit Enter


    Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entry and click on Fix Checked.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4876C233-014E-4A21-A4AA-B3EBFF377AC1}: NameServer = 85.255.116.90 85.255.112.219


    To be on the safe side, do this and post a new HJT log along with the Wareout report.

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe
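
    The O17 entry Ken points at is the whole infection from the network's point of view: a static NameServer value under the interface's Tcpip\Parameters\Interfaces\{GUID} key overrides whatever resolvers DHCP hands out, so every lookup the PC makes is answered by the attacker's servers. Below is an added example, not code from the original thread or from HijackThis or FixWareout, that automates the check Ken does by eye. It parses HijackThis O17 lines and the FixWareout "nameserver" line format seen later in this thread and flags any resolver inside the 85.255.112.200 - 85.255.127.255 range Ken attributes to Inhoster. The function names, the benign 192.168.1.1 line and the sample log are constructed for illustration; the suspect-range table is an assumption you would extend from your own intelligence.

```python
"""Flag DNS-changer style resolver overrides in HijackThis / FixWareout output.

Added example for this thread; not code from HijackThis, FixWareout or
Safer Networking.  Facts taken from the thread: the O17 line format, the
FixWareout "nameserver" line, and the 85.255.112.200 - 85.255.127.255 range
Ken attributes to Inhoster.  Everything else (function names, the sample log,
the benign 192.168.1.1 line) is constructed for illustration.
"""
import ipaddress
import re

# Resolver ranges that should never be configured on a home PC.  The single
# entry is the Inhoster range from Ken's post (assumption: extend from your
# own intel; the list is illustrative, not authoritative).
SUSPECT_RANGES = {
    "Inhoster (Kharkiv, UA) - Wareout/Zlob DNS changer": (
        ipaddress.ip_address("85.255.112.200"),
        ipaddress.ip_address("85.255.127.255"),
    ),
}

# HijackThis:  O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\.+?): NameServer = (?P<servers>.+)$")
# FixWareout / .reg export:  "nameserver"="a.b.c.d" [<Value cleared.]
REG_RE = re.compile(r'^"nameserver"="(?P<servers>[^"]*)"', re.IGNORECASE)


def suspect_label(ip):
    """Return the label of the first suspect range containing ip, else None.

    Accepts an address string or an ipaddress object.  IPv4 and IPv6 are
    never compared against each other (ipaddress raises TypeError if you try).
    """
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for label, (lo, hi) in SUSPECT_RANGES.items():
        if ip.version == lo.version and lo <= ip <= hi:
            return label
    return None


def parse_servers(value):
    """NameServer is a space- or comma-separated list; drop tokens that are not IPs."""
    ips = []
    for token in re.split(r"[ ,]+", value.strip()):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return ips


def scan_log(text):
    """Return one finding per resolver IP that sits inside a suspect range."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line) or REG_RE.match(line)
        if not m:
            continue
        for ip in parse_servers(m.group("servers")):
            label = suspect_label(ip)
            if label:
                findings.append({"ip": str(ip), "range": label, "line": line})
    return findings


# Constructed sample: the O17 line and FixWareout line from this thread, plus a
# benign router resolver (made up) that must not be flagged.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4876C233-014E-4A21-A4AA-B3EBFF377AC1}: NameServer = 85.255.116.90 85.255.112.219
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4876C233-014E-4A21-A4AA-B3EBFF377AC1}
"nameserver"="85.255.116.90" <Value cleared.
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"SUSPECT {f['ip']:<16} {f['range']}\n    {f['line']}")
```

    Running it on the sample reports the two resolvers from the O17 line and the one FixWareout cleared; the 192.168.1.1 line passes. The check is deliberately range-based rather than "anything that is not my ISP", because a static NameServer is legitimate on some networks; what is never legitimate is one pointing into a hosting block the user has never heard of. After remediation, the same scan over a fresh HijackThis log should return nothing, which is exactly the state the post #3 log below is in.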

  3. #3
    Junior Member
    Join Date
    Aug 2007
    Location
    Middelburg NL
    Posts
    12


    Dear Ken,

    Thanks so far. I've reset the radio dial to automatic. Here are the reports you asked for:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:22:06, on 11-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\PCVEIL~1\backweb\9743894\Program\SERVIC~1.EXE
    C:\Program Files\PC Veilig\Anti-Virus\fsgk32st.exe
    C:\Program Files\PC Veilig\backweb\9743894\program\fsbwsys.exe
    C:\Program Files\PC Veilig\Anti-Virus\FSGK32.EXE
    C:\Program Files\PC Veilig\Common\FSMA32.EXE
    C:\Program Files\PC Veilig\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\PC Veilig\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PC Veilig\backweb\9743894\Program\fspex.exe
    C:\Program Files\PC Veilig\Common\FCH32.EXE
    C:\Program Files\PC Veilig\Common\FAMEH32.EXE
    C:\Program Files\PC Veilig\Anti-Virus\fsqh.exe
    C:\Program Files\PC Veilig\Anti-Virus\fsrw.exe
    C:\Program Files\PC Veilig\FSPC\fspc.exe
    C:\Program Files\PC Veilig\FWES\Program\fsdfwd.exe
    C:\Program Files\PC Veilig\Anti-Virus\fsav32.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\PC Veilig\Common\FSM32.EXE
    C:\Program Files\PC Veilig\FSGUI\ispnews.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\FinePixViewerS\QuickDCF2.exe
    C:\PROGRA~1\PCVEIL~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\PC Veilig\FSGUI\fsguidll.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\PC Veilig\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\PC Veilig\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\PC Veilig\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\PC Veilig\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PC Veilig.lnk = C:\Program Files\PC Veilig\backweb\9743894\Program\fspex.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O8 - Extra context menu item: &Deze pop-up blokkeren - C:\Program Files\PC Veilig\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Veilig\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Veilig\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Veilig\FSPC\fspcmsie.dll
    O9 - Extra button: IE-shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Veilig\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE-shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Veilig\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184903179718
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Music Manager) - http://img.od2.com/installation/plug...agerPlugin.CAB
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: PC Veilig (BackWeb Plug-in - 9743894) - F-Secure Corp. - C:\PROGRA~1\PCVEIL~1\backweb\9743894\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\PC Veilig\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\PC Veilig\backweb\9743894\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PC Veilig\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\PC Veilig\FSPC\fshttps\fshttps.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\PC Veilig\Common\FSMA32.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 9046 bytes

    and:

    Username "Compaq_Eigenaar" - 2007-08-11 2:08:49 [Fixwareout edited 2007/07/05]

    »»»»»Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4876C233-014E-4A21-A4AA-B3EBFF377AC1}
    "nameserver"="85.255.116.90" <Value cleared.

    De DNS-omzettingscache is leeggemaakt. [Dutch: The DNS resolver cache has been flushed.]


    System was rebooted successfully.

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    »»»»» Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
    "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "KBD"="C:\\HP\\KBD\\KBD.EXE"
    "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    "VTTimer"="VTTimer.exe"
    "SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
    "AGRSMMSG"="AGRSMMSG.exe"
    "PS2"="C:\\WINDOWS\\system32\\ps2.exe"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "AlcxMonitor"="ALCXMNTR.EXE"
    "LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
    "Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "PE2CKFNT SE"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express 2 SE\\ChkFont.exe"
    "F-Secure Manager"="\"C:\\Program Files\\PC Veilig\\Common\\FSM32.EXE\" /splash"
    "F-Secure TNB"="\"C:\\Program Files\\PC Veilig\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
    "F-Secure Startup Wizard"="\"C:\\Program Files\\PC Veilig\\FSGUI\\FSSW.EXE\" /reboot"
    "News Service"="\"C:\\Program Files\\PC Veilig\\FSGUI\\ispnews.exe\""
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»

  4. #4
    Junior Member
    Join Date
    Aug 2007
    Location
    Middelburg NL
    Posts
    12


    By the way,

    De DNS-omzettingscache is leeggemaakt.
    in the second report is Dutch (as you might have noticed). It means roughly "The DNS changer cache has been emptied".

    Charles

  5. #5
    Junior Member
    Join Date
    Aug 2007
    Location
    Middelburg NL
    Posts
    12


    Before I started this thread, I followed the "Before you post" guidelines, and as part of that I ran Spybot in Safe Mode on my computer. In this mode it checked just 29 files (or possible entries?) instead of the ... thousand it used to.

    I've just noticed that, when running a Spybot scan now, it still checks those 29. What should I do?

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Charles,

    It looks like we got rid of Wareout. Still a little more to do.

    Fix these with HJT.

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    If this is something you use and know to be safe, then leave it alone.
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Music Manager) - http://img.od2.com/installation/plug...agerPlugin.CAB


    • Your Java is out of date and leaving your system vulnerable.
    • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
    • It should have an icon next to it:

      Select it and click Remove.
    • Reboot your system.
    • Then go to Sun Microsystems and install the update
    • Java Runtime Environment Version 6 Update 1 <-- This is what you need to download and install.
    • If you chose the online installation, it will prompt you to run the program.
    • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
    • Then after install you can verify your installation here Sun Java Verify
    I like to do the offline installation and save the setup file in case I may need it in the future.


    Please download CCleaner
    Save it to the Desktop:
    • Run the CCleaner installer.
    • During installation process, uncheck: Add CCleaner Yahoo! Toolbar and use CCleaner from within IE
    • Once installed, run CCleaner and click the Windows tab
    • Scroll to the Advanced section:
    • Check only: Old Prefetch data

    Caution: Please do not use the Issues button in the left pane. This is a built-in Registry cleaner and may cause irreparable damage to the system if used incorrectly. (Aaflac)

    *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


    Quote: I've just noticed that, when running a Spybot scan now, it still checks those 29. What should I do?
    I don't know what items you're talking about.

    Open Spybot, check for updates.
    Make sure you're in Advanced Mode (Mode > Advanced Mode)
    Go to Tools > View Report and check just "Include Results of last Check in Report"
    Run a Full System Scan, removing what it finds
    Go back to Tools > View Report and copy and paste the report for me to see.

  7. #7
    Junior Member
    Join Date
    Aug 2007
    Location
    Middelburg NL
    Posts
    12


    Hello Ken,

    Fixed items O4 and O16 in HJT.
    Installed Java Runtime Environment Version 6 Update 2.
    Ran CCleaner.

    What I meant about those items was that it usually took Spybot about 10 to 15 minutes to run a complete scan, during which a meter at the bottom counted from 1 to ... thousand. Now it runs just to 29.

    Here's the latest Spybot report:


    --- Search result list ---
    Gefeliciteerd !: Er werden geen onmiddellijke bedreigingen aangetroffen. () [Dutch: Congratulations!: No immediate threats were found.]



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2007-07-18 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-07-31 Tools.dll (2.1.2.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-08-08 Includes\Cookies.sbi
    2007-07-25 Includes\Dialer.sbi
    2007-08-08 Includes\DialerC.sbi
    2007-07-11 Includes\Hijackers.sbi
    2007-08-08 Includes\HijackersC.sbi
    2007-07-25 Includes\Keyloggers.sbi
    2007-08-08 Includes\KeyloggersC.sbi
    2007-08-01 Includes\Malware.sbi
    2007-08-08 Includes\MalwareC.sbi
    2007-08-08 Includes\PUPS.sbi
    2007-08-08 Includes\PUPSC.sbi
    2007-08-08 Includes\Revision.sbi
    2007-05-30 Includes\Security.sbi
    2007-08-08 Includes\SecurityC.sbi
    2007-08-01 Includes\Spybots.sbi
    2007-08-08 Includes\SpybotsC.sbi
    2005-02-17 Includes\Tracks.uti
    2007-08-01 Includes\Trojans.sbi
    2007-08-08 Includes\TrojansC.sbi
    2007-06-06 Plugins\TCPIPAddress.dll

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Are you sure you had it set to Full System Scan? Is it stopping the scan at 29?

    Also, open Spybot and, in Advanced Mode, go to Tools > File Sets and make sure everything is checked.

    What I would do is post to the Spybot forum; they will be better equipped to help you with that issue.

    http://forums.spybot.info/forumdisplay.php?f=4


    How did I get infected in the first place? Read these links and find out how to prevent getting infected again.


    Ken
    Last edited by ken545; 2007-08-11 at 17:19.

  9. #9
    Junior Member
    Join Date
    Aug 2007
    Location
    Middelburg NL
    Posts
    12


    Yes, Spybot is set to Advanced Mode and then I run the scan. I assume this automatically is the Full System Scan, because I see no other options. But I'll post to the Spybot forum about that.

    I understand that we've solved the problem I had on my computer. Thanks very much for your help!

    I think you people at Spybot are doing very good work and I made a donation to support it.

    Kind regards,

    Charles van Kampen

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Thank you, Charles, it was a pleasure helping you. Here is a tutorial for Spybot to look through.

    http://www.safer-networking.org/en/tutorial/index.html

    Ken
