Thread: Zlob.DNSChanger

  1. #1
    Junior Member
    Join Date
    Sep 2008
    Posts
    21

    Zlob.DNSChanger

    - Tried to remove it with Spybot. Spybot in safe mode always finds it again.

    - Norman Antivirus says nothing.

    - HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:58, on 2008-09-27
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16711)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
    C:\Program Files\Norman\Npm\Bin\Zanda.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
    C:\Program Files\Norman\Npm\Bin\Zlh.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Norman\Nvc\BIN\NIP.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Personal\bin\Personal.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\CTsvcCDA.exe
    C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\tcpsvcs.exe
    C:\Windows\system32\svchost.exe
    C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Norman\Nvc\bin\nvcoas.exe
    C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
    C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Norman\Nvc\bin\cclaw.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazetawyborcza.pl/0,0.html?p=4
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Keyboard Manager Utility] "c:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\WinampPro\winampa.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [6AD.tmp] C:\Windows\temp\6AD.tmp
    O4 - HKLM\..\Run: [C:\Windows\system32\kdryz.exe] C:\Windows\system32\kdryz.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdypv.exe] C:\Windows\system32\kdypv.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdwhq.exe] C:\Windows\system32\kdwhq.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdvim.exe] C:\Windows\system32\kdvim.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdwvt.exe] C:\Windows\system32\kdwvt.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdceu.exe] C:\Windows\system32\kdceu.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdfvl.exe] C:\Windows\system32\kdfvl.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdocl.exe] C:\Windows\system32\kdocl.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdoww.exe] C:\Windows\system32\kdoww.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdpib.exe] C:\Windows\system32\kdpib.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdowr.exe] C:\Windows\system32\kdowr.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdqry.exe] C:\Windows\system32\kdqry.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdnev.exe] C:\Windows\system32\kdnev.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdhnc.exe] C:\Windows\system32\kdhnc.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdjho.exe] C:\Windows\system32\kdjho.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdjls.exe] C:\Windows\system32\kdjls.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdrri.exe] C:\Windows\system32\kdrri.exe
    O4 - HKLM\..\Run: [C:\Windows\system32\kdxth.exe] C:\Windows\system32\kdxth.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
    O4 - Global Startup: BankID Security Application.lnk = C:\Program Files\Personal\bin\Personal.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
    O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0ED44734-A45E-42A2-8A1D-3AB12BDFE18D}: NameServer = 85.255.115.45,85.255.112.110
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6860D4F3-36CF-47B9-B290-5629C8784CAD}: NameServer = 85.255.115.45,85.255.112.110
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACE160B2-7C7B-451E-8A73-D5EBAE05A9F7}: NameServer = 85.255.115.45,85.255.112.110
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0ED44734-A45E-42A2-8A1D-3AB12BDFE18D}: NameServer = 85.255.115.45,85.255.112.110
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs:
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
    O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdltm.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 11134 bytes



    Please help me get rid of this.

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi grimblegromble

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


    Post:

    - mbam log
    - rsit logs (taken after mbam run)
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Sep 2008
    Posts
    21

    Hi Shaba, and thanks a lot for helping me out!

    1) The scan is done.

    2) The log file you requested:


    Malwarebytes' Anti-Malware 1.28
    Database version: 1219
    Windows 6.0.6000

    2008-09-28 19:29:09
    mbam-log-2008-09-28 (19-29-09).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 195995
    Time elapsed: 2 hour(s), 18 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 18
    Registry Data Items Infected: 14
    Folders Infected: 1
    Files Infected: 139

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdryz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdypv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdwhq.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdvim.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdwvt.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdceu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdfvl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdocl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdoww.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdpib.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdowr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdqry.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdnev.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdhnc.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdjho.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdjls.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdrri.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\windows\system32\kdxth.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0ed44734-a45e-42a2-8a1d-3ab12bdfe18d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6860d4f3-36cf-47b9-b290-5629c8784cad}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6860d4f3-36cf-47b9-b290-5629c8784cad}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ace160b2-7c7b-451e-8a73-d5ebae05a9f7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ace160b2-7c7b-451e-8a73-d5ebae05a9f7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0ed44734-a45e-42a2-8a1d-3ab12bdfe18d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6860d4f3-36cf-47b9-b290-5629c8784cad}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6860d4f3-36cf-47b9-b290-5629c8784cad}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ace160b2-7c7b-451e-8a73-d5ebae05a9f7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ace160b2-7c7b-451e-8a73-d5ebae05a9f7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0ed44734-a45e-42a2-8a1d-3ab12bdfe18d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6860d4f3-36cf-47b9-b290-5629c8784cad}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ace160b2-7c7b-451e-8a73-d5ebae05a9f7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ace160b2-7c7b-451e-8a73-d5ebae05a9f7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.45,85.255.112.110 -> Quarantined and deleted successfully.

    Folders Infected:
    C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Windows\System32\kdryz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdypv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwhq.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdvim.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwvt.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdceu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdfvl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdocl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdoww.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdpib.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdowr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdqry.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdnev.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhnc.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdjho.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdjls.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrri.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxth.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdahp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdahr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdajz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdapf.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdbdi.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdbou.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdbsw.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdbvn.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdbxj.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdbxy.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdcvf.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdcwq.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhxo.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdomk.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhzw.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdiiv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdipd.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdiva.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdjcp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdjlp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdjmm.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdjuj.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdkbb.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdkhm.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdkjj.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdkmo.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdkqz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdksf.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdksu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdlhh.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdlky.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdltm.exe (Trojan.DNSChanger) -> Delete on reboot.
    C:\Windows\System32\kdlvy.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdmex.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdmpl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdmul.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdmvy.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdnkg.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdnxu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdodx.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdofv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdoju.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdokr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdokv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwaq.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwfc.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwhz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwiv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwju.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwlt.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwsf.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdwxj.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxch.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxgz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxkt.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxnp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxxl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdxyu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdyec.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdyei.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdygy.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdyqp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzae.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzgg.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzld.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzmp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzpy.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdztu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzue.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzvd.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdzyf.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kddku.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kddwd.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdeao.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdefe.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdehq.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdeld.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdepr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdfaw.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdfdn.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdffn.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdfgv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdfzm.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgdx.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgep.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgfj.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdggv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgjb.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgms.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgqw.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdguq.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdgxa.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhdc.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhfr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhgf.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhim.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdhtj.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdprv.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdpsl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdqef.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdqrm.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdqtc.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdqud.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdqzb.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrab.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdral.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrdn.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrrp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrsg.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrsy.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdrzp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdscw.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdsto.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdtbl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdtqz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdttr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdtyu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdunu.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\System32\kdutz.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    D:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Please also post RSIT logs
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Sep 2008
    Posts
    21

    Sorry, somehow I forgot it...

    However RSIT isn't working properly. After half the process this dialogue pops up:

    "Line- 1:

    Error: Subscript used with non-Array variable."



    When I click OK, RSIT is shut down.

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    OK, then we'll use this instead:

    1. Please download OTViewIt by OldTimer and save it to your Desktop.
    2. Close all applications and windows.
    3. Double-click on OTViewIt.exe to start OTViewIt.
    4. Place a checkmark in the blue-colored "Scan All Users" checkbox.
    5. Click the blue Run Scan button.
    6. OTViewIt will now start its scan.
    7. When the scan is complete, two text files will be created on the Desktop: OTViewIt.Txt (this one will be opened in Notepad) and Extras.txt.
    8. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and the Extras.txt to your post.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
