Can't get rid of Zlob.DNS changer

3

3.1415

New member
I keep deleting this with either spybot or malwarebytes antimalware but it keeps coming back.

It is causing me to not be able to use windows update, have viamax ad's everywhere, and have random pop-ups on normal websites.

here is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:01 PM, on 1/14/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runescape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a6dd3134\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 2855 bytes
 
Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log. Let me also know if you're connected with a router.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
here is the combo fix report:

ComboFix 09-01-19.01 - Sean 2009-01-19 12:32:37.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2045.1425 [GMT -8:00]
Running from: c:\users\Sean\Desktop\New Folder\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-13 18:07 . 2009-01-13 18:08 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-01-13 18:07 . 2009-01-13 18:08 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-01-13 18:07 . 2009-01-13 18:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-13 17:20 . 2009-01-13 17:20 <DIR> d-------- C:\rsit
2009-01-13 17:20 . 2009-01-14 19:14 <DIR> d-------- c:\program files\trend micro
2009-01-05 20:34 . 2009-01-05 20:35 <DIR> d-------- c:\program files\VstPlugins
2009-01-05 20:34 . 2009-01-05 20:34 <DIR> d-------- c:\program files\ASIO4ALL v2
2009-01-05 20:34 . 2006-06-20 00:56 225,280 --a------ c:\windows\System32\rewire.dll
2009-01-05 20:33 . 2009-01-05 20:33 <DIR> d-------- c:\program files\Outsim
2009-01-05 20:33 . 2002-07-07 14:14 1,294,336 --a------ c:\windows\System32\vorbis.acm
2009-01-05 20:30 . 2009-01-05 20:35 <DIR> d-------- c:\program files\Image-Line
2008-12-26 12:38 . 2008-12-26 12:38 <DIR> d-------- c:\program files\Haali
2008-12-25 14:17 . 2008-12-25 14:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 14:17 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-25 14:17 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-25 07:57 . 2008-12-25 07:57 1,024 --a------ c:\windows\System32\gncontent.cch
2008-12-25 07:54 . 2008-12-25 08:20 <DIR> d-------- c:\users\Sean\AppData\Roaming\Sony
2008-12-25 07:54 . 2008-12-25 07:54 <DIR> d-------- c:\users\All Users\Sony
2008-12-25 07:54 . 2008-12-25 07:54 <DIR> d-------- c:\programdata\Sony
2008-12-25 07:52 . 2008-12-25 07:52 <DIR> d-------- c:\program files\Sony Setup
2008-12-25 07:52 . 2008-12-25 07:52 <DIR> d-------- c:\program files\Common Files\Sony Shared
2008-12-23 08:45 . 2008-12-23 08:45 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-23 08:44 . 2008-12-23 08:44 <DIR> d-------- c:\program files\eRightSoft
2008-12-23 08:44 . 2005-02-22 07:55 81,920 -r-hs---- c:\windows\System32\aac_parser.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 17:57 --------- d-----w c:\users\Sean\AppData\Roaming\.purple
2009-01-19 17:27 --------- d-----w c:\users\Sean\AppData\Roaming\uTorrent
2009-01-17 19:48 34 ----a-w c:\users\Sean\jagex_runescape_preferences.dat
2009-01-09 07:19 --------- d-----w c:\users\Sean\AppData\Roaming\MxBoost
2009-01-07 05:22 --------- d-----w c:\users\Sean\AppData\Roaming\gtk-2.0
2008-12-22 17:54 --------- d---a-w c:\programdata\TEMP
2008-12-22 17:53 --------- d-----w c:\program files\SpywareBlaster
2008-12-21 16:48 --------- d-----w c:\program files\Steam
2008-12-17 00:25 --------- d-----w c:\users\Sean\AppData\Roaming\Media Player Classic
2008-12-16 23:49 --------- d-----w c:\program files\Combined Community Codec Pack
2008-12-13 02:11 --------- d-----w c:\program files\Common Files\Steam
2008-12-12 07:41 --------- d-----w c:\program files\QuickTime
2008-12-12 07:40 --------- d-----w c:\programdata\Apple Computer
2008-12-12 07:40 --------- d-----w c:\programdata\Apple
2008-12-12 07:40 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 07:40 --------- d-----w c:\program files\Apple Software Update
2008-12-12 07:36 --------- d-----w c:\program files\Winamp
2008-12-04 06:33 --------- d-----w c:\programdata\NOS
2008-12-04 06:33 --------- d-----w c:\program files\NOS
2008-12-04 05:29 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-04 05:28 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 05:35 --------- d-----w c:\program files\Java
2008-12-02 05:58 --------- d-----w c:\users\Sean\AppData\Roaming\Maxthon2
2008-11-26 23:31 21,371,392 ----a-w c:\windows\System32\imageres.dll
2008-11-26 23:29 --------- d-----w c:\programdata\Stardock
2008-11-26 23:28 --------- d-----w c:\program files\Stardock
2008-11-25 06:31 --------- d-----w c:\program files\Opera
2008-11-25 06:23 --------- d-----w c:\programdata\comodo
2008-11-25 06:23 --------- d-----w c:\program files\COMODO
2008-11-25 05:32 249,592 ----a-w c:\windows\System32\cssdll32.dll
2008-11-25 04:14 --------- d-----w c:\users\Sean\AppData\Roaming\Malwarebytes
2008-11-25 04:14 --------- d-----w c:\programdata\Malwarebytes
2008-11-22 02:06 --------- d-----w c:\programdata\Avg8
2008-11-22 01:22 --------- d-----w c:\programdata\MailFrontier
2008-11-21 20:25 --------- dc-h--w c:\programdata\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-21 20:07 --------- dc-h--w c:\programdata\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2008-11-21 20:07 --------- d-----w c:\users\Sean\AppData\Roaming\Uniblue
2008-11-21 20:06 --------- d-----w c:\program files\Uniblue
2008-11-21 19:58 --------- d-----w c:\program files\Intel
2008-11-21 19:56 --------- d-----w c:\program files\IDT
2008-11-21 19:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 19:54 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-21 19:49 --------- dc-h--w c:\programdata\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-11-21 19:49 --------- d-----w c:\programdata\DriverScanner
2008-11-20 06:29 --------- d-----w c:\users\Sean\AppData\Roaming\OpenOffice.org
2008-11-19 02:28 --------- d-----w c:\users\Sean\AppData\Roaming\Winamp
2008-11-16 23:55 174 --sha-w c:\program files\desktop.ini
2008-11-10 13:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2006-05-03 09:06 163,328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_20.54.47.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-14 03:15:09 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-01-19 19:01:26 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-01-14 03:15:09 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-01-19 19:01:26 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-01-13 23:27:40 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2009-01-19 09:44:04 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2009-01-14 03:17:41 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-01-19 19:03:00 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-01-13 23:27:41 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2009-01-19 09:44:04 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2009-01-14 04:54:05 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-19 20:34:53 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-01-13 23:27:40 262,144 ----a-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2009-01-19 09:44:04 262,144 ----a-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
- 2009-01-14 04:51:56 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-01-19 20:32:26 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-01-14 03:21:38 103,818 ----a-w c:\windows\System32\perfc009.dat
+ 2009-01-19 19:07:59 103,818 ----a-w c:\windows\System32\perfc009.dat
- 2009-01-14 03:21:38 618,410 ----a-w c:\windows\System32\perfh009.dat
+ 2009-01-19 19:07:59 618,410 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-14 03:18:40 7,612 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3525572901-3789064050-1755406554-1000_UserData.bin
+ 2009-01-19 17:41:10 7,926 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3525572901-3789064050-1755406554-1000_UserData.bin
- 2009-01-14 03:18:38 50,686 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-19 17:41:10 50,868 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-01-14 03:18:36 26,074 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-01-19 19:03:20 26,262 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-12-03 399504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Users^Sean^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-12 18:10 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 05:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
--a------ 2008-05-22 17:31 442467 c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 08:48 99624 c:\program files\Uniblue\RegistryBooster\StartRegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-11 07:26 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{E9DF9952-4E22-4773-B475-EFBDEF1C0470}c:\\users\\sean\\desktop\\utorrent.exe"= UDP:c:\users\sean\desktop\utorrent.exe:utorrent.exe
"UDP Query User{79E5F092-0D54-4791-AC19-A2A54AC87761}c:\\users\\sean\\desktop\\utorrent.exe"= TCP:c:\users\sean\desktop\utorrent.exe:utorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [2008-12-25 15504]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-12-25 170640]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\System32\drivers\Icam3.sys [2008-11-21 141056]
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\Malwarebytes' Scheduled Update for Sean.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-12-03 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://runescape.com/
FF - ProfilePath - c:\users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\86l4yxbh.default\
FF - prefs.js: browser.startup.homepage - myspace.com
FF - prefs.js: network.proxy.type - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 12:34:58
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-19 12:37:41
ComboFix-quarantined-files.txt 2009-01-19 20:37:35
ComboFix2.txt 2009-01-14 04:56:33

Pre-Run: 264,545,189,888 bytes free
Post-Run: 264,521,515,008 bytes free

191


Here's a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:19 PM, on 1/19/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runescape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a6dd3134\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 2840 bytes
 
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

c:\users\Sean\AppData\Roaming\uTorrent

and files:

c:\users\sean\desktop\utorrent.exe


Empty Recycle Bin.

After that:

Reset your router to factory default settings (change password something more difficult to discover than the default one).


Start hjt (by right clicking HijackThis.exe and select 'run as administrator'), do a system scan, check (if found):
O20 - AppInit_DLLs:

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
c:\users\sean\desktop\utorrent.exe

Folder::
c:\users\Sean\AppData\Roaming\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{E9DF9952-4E22-4773-B475-EFBDEF1C0470}c:\\users\\sean\\desktop\\utorrent.exe"=-
"UDP Query User{79E5F092-0D54-4791-AC19-A2A54AC87761}c:\\users\\sean\\desktop\\utorrent.exe"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
 
Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top