#1 - 12-30-2008, 04:25 PM
lizbette (Registered User; Join Date: Dec 2008; Posts: 10; OS: Windows XP Service Pack 3)

Possible Trojan, DNS problem, Redirecting!!! Despr8

PROBLEMS:
- Windows Update redirects to msn.com in regular mode.
- In safe mode, Windows Update does not redirect, but it shows a version of "this page cannot be displayed" (all other pages, like Google, Yahoo, etc., can be displayed).
- When I troubleshoot it, it says something about how my DNS is not found or not connected, or something like that.
- When I use wiggio.com (kind of like a discussion group board) it says "We notice that you're using Internet Explorer 6, which is an out of date version. A few things may look or behave strangely." However, I am using Internet Explorer 7!!! Confused?
- Furthermore, when I try to do a McAfee free virus scan, it says "To download and install McAfee software, your computer must be running Microsoft Internet Explorer 5.0 or later." I am using IE7!!!!
- I downloaded AVG Free 8; it refuses to update, no matter what I try, saying "the connection with update server has failed".

*This wiggio/McAfee thing has been going on for a while now, whereas I have only recently noticed the Windows Update redirect/AVG updating thing. Whether that's because I never thought to use Windows Update in the past when using this computer, or because they are separate, unlinked problems, I have no idea.

THINGS I HAVE TRIED TO DO TO RESOLVE THE PROBLEM:
- I have used Ad-Aware, which found the Zlob trojan and removed it. After I removed it, Windows Update worked just long enough for me to download the latest security updates, including the most recent IE critical security update (thank god), but after that download was finished and I tried updating again, Windows Update started redirecting to MSN again. ZlobDNSChanger is still there, no matter what I do.
- I downloaded Spybot, which updates perfectly, but it does not solve my problem.
- This is my father's work computer, and he's on a business trip currently, so I'm using it, and it is messed up. I have noticed he had installed some Chinese chat programs like QQ, and this weird alipay.com "Bank of something or other", which I promptly deleted. Still doesn't solve my problem.

*No matter what, I cannot reinstall Windows XP SP3 on this computer, because everything that is crucial is on here.

*I attached the log files from GMER; I didn't do the ones from DSS, because of the suspected rootkit infection tetonbob posted a sticky about.
Attached file: ark.txt (4.4 KB)
#2 - 01-03-2009, 09:59 AM
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,328; OS: XP SP3)

Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Hello and welcome to TSF.

Quote:
-i didn't do the ones from dss, because of the suspected rootkit infection tetonbob posted a sticky about.
tetonbob's post is about DSS, i.e. Deckard's System Scanner, and has nothing to do with the DDS logs, which we require on our pre-posting page. We need those logs for the analysis of any potential malware.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Please run DDS and post back both of the logs it produced.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#3 - 01-05-2009, 06:09 PM
lizbette (Registered User; Join Date: Dec 2008; Posts: 10; OS: Windows XP Service Pack 3)

Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Sorry... I skim through what I read before I have the chance to digest it clearly. Here's the dds.txt, and I attached the "attach.txt".

I have noticed that both my Windows XP SP3 computer and my Toshiba laptop with Windows XP SP3 (Wi-Fi) redirect their Windows Update to MSN, and both seem to be running extremely slow. Furthermore, my other computer, a Windows 2000 machine, can no longer run McAfee FreeScan, saying my Internet Explorer is not supported when it really is. I'm guessing this virus/trojan problem has spread to all computers in the house.

*The logs I have posted came from my Windows XP SP3 computer.

DDS (Version 1.1.0) - NTFSx86
Run by Owner at 19:59:34.71 on 01/05/2009 Mon
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.254.26 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\dds.com
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - c:\progra~1\e-book~1\flipvi~1\fplaunch.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TPP Auto Loader] c:\windows\TPPALDR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PerfectOptimizer] c:\program files\perfect optimizer\PerfectOptimizer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: 添加到QQ表情 (Add to QQ Emoticons)
IE: 添加到QQ表情 (Add to QQ Emoticons) - c:\program files\tencent\qq\AddEmotion.htm
IE: 添加到QQ表情 (Add to QQ Emoticons) - c:\program files\tencent\qq\AddEmotion.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - {EC4548D7-1F09-4FC2-BB95-E34724CF3D60} http://uk.trendmicro-europe.com/ente...secall_pre.php
- http://uk.trendmicro-europe.com/ente...inprocserver32 does not exist!
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S3 Alidevice;Alidevice; [x]
S3 TPP725;USB Storage Adapter (TPP);c:\windows\system32\drivers\TPP725.SYS [2004-3-7 43269]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-01-03 23:21 <DIR> --d----- c:\program files\Perfect Optimizer
2009-01-03 23:01 <DIR> --d----- c:\program files\RegistryFix7
2009-01-01 17:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-01 16:59 0 a------- c:\windows\system32\REN79.tmp
2009-01-01 16:59 0 a------- c:\windows\system32\REN78.tmp
2009-01-01 14:18 <DIR> --d----- c:\program files\fxsolutions
2009-01-01 01:24 <DIR> --d----- c:\program files\common files\Tencent
2009-01-01 01:23 <DIR> --d----- c:\program files\Tencent
2009-01-01 01:23 <DIR> --d----- c:\docume~1\owner\applic~1\Tencent
2008-12-30 13:33 <DIR> --d-h--- c:\program files\InstallJammer Registry
2008-12-30 12:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Marlin
2008-12-30 12:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kinoma
2008-12-28 21:57 0 a------- c:\windows\NSREX.INI
2008-12-28 21:53 <DIR> --d----- c:\windows\system32\Viewers
2008-12-28 21:51 <DIR> --d----- c:\program files\Snapshot Viewer
2008-12-28 21:51 <DIR> --d----- c:\windows\Twain32
2008-12-26 16:30 <DIR> --d----- c:\windows\ShellNew
2008-12-24 17:21 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-24 17:21 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-24 17:21 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-24 17:21 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-24 12:30 63 a------- c:\windows\system\SysSD.dll
2008-12-21 17:38 <DIR> --d----- C:\KAV
2008-12-19 12:20 3,538 a------- c:\windows\system32\tmp.reg
2008-12-19 12:17 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-12-19 12:17 82,432 a------- c:\windows\system32\404Fix.exe
2008-12-19 12:17 80,384 a------- c:\windows\system32\o4Patch.exe
2008-12-19 12:17 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-19 12:17 87,552 a------- c:\windows\system32\VACFix.exe
2008-12-19 12:17 82,944 a------- c:\windows\system32\IEDFix.exe
2008-12-19 12:17 79,360 a------- c:\windows\system32\swxcacls.exe
2008-12-19 12:17 288,417 a------- c:\windows\system32\SrchSTS.exe
2008-12-19 12:17 135,168 a------- c:\windows\system32\swreg.exe
2008-12-19 12:17 51,200 a------- c:\windows\system32\dumphive.exe
2008-12-18 20:52 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-12-18 19:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-10 12:52 <DIR> --d----- c:\program files\VTTrader 2

==================== Find3M ====================

2009-01-01 17:03 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-26 16:33 5,058 a------- c:\windows\help\hhcolreg.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-03-14 18:00 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2001-10-05 11:53 21,866 a------- c:\program files\common files\tppupd2k.dll
1998-12-08 21:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 21:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 21:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 21:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 21:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 21:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL
2008-08-19 13:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 20:00:51.75 ===============
Attached file: Attach.txt (6.5 KB)
#4 - 01-05-2009, 08:13 PM
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,328; OS: XP SP3)

Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Hi lizbette,

You have these programs installed:

PerfectOptimizer
RegistryFix7
InstallJammer Registry


We do not recommend the use of any registry cleaning/tweaking/optimizing software, unless you know very well what you're doing. Please read these two articles about them:

http://miekiemoes.blogspot.com/2008/...eaking_13.html

http://aumha.net/viewtopic.php?t=28099

===========================

I don't see any sign of infection in the log, just some orphaned registry entries none of which is malware.

Looks like you used SmitfraudFix a while back on December 19th. Was it in relation to the present issue? Is that how Zlob was removed?

Let's run this tool for a deeper look.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------
Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
#5 - 01-06-2009, 04:11 PM
lizbette (Registered User; Join Date: Dec 2008; Posts: 10; OS: Windows XP Service Pack 3)

Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Here's the log.
ComboFix ran in Chinese, and I had no idea how to change that. I had enough Chinese in my vocabulary to understand what it was doing, though.

Apparently Windows Recovery Console could not be installed because there was something wrong with the internet connection? Therefore I stopped ComboFix and tried opening Internet Explorer, but every page was "this page cannot be displayed".
After I restarted, the internet connection was restored, so I tried to manually install Windows Recovery Console through the Microsoft website, but the download page had a "this page cannot be displayed". Virus at work?? Since Windows Recovery Console would not be installed no matter what, I just ran ComboFix without it.

Thank you for the info about the registry cleaners. I have uninstalled them.

As for SmitfraudFix, yes, I used it to try to get rid of Zlob, but as this whole Windows Update-MSN redirecting thing is still occurring on both my laptop and computer, I concluded that it did not work and that Zlob was still on the computers, and had in fact spread.

ComboFix 09-01-05.05 - Owner 2009-01-06 17:39:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.254.97 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mdm.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-03 23:21 . 2009-01-04 08:31 <DIR> d-------- c:\program files\Perfect Optimizer
2009-01-03 23:01 . 2009-01-04 08:31 <DIR> d-------- c:\program files\RegistryFix7
2009-01-01 17:04 . 2009-01-01 17:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-01 17:03 . 2009-01-01 17:03 <DIR> d-------- c:\program files\Java
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN79.tmp
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN78.tmp
2009-01-01 14:18 . 2009-01-01 15:12 <DIR> d-------- c:\program files\fxsolutions
2009-01-01 01:24 . 2009-01-01 01:24 <DIR> d-------- c:\program files\Common Files\Tencent
2009-01-01 01:23 . 2009-01-01 01:23 <DIR> d-------- c:\program files\Tencent
2009-01-01 01:23 . 2009-01-01 01:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Tencent
2008-12-30 13:33 . 2008-12-30 14:20 <DIR> d--h----- c:\program files\InstallJammer Registry
2008-12-30 12:58 . 2008-12-30 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Marlin
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\program files\DIFX
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma
2008-12-28 21:57 . 2008-12-28 21:57 0 --a------ c:\windows\NSREX.INI
2008-12-28 21:53 . 2008-12-28 21:53 <DIR> d-------- c:\windows\system32\Viewers
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\windows\Twain32
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\program files\Snapshot Viewer
2008-12-26 16:30 . 2008-12-28 21:52 <DIR> d-------- c:\windows\ShellNew
2008-12-26 16:28 . 2008-12-26 16:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Web Folders
2008-12-24 17:21 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-24 17:21 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-24 12:30 . 2008-12-24 13:26 63 --a------ c:\windows\system\SysSD.dll
2008-12-21 17:38 . 2008-12-21 17:45 <DIR> d-------- C:\KAV
2008-12-21 15:19 . 2008-12-21 15:19 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 12:17 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-18 23:04 . 2008-12-19 19:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 20:52 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 19:21 . 2008-12-31 22:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 12:52 . 2008-12-10 12:52 <DIR> d-------- c:\program files\VTTrader 2

.
(((((((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 03:52 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-06 03:05 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-03 01:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-01 18:38 --------- d-----w c:\program files\fxsgts
2009-01-01 03:22 --------- d-----w c:\program files\E-Book Systems
2008-12-28 19:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:27 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 03:08 --------- d-----w c:\program files\Google
2008-12-18 23:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 04:15 --------- d-----w c:\documents and settings\All Users\Application Data\VTSystems
2008-12-04 04:11 --------- d-----w c:\program files\OperaPro2
2008-11-12 00:27 --------- d-----w c:\program files\MetaTrader - Alpari (US)
2008-03-14 23:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2008-08-19 18:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Important Registry Entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-11 185896]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\XRainbowPhone\\XRainbowPhone.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Tencent\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DealBook 360\\DealBookFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5425:TCP"= 5425:TCP:ppLive
"6152:UDP"= 6152:UDP:ppLive
"1950:TCP"= 1950:TCP:fx trader
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2
"2020:TCP"= 2020:TCP:Port3
"1000:TCP"= 1000:TCP:Port4

S3 Alidevice;Alidevice; [x]
S3 TPP725;USB Storage Adapter (TPP);c:\windows\system32\drivers\TPP725.SYS [2004-03-07 43269]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d70f482-42ce-11dc-b952-000bdbc46caf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\PerfectOptimzier_OneClick.job
- c:\program files\Perfect Optimizer\PerfectOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-PerfectOptimizer - c:\program files\Perfect Optimizer\PerfectOptimizer.exe


.
------- Supplementary Scan -------
.
IE: 添加到QQ表情 (Add to QQ Emoticons)
IE: 添加到QQ表情 (Add to QQ Emoticons) - c:\program files\Tencent\qq\AddEmotion.htm
IE: 添加到QQ表情 (Add to QQ Emoticons) - c:\program files\Tencent\QQ\AddEmotion.htm

c:\windows\Downloaded Program Files\safeInput4jh.dll - O16 -: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714}
hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 17:44:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-583907252-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\%懫qR漢*NULL**NULL*鉺*NULL*\InfFile]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt\1*NULL*]
"value"="?\04\00\02\12\05\1f?"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ2009\\Bin\\AddEmotion.htm"
.
Completion time: 2009-01-06 17:48:28
ComboFix-quarantined-files.txt 2009-01-06 22:47:50

Pre-Run: 44,097,908,736 bytes free
Post-Run: 44,268,527,616 bytes free

171 --- E O F --- 2008-12-25 22:26:38
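The registry section of the ComboFix log above carries the three things an analyst reads first in a case like this: the per-device MountPoints2 entry whose AutoRun and Open verbs run resycled\boot.com from drive G: (the footprint of an autorun.inf worm that has already copied itself to a removable disk), the list of programs the XP firewall has been told to allow, and the globally opened ports, several of which are described only as "Port1" to "Port4". The following is an added example, not a ComboFix, HijackThis or TSF tool, that parses that section and narrows it to those items; the sample text is an excerpt copied from the log above, the allow-list rule (anything under the Windows directory is treated as benign) is a heuristic chosen here, and whether a flagged exception or port is actually unwanted stays the analyst's decision.

```python
"""Triage of the registry section of a ComboFix log.

Added example for this thread; not a ComboFix, TSF or HijackThis tool.
Reads the text ComboFix prints under its registry-entries heading and flags
MountPoints2 AutoRun/Open commands, non-Windows firewall exceptions and
open ports with placeholder names. Which flagged item is unwanted is the
analyst's call; this only narrows the list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: a few lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"c:\\Program Files\\Tencent\\QQ2009\\Bin\\QQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5425:TCP"= 5425:TCP:ppLive
"1950:TCP"= 1950:TCP:fx trader
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d70f482-42ce-11dc-b952-000bdbc46caf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:
"""


@dataclass
class Finding:
    kind: str      # firewall-exception | open-port | mountpoints2-autorun
    detail: str    # program path, port/proto, or the command line
    reason: str


KEY_RE = re.compile(r"^\[(.+)\]$")
FW_APP_RE = re.compile(r'^"(.+?)"=\s*$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
MP_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.*)$")
PLACEHOLDER_RE = re.compile(r"^port\d*$", re.IGNORECASE)


def _in_windows_dir(path: str) -> bool:
    """Heuristic allow-list: programs under the Windows directory are skipped."""
    p = path.lower()
    return p.startswith("%windir%") or p.startswith("c:\\windows\\")


def triage(text: str) -> list[Finding]:
    """Walk the log line by line, tracking the registry key each line belongs to."""
    findings: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if "authorizedapplications" in key:
            m = FW_APP_RE.match(line)
            if m:
                # ComboFix prints REG_SZ paths with doubled backslashes.
                path = m.group(1).replace("\\\\", "\\")
                if not _in_windows_dir(path):
                    findings.append(Finding(
                        "firewall-exception", path,
                        "third-party program allowed through the XP firewall; "
                        "confirm it is wanted"))
        elif "globallyopenports" in key:
            m = PORT_RE.match(line)
            if m:
                port, proto, desc = m.groups()
                if PLACEHOLDER_RE.match(desc.strip()):
                    findings.append(Finding(
                        "open-port", f"{port}/{proto}",
                        f"port opened with placeholder name {desc.strip()!r}; "
                        "no program identifies itself as the owner"))
        elif "mountpoints2" in key:
            m = MP_CMD_RE.match(line)
            if m:
                verb, cmd = m.groups()
                drive = re.search(r"\b([a-z]):\s*$", cmd, re.IGNORECASE)
                where = drive.group(1).upper() + ":" if drive else "?"
                findings.append(Finding(
                    "mountpoints2-autorun", cmd,
                    f"{verb} verb for drive {where} runs a file from the "
                    "device itself (autorun.inf residue); inspect that drive"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.reason}")
```

Run against the excerpt it reports the Synacast and QQ firewall exceptions, ports 1999/TCP and 3020/TCP, and both MountPoints2 verbs for G:, which is exactly the shortlist a CFScript for this machine would be built from; the sessmgr.exe exception and the named ppLive and "fx trader" ports are passed over by the heuristic and would still get a manual look.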
#6 - 01-06-2009, 09:39 PM
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,328; OS: XP SP3)

Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Hi,

Quote:
ComboFix ran in Chinese, and I had no idea how to change that. I had enough Chinese in my vocabulary to understand what it was doing, though.
Probably the Regional and Language settings were set to Chinese via Control Panel. If you wish to reverse it, you can do so. Since this is your father's computer, you may not want to change it, though. As far as I am concerned, it's not a problem. If you still want to change it, go to Start > Control Panel > Regional and Language Options > Languages tab and click on the "Details" button. It will open a new window where you can make the changes. It will probably require a reboot.

========================

Please have your g drive inserted during the next scan with Combofix.
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won't work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
File::
g:\resycled\boot.com
c:\windows\Tasks\PerfectOptimzier_OneClick.job

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d70f482-42ce-11dc-b952-000bdbc46caf}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

===================================

Please download RegQuery by Noviciate to your desktop
  • Copy the following registry key path by highlighting the text and pressing CTRL and C at the same time
HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt
  • Double click RegQuery.exe to run the program
  • Paste the text you have copied, using CTRL and V, into the textbox
  • Click the Query button
  • A Notepad file will open. Please paste the contents in your next reply
  • You may now close the RegQuery program

===================================

Please post back the Combofix.txt and the RegQuery text in your next reply. Let me know if you're still being redirected.
Last edited by amateur; 01-07-2009 at 07:36 AM. Reason: removed tags
#7 - 01-07-2009, 07:46 PM
lizbette (Registered User; Join Date: Dec 2008; Posts: 10; OS: Windows XP Service Pack 3)

Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Here's the RegQuery log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt]

Windows Recovery Console still would not install because of some connection problem.
The annoying redirecting still occurs, only now it directs me to Google, but the address bar is correct, reading http://windowsupdate.microsoft.com/.

Here's the ComboFix log (left in Chinese).

ComboFix 09-01-07.01 - Owner 2009-01-07 21:14:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.254.60 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\Tasks\PerfectOptimzier_OneClick.job
g:\resycled\boot.com
.

(((((((((((((((((((((((((((((((((((((((   Files Deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\resycled
F:\autorun.inf
F:\resycled
G:\autorun.inf
G:\resycled
.
---- Previous Run -------
.
C:\Autorun.inf
C:\resycled
c:\resycled\boot.com
c:\windows\Tasks\PerfectOptimzier_OneClick.job
F:\autorun.inf
F:\resycled
f:\resycled\boot.com
G:\autorun.inf
G:\resycled
g:\resycled\boot.com

.
(((((((((((((((((((((((((   Files Created from 2008-12-08 to 2009-01-08   )))))))))))))))))))))))))))))))
.

2009-01-03 23:21 . 2009-01-04 08:31 <DIR> d-------- c:\program files\Perfect Optimizer
2009-01-03 23:01 . 2009-01-04 08:31 <DIR> d-------- c:\program files\RegistryFix7
2009-01-01 17:04 . 2009-01-01 17:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-01 17:03 . 2009-01-01 17:03 <DIR> d-------- c:\program files\Java
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN79.tmp
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN78.tmp
2009-01-01 14:18 . 2009-01-01 15:12 <DIR> d-------- c:\program files\fxsolutions
2009-01-01 01:24 . 2009-01-01 01:24 <DIR> d-------- c:\program files\Common Files\Tencent
2009-01-01 01:23 . 2009-01-01 01:23 <DIR> d-------- c:\program files\Tencent
2009-01-01 01:23 . 2009-01-01 01:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Tencent
2008-12-30 13:33 . 2008-12-30 14:20 <DIR> d--h----- c:\program files\InstallJammer Registry
2008-12-30 12:58 . 2008-12-30 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Marlin
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\program files\DIFX
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma
2008-12-28 21:57 . 2008-12-28 21:57 0 --a------ c:\windows\NSREX.INI
2008-12-28 21:53 . 2008-12-28 21:53 <DIR> d-------- c:\windows\system32\Viewers
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\windows\Twain32
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\program files\Snapshot Viewer
2008-12-26 16:30 . 2008-12-28 21:52 <DIR> d-------- c:\windows\ShellNew
2008-12-26 16:28 . 2008-12-26 16:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Web Folders
2008-12-24 17:21 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-24 17:21 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-24 12:30 . 2008-12-24 13:26 63 --a------ c:\windows\system\SysSD.dll
2008-12-21 17:38 . 2008-12-21 17:45 <DIR> d-------- C:\KAV
2008-12-21 15:19 . 2008-12-21 15:19 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 12:17 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-18 23:04 . 2008-12-19 19:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 20:52 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 19:21 . 2008-12-31 22:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 12:52 . 2008-12-10 12:52 <DIR> d-------- c:\program files\VTTrader 2

.
((((((((((((((((((((((((((((((((((((((((   Files Modified Within the Last Three Months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 13:21 --------- d-----w c:\program files\MetaTrader - Alpari (US)
2009-01-06 03:52 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-06 03:05 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-03 01:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-01 22:03 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-01 18:38 --------- d-----w c:\program files\fxsgts
2009-01-01 03:22 --------- d-----w c:\program files\E-Book Systems
2008-12-28 19:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:27 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 03:08 --------- d-----w c:\program files\Google
2008-12-18 23:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 04:15 --------- d-----w c:\documents and settings\All Users\Application Data\VTSystems
2008-12-04 04:11 --------- d-----w c:\program files\OperaPro2
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-03-14 23:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2008-08-19 18:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-06_17.45.58.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-08 02:09:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_744.dat
.
(((((((((((((((((((((((((((((((((((((   Registry Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-11 185896]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\XRainbowPhone\\XRainbowPhone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Tencent\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DealBook 360\\DealBookFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5425:TCP"= 5425:TCP:ppLive
"6152:UDP"= 6152:UDP:ppLive
"1950:TCP"= 1950:TCP:fx trader
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2
"2020:TCP"= 2020:TCP:Port3
"1000:TCP"= 1000:TCP:Port4

S3 Alidevice;Alidevice; [x]
S3 TPP725;USB Storage Adapter (TPP);c:\windows\system32\drivers\TPP725.SYS [2004-03-07 43269]
.
.
------- Supplementary Scan -------
.
IE: Add to QQ Emoticons (添加到QQ表情)
IE: Add to QQ Emoticons (添加到QQ表情) - c:\program files\Tencent\qq\AddEmotion.htm
IE: Add to QQ Emoticons (添加到QQ表情) - c:\program files\Tencent\QQ\AddEmotion.htm

c:\windows\Downloaded Program Files\safeInput4jh.dll - O16 -: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714}
hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 21:18:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-583907252-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\%懫qR漢*NULL**NULL*鉺*NULL*\InfFile]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt\1*NULL*]
"value"="?\04\00\02\12\05\1f?"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ2009\\Bin\\AddEmotion.htm"
.
Completion time: 2009-01-07 21:21:19
ComboFix-quarantined-files.txt 2009-01-08 02:20:41
ComboFix2.txt 2009-01-06 22:48:31

Pre-Run: 45,545,353,216 bytes free
Post-Run: 45,535,031,296 bytes free

187 --- E O F --- 2008-12-25 22:26:38
Old 01-07-2009, 09:10 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,328
OS: XP SP3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Hi,

Are you using a router? If so, it's possible that your router's DNS settings have been compromised. Some variants of the Zlob trojan have been able to do that. A hard reset of the router will fix it.

This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. While still powered, press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). You may also want to ask your ISP for help in case there are custom settings that need to be maintained.

Then change your admin login and password--make it a strong password. Check out this site here for tutorials on how to properly configure your router's encryption and security settings.

If you don't know the router's default password, check the manual or you can look it up on the internet.

===================================

Also, perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===================================

Please post back the Kaspersky report and let me know if the redirections have stopped.
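The router-side DNS compromise described in the post above usually leaves traces on the PC as well: the DNS server addresses the router hands out via DHCP, and HOSTS-file entries that pin update or antivirus domains to an address the attacker controls. The following Python script is an added example, not part of this thread and not code from ComboFix, RegQuery or any other tool mentioned here. It parses `ipconfig /all` output and a HOSTS file, flags DNS servers that are neither the adapter's own gateway (the router), nor an RFC 1918 LAN address, nor inside a caller-supplied list of trusted resolver networks, and flags HOSTS lines that map a watched domain anywhere. The sample `ipconfig` text, the sample HOSTS file, every address in them (RFC 5737 test ranges) and the watched-domain list are constructed for the example.

```python
"""Host-side checks for the two symptoms discussed in the thread: a rogue DNS
server handed to the PC, and HOSTS-file entries that pin update/AV domains.
All sample data below is constructed for this example (RFC 5737 test ranges)."""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from an XP laptop behind a router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            203.0.113.8
"""

# Constructed sample HOSTS file with entries a DNS-hijacking trojan might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.9     windowsupdate.microsoft.com   # sends update traffic elsewhere
203.0.113.9     update.microsoft.com
127.0.0.1       download.mcafee.com           # blocks the AV download
"""

# Assumption for this example: domains whose redirection would explain the
# thread's symptoms (Windows Update and antivirus updates failing).
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com",
                    "avg.com", "kaspersky.com", "symantec.com")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HEADER_RE = re.compile(r"^(\S.*):\s*$")                          # "Ethernet adapter X:"
LABELED_RE = re.compile(r"^\s+([A-Za-z][^.:]*?)[\s.]*:\s*(.*)$")  # "Label . . . : value"


def parse_ipconfig(text):
    """Return {adapter: {"gateway": ip-or-None, "dns": [ip, ...]}}."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {"gateway": None, "dns": []}
            field = None
            continue
        if current is None:
            continue
        m = LABELED_RE.match(line)
        if m:
            field, value = m.group(1).strip().lower(), m.group(2)
        else:
            value = line          # indented continuation line: a second DNS server
        ip = IP_RE.search(value)
        if not ip:
            continue
        if field == "default gateway":
            adapters[current]["gateway"] = ip.group(1)
        elif field == "dns servers":
            adapters[current]["dns"].append(ip.group(1))
    return adapters


def rogue_dns_servers(adapters, trusted_nets):
    """DNS servers that are not the adapter's gateway, not on a private LAN,
    and not inside one of the caller's trusted networks (e.g. ISP resolvers)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    rogue = []
    for name, info in adapters.items():
        for srv in info["dns"]:
            addr = ipaddress.ip_address(srv)
            if srv == info["gateway"] or any(addr in n for n in RFC1918):
                continue
            if any(addr in n for n in trusted):
                continue
            rogue.append((name, srv))
    return rogue


def hijacked_hosts_entries(text):
    """HOSTS lines that map a watched update/AV domain to any address at all."""
    hits = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            h = host.lower()
            if any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES):
                hits.append((parts[0], host))
    return hits


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, srv in rogue_dns_servers(adapters, ["198.51.100.0/24"]):
        print(f"ROGUE DNS on {name}: {srv}")
    for addr, host in hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {addr}")
```

On a real machine, feed it the output of `ipconfig /all` and the contents of `%SystemRoot%\system32\drivers\etc\hosts`, with the ISP's resolver ranges as the trusted list. One caveat that matters for exactly this thread: when the router itself has been reconfigured, the PC still sees only the router's LAN address as its DNS server, so the first check passes while resolution is still being forwarded to the attacker's resolvers. The router's own WAN/DNS settings page has to be inspected as well, which is why the fix here was a hard reset followed by a new admin password.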
Old 01-08-2009, 07:01 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

I am in fact using a router called Linksys Wireless Access Point Router. However, if reset, what custom settings would usually need to be restored? How do I contact the ISP and what exactly is an ISP? (I'm far from being a knowledgeable techie.)

As for the Kaspersky scan, I have tried doing the scan, but the website refuses to allow the update section, so the scan would not run.
Old 01-08-2009, 07:39 PM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,328
OS: XP SP3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Hi lizbette,

ISP is your Internet Service Provider. If custom settings are needed, only your ISP can tell you what they are; I cannot. You can contact them via telephone.

Quote:
As for the Kaspersky scan, I have tried doing the scan, but the website refuses to allow the update section, so the scan would not run.
How does it refuse, what does it say?


While you're here, can we do this part of the last fix again? I didn't get the result I was expecting. I think I missed something.
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won't work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
SkipFix::

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt\1*NULL*]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


===========================

When you're done with that, please repeat the RegQuery part again.
  • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt
  • Double click RegQuery.exe to run the program
  • Paste the text you have copied using CTRL and V, into the textbox
  • Click the Query button
  • A Notepad file will open. Please paste the contents in your next reply

Sorry for asking you to do it the second time. Thanks.

So, I'll be expecting the Combofix.txt and the RegQuery results.
Old 01-09-2009, 06:20 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

ComboFix would run, then stop, saying "Find3M FINDSTR: Cannot open temp01". (This was before resetting the router.)

RegQuery did run. Here's the log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt]

I reset the Linksys router, but now my only problem is that when my laptop shows the wireless connections, my only option is the "unsecure" network called linksys. Before I reset the router, there was a secure network called airmedi. Does this mean I should contact my ISP to see what they can do? Is there a number where I can reach them?

Upon resetting the router, I have found Microsoft Update does not redirect anymore and works as it should, but I am uneasy about using an "unsecure" network, and the mysterious absence of my previous Wi-Fi network.
Old 01-09-2009, 06:29 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Also, before, Kaspersky "failed to connect to update source".

Now Kaspersky doesn't seem to want to download. It's been 10 minutes, and it's still at 0%.
Old 01-09-2009, 06:51 PM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,328
OS: XP SP3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Quote:
Upon resetting the router, I have found Microsoft Update does not redirect anymore and works as it should
That's good to hear.

If you are able to connect to the internet, it means that there weren't any custom settings. You don't need to call your ISP.

Did you visit this site here? There's good information there on how to secure your wireless connection.

Do you have your Wireless router's manual? If not, can you tell me what model it is?
Old 01-09-2009, 07:08 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

I'm sorry. I'm just very confused, and the wireless security site is confusing me a lot too. Is this linksys connection the same one I had before, only now it has a different name and it's unsecured?

I have a Linksys BEFW11S4.
Old 01-09-2009, 07:43 PM   #15 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,328
OS: XP SP3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

These two links explain how to get to your router's page, how to change your default router login credentials and how to secure your router.

http://linksys.custhelp.com/cgi-bin/...hp?p_faqid=598

If you don't feel comfortable about doing this yourself, call your internet service provider and ask them to walk you through it. Make sure that you note the new login ID and password somewhere safe for future use.

The following link explains how to secure your wireless router:

http://www.onguardonline.gov/tools/p...-password.aspx

When you're done, again make sure to keep a record of the changes you've made, in case you need to access them again.
Old 01-10-2009, 10:38 PM   #16 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Razz Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Amateur
Thank you for all of your help. Whatever was in my systems before now seems to be gone, as windows update works fine now. Kaspersky's scan, which now works, comes up with nothing. The links you gave me were very helpful. Thanks for solving this problem!
Old 01-11-2009, 10:08 AM   #17 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,328
OS: XP SP3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Hi,

Quote:
Thank you for all of your help. Whatever was in my systems before now seems to be gone, as windows update works fine now.
You're welcome. I am glad to hear that things are back to normal. It was the Zlob infection that changed the router settings.

Quote:
Kaspersky's scan, which now works, comes up with nothing.
Although I would have liked to see the report, I'll take your word for it.

We have a little house-keeping to do.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!
Old 01-12-2009, 04:32 PM   #18 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Thank you for all your help, amateur. The redirecting problem is now solved.
Old 01-12-2009, 04:38 PM   #19 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,328
OS: XP SP3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

You're welcome. Glad that we could help. Stay safe!
Copyright 2001 - 2009, Tech Support Forum