Win32.DNSChanger PLEASE HELP ME!!!!!!!!

I apparently have this virus and I desperately need to get rid of it. It won't allow me to open any of my documents, and I have important documents that need to be turned in tomorrow!

I've scanned several times using Spybot, Ad-Aware, as well as a Windows malicious software repair program, and nothing has taken care of it yet. My Symantec antivirus software won't run a scan (it keeps saying there's an error). I've just installed and run the latest version of HijackThis. Here is the log it gave me:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:02 AM, on 2/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Common Files\AOL\1162077762\ee\aolsoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aim6.exe

Here’s the rest…

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Faye Rojas\Desktop\windows-kb890830-v2.7.exe
c:\362d1abf510b7a267d422f1b522d46\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766b-9f49-4854-8034-f6ee26fcb1ec} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Win32-DNSChanger - {930e7881-d9f3-4293-a24b-23a80c013378} - C:\WINDOWS\system32\fejokt.dll
O2 - BHO: MyIdentityDefender - {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Documents and Settings\Faye Rojas\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: STOPzilla Browser Helper Object - {e3215f20-3212-11d6-9f8b-00d0b743919d} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Faye Rojas\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Djapari] rundll32.exe "C:\WINDOWS\ifepowije.dll",e
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingC1965] cmd.exe /c del "C:\Documents and Settings\Faye Rojas\Application Data\AdwareAlert\Log\2009 Feb 14 - 06_58_52 PM_625.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1255] command.com /c del "C:\Documents and Settings\Faye Rojas\Application Data\AdwareAlert\Log\2009 Feb 14 - 07_08_01 PM_062.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7473] cmd.exe /c del "C:\Documents and Settings\Faye Rojas\Application Data\AdwareAlert\Log\2009 Feb 14 - 07_08_01 PM_062.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7355] command.com /c del "C:\Documents and Settings\Faye Rojas\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7112] cmd.exe /c del "C:\Documents and Settings\Faye Rojas\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

What do I do!!!

Well, there seems to be a rather large part of the HJT log missing, the last part. See the link I posted, download MBAM and SAS. If the malware blocks the download, updating or running of either program, post back ASAP. If you run them successfully, post back with the results/logs and a complete HJT log.

http://www.malwarebytes.org/forums/index.php?showtopic=5398

MBAM http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

SAS http://www.superantispyware.com/

This one is suspicious.

O4 - HKLM\..\Run: [Djapari] rundll32.exe "C:\WINDOWS\ifepowije.dll",e

Your problem is coming from MyWebSearch.

O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"

I don't mind you using BitTorrent. But you don't seem to have a firewall, you are one service pack down, and you need to update Java to Version 6 Update 12.

Uninstall Java with JavaRa and install the latest version here.

How can you analyze half a log?

Hi folks,

Naturally one cannot analyze only part of the HJT log. Remember that this rootkit trojan can come with a random name.

Locating this malware (manually)

As the bot doesn't copy its body to the system, the name of the malicious file can vary. The name of the malicious file depends on the installer used to infect the system with the bot. However, it is possible to detect the presence of the bot by checking the system registry.
Make a copy of the registry before making changes!

How to run regedit: see the picture attached below.

Users can check the system registry by running regedit.exe and checking the following registry value:

HKEY_CLASSES_ROOT\.htc\Content Type

System administrators of large networks can do this remotely using the reg.exe command as shown below:

The default system registry value (checked on Windows XP Pro SP2) for HKEY_CLASSES_ROOT\.htc\Content Type is "text/x-component". If there is a different value such as "{space}" in the registry, this may mean the machine is infected with Shadow bot malware.

You can also check another registry hive that enables the bot to make outbound network connections by changing Windows Firewall rules:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The bot adds an item to the list of Authorized Applications. The rule may be identified as "Flash Media" as shown below, but the name can vary.

This enables you to see the actual path to where the malicious file is stored on the infected system. The path to the malicious file can also be found in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry value. The bot appends the path to its file to the legitimate userinit.exe as shown below:

The filename and location may vary.

Network administrators can identify infected machines on the local network by checking outbound network connections to elena.ccpower.ru on port 3306, or by using address/port independent detection based on filtering network traffic for the patterns shown below:
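The registry and network checks described in this post, gathered into one audit script. This is an added example, not polonus's own commands or anything from the thread. It assumes PowerShell 2.0 is installed on the Windows XP machine (which needs SP3) and that it is run from an administrator account; the expected values are the defaults stated above, the firewall exceptions are listed for a human to review because the display name can vary, and port 3306 connections are reported without resolving the elena.ccpower.ru hostname.

```powershell
# Added example, not code from the thread. Audits the registry locations and the
# outbound connections polonus lists as Shadow bot indicators on Windows XP.
# Assumes PowerShell 2.0 or later and an administrator account (assumption).

function Test-ShadowBotIndicators {
    $findings = @()
    $psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # 1. HKCR\.htc "Content Type" must be the documented default "text/x-component".
    $htc = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.htc' -ErrorAction SilentlyContinue
    $contentType = if ($htc) { $htc.'Content Type' } else { $null }
    if ($contentType -ne 'text/x-component') {
        $findings += "HKCR\.htc 'Content Type' is '$contentType' (expected 'text/x-component')"
    }

    # 2. Winlogon Userinit: the bot appends its own path after the legitimate
    #    userinit.exe (Windows ships the value with a trailing comma, so split on it).
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $entries = $winlogon.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -notmatch '\\system32\\userinit\.exe$') {
            $findings += "Winlogon Userinit has an extra entry: $entry"
        }
    }

    # 3. Windows Firewall exceptions (standard profile). Each value name is the
    #    authorised executable's path and the data ends with the display name,
    #    "Flash Media" in the thread, but the name can vary, so list them all.
    $fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fwList = Get-ItemProperty -Path $fwPath -ErrorAction SilentlyContinue
    if ($fwList) {
        foreach ($prop in $fwList.PSObject.Properties) {
            if ($psMeta -contains $prop.Name) { continue }
            $flag = if ($prop.Value -match ':Flash Media$') { ' <-- name used in the thread' } else { '' }
            $findings += "Firewall exception: $($prop.Name) = $($prop.Value)$flag"
        }
    }

    # 4. TCP connections to remote port 3306, the port named in the thread. A
    #    legitimate MySQL client shows up here too, so review the remote address.
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+\s+(?<remote>\S+):3306\s+(?<state>\S+)\s+(?<procid>\d+)') {
            $findings += "TCP connection to $($matches.remote):3306 state=$($matches.state) PID=$($matches.procid)"
        }
    }

    return $findings
}

$result = @(Test-ShadowBotIndicators)
if ($result.Count -eq 0) { 'Nothing to review: no Shadow bot indicators found.' } else { $result }
```

Run it from an elevated PowerShell prompt; every line it prints is something to look at by hand, and the path shown in a suspicious Userinit entry or firewall exception is the file the removal steps further down operate on.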

Removing malware (manually)

The bot patches the winlogon.exe process in memory. This allows the malicious code to gain local system privileges and protects the original malicious file against removal. It also protects registry settings against modification by restoring them frequently. If the malicious process is not running, the patched winlogon.exe will restart it.

Once you have identified the malicious executable, follow the instructions below to remove the malware and restore system settings:

  1. Deny the current user all access to the malicious file. To do this, navigate to the file using Windows Explorer.

Make sure that you disable "Use simple file sharing" (for NTFS users) in Windows Explorer (go to the Windows Explorer menu → Tools → Folder Options → View):

Right-click the malicious file and select "Properties":

Go to the "Security" tab and adjust file access control. You will need to add the current user to the list of "Group or user names":

Click the "Add" button and enter the current user name. Check all checkboxes in the Deny column for the current user:

  2. Reboot your system.

  3. Navigate to the malicious file again. Now you will be able to remove it.

  4. Run regedit.exe and restore registry keys to default system values. The values may vary depending on your system installation path. Typical values are listed below (key=value):

"HKCR\.htc\Content Type" = "text/x-component"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" = "C:\WINDOWS\system32\userinit.exe"

  5. Delete the following values:

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Media"
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"

  6. Update your antivirus databases and run a full scan of your computer.
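The removal steps above as two PowerShell functions, one for before the reboot and one for after it. This is an added example and not polonus's own commands. It assumes PowerShell 2.0 on the Windows XP machine, an administrator account, and that the placeholder `$MaliciousFile` has been replaced with the path identified from the Userinit value or the firewall exception list; the registry backup follows the post's advice to copy the registry first, and the value name "Flash Media" and the firewall list key come from the post (the Run value's name can vary, as the post says).

```powershell
# Added example, not code from the thread: the manual removal steps as PowerShell 2.0
# functions for Windows XP. Run Block-MaliciousFile before the reboot (step 1) and
# Remove-ShadowBotArtifacts after it (steps 3 to 5), both from an administrator
# account (assumption). $MaliciousFile is a placeholder; replace it with the path
# found via the Userinit value or the firewall exception list.
$MaliciousFile = 'C:\PLACEHOLDER_PATH\malicious.exe'
$fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Step 1: deny the current user every right on the file (every Deny box checked),
# so the patched winlogon.exe cannot reload it at the next boot.
function Block-MaliciousFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -Path $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
    "Denied $user all access to $Path. Reboot now (step 2), then run Remove-ShadowBotArtifacts."
}

# Steps 3 to 5, after the reboot: delete the file, restore the two registry
# defaults, and remove the Run value and the firewall exception.
function Remove-ShadowBotArtifacts {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Back up the affected keys first, as the post advises (reg.exe is part of XP).
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "shadowbot-$stamp"
    reg.exe export 'HKCR\.htc' "$backup-htc.reg" | Out-Null
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "$backup-winlogon.reg" | Out-Null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess' "$backup-sharedaccess.reg" | Out-Null

    # Step 3: the Deny entry blocks the file's own DELETE right, but an administrator's
    # "Delete subfolders and files" right on the parent folder still allows removal.
    Remove-Item -Path $Path -Force

    # Step 4: restore the defaults (Userinit as Windows XP ships it, trailing comma included).
    Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.htc' -Name 'Content Type' -Value 'text/x-component'
    Set-ItemProperty -Path $winlogon -Name 'Userinit' -Value "$env:SystemRoot\system32\userinit.exe,"

    # Step 5: delete the persistence value ("Flash Media" in the thread; the name can
    # vary) and the firewall exception, whose value name is the file path itself.
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Flash Media' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $fwList -Name $Path -ErrorAction SilentlyContinue

    "Cleanup done. Update the antivirus databases and run a full scan (step 6)."
}

# Usage: Block-MaliciousFile -Path $MaliciousFile   (then reboot)
#        Remove-ShadowBotArtifacts -Path $MaliciousFile
```

Because the bot keeps rewriting its registry values while it runs, the registry edits in `Remove-ShadowBotArtifacts` are only worth doing after the reboot that follows the Deny entry, which is why the two halves are separate functions; the exported `.reg` files let you put the keys back if a restored value turns out to be wrong for that installation.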

polonus