07-24-2005, 04:10 PM   #41 (permalink)
cholmes2 (Registered User)

helloooooooo anybody there?

07-24-2005, 08:47 PM   #42 (permalink)
MicroBell (Moderator - Security Team)

Since these entries reappear on your connection back to the internet..this sounds like the Trojan.Flush.A

Please follow the removal instructions here...

http://securityresponse.symantec.com...n.flush.a.html

07-25-2005, 01:59 PM   #43 (permalink)
cholmes2 (Registered User)

Hi,
Installed Norton Internet Security/Anti Virus and I found a trojan, but not Flush.A.

Found Nameserver in the registry, path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}

Deleted nameserver from this folder but left other items. Should I delete this whole folder? The folder name is the same as the code that follows nameserver in the hijackthis log. The folder didn't contain any IP addresses so was unable to delete these.

Nameserver keeps reappearing still.

Found my rasphone page and according to the advice on the link you gave me I was supposed to delete

"IpDnsAddress=69.50.176.196"
"IpDns2Address=192.225.176.37"
"IpNameAssign=2"

My addresses have different numbers (so did the nameserver entry) so should I delete them? If so, which ones? I had the same entries repeated a few times over for bluetooth LAN connections and BT Broadband etc.

Realize this is one very long thread by now and you're probably getting sick of me, but who knows, we might be nearly there (well I can dream, can't I?)

Many Thanks

PS Why is there a 'local hosts' entry in my hijackthis log? Is this simply from one of the programs I've downloaded to try and get rid of this, or should I be worried?

07-25-2005, 02:41 PM   #44 (permalink)
MicroBell (Moderator - Security Team)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}

As long as those IPs are not listed in the folder leave it be....

In the rasphone file delete the entries in BOLD if they are NOT your IPs from your ISP or network..and save the file. Write the IPs down though..in case you have to put them back. Both of those entries should contain YOUR IPs and NOT the bad guys'.

"IpDnsAddress=69.50.176.196"
"IpDns2Address=192.225.176.37"
"IpNameAssign=2"

Delete any IP that isn't part of your ISP or network.

Local host is your PC's address in the hosts file..hence it appears in the log. Check your hosts file and make sure you have no bad IPs listed. Also search the registry using the following IPs

69.50.188.180
85.255.112.5


If these IPs are not part of the network or your ISP's, delete the entries found.
Last edited by MicroBell; 07-25-2005 at 02:51 PM.

07-26-2005, 01:21 AM   #45 (permalink)
cholmes2 (Registered User)

Hi,
Although I had deleted nameserver from the registry it returned when I rebooted, so today I deleted it again along with the IP Address next to it in the same folder. When I reconnected to the web I had another look and now there are two nameserver entries complete with IP Addresses in different folders that didn't previously exist.

It seems that if it is deleted from one folder it simply creates another and places itself there. Also it's able to change its code (IP Address and that big code that sits between the '{}' brackets) as these are now different for the new entries.

Can you take a look at my rasphone.pbk? Although the IP addresses are different from the ones mentioned, I was wondering if there was anything there causing this stuff to return.

[Bluetooth LAN Connection Client]
Encoding=1
Type=3
AutoLogon=0
UseRasCredentials=1
DialParamsUID=305890
Guid=4B98498AAD230947BD6EFF0DDED3619C
BaseProtocol=1
VpnStrategy=0
ExcludedProtocols=3
LcpExtensions=1
DataEncryption=8
SwCompression=1
NegotiateMultilinkAlways=1
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=0
DialPercent=75
DialSeconds=120
HangUpPercent=10
HangUpSeconds=120
OverridePref=15
RedialAttempts=0
RedialSeconds=0
IdleDisconnectSeconds=0
RedialOnLinkFailure=0
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=COM4
PreferredDevice=Communications cable between two computers
PreferredBps=0
PreferredHwFlow=0
PreferredProtocol=0
PreferredCompression=0
PreferredSpeaker=0
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=632
TypicalAuth=1
IpPrioritizeRemote=1
IpHeaderCompression=1
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=2
IpFrameSize=1006
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=

NETCOMPONENTS=
ms_msclient=1
ms_server=1

MEDIA=rastapi
Port=LPT1
Device=Direct Parallel

DEVICE=rastapi
PhoneNumber=0
AreaCode=
CountryCode=44
CountryID=1
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1

[Bluetooth Dial-up Connection]
Encoding=1
Type=1
AutoLogon=0
UseRasCredentials=1
DialParamsUID=305765
Guid=10FE811106F0C04886D5057DFFE75F27
BaseProtocol=1
VpnStrategy=0
ExcludedProtocols=3
LcpExtensions=1
DataEncryption=0
SwCompression=1
NegotiateMultilinkAlways=1
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=2
DialPercent=75
DialSeconds=120
HangUpPercent=10
HangUpSeconds=120
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=-1
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=COM5
PreferredDevice=Standard 56000 bps V90 Modem
PreferredBps=0
PreferredHwFlow=0
PreferredProtocol=0
PreferredCompression=0
PreferredSpeaker=0
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=1
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=632
TypicalAuth=1
IpPrioritizeRemote=1
IpHeaderCompression=1
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=2
IpFrameSize=1006
IpDnsFlags=0
IpNBTFlags=0
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=

NETCOMPONENTS=
ms_msclient=1
ms_server=1

MEDIA=serial
Port=COM3
Device=Conexant HSF V92 56K PCI Modem
ConnectBPS=115200

DEVICE=modem
PhoneNumber=0
AreaCode=
CountryCode=44
CountryID=1
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
HwFlowControl=1
Protocol=1
Compression=1
Speaker=1
MdmProtocol=0

[Bluetooth GPRS Connection]
Encoding=1
Type=1
AutoLogon=0
UseRasCredentials=1
DialParamsUID=305921
Guid=7807298F4465A041A7694D48FB9AB0B4
BaseProtocol=1
VpnStrategy=0
ExcludedProtocols=3
LcpExtensions=1
DataEncryption=0
SwCompression=1
NegotiateMultilinkAlways=1
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=2
DialPercent=75
DialSeconds=120
HangUpPercent=10
HangUpSeconds=120
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=-1
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=COM5
PreferredDevice=Standard 56000 bps V90 Modem
PreferredBps=0
PreferredHwFlow=0
PreferredProtocol=0
PreferredCompression=0
PreferredSpeaker=0
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=1
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=632
TypicalAuth=1
IpPrioritizeRemote=1
IpHeaderCompression=1
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=2
IpFrameSize=1006
IpDnsFlags=0
IpNBTFlags=0
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=

NETCOMPONENTS=
ms_msclient=1
ms_server=1

MEDIA=serial
Port=COM3
Device=Conexant HSF V92 56K PCI Modem
ConnectBPS=115200

DEVICE=modem
PhoneNumber=*99#
AreaCode=
CountryCode=44
CountryID=1
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
HwFlowControl=1
Protocol=1
Compression=1
Speaker=1
MdmProtocol=0

[BT Broadband]
Encoding=1
Type=1
AutoLogon=0
UseRasCredentials=1
DialParamsUID=59078
Guid=ABB0FCC95C796643B97A75254CF6AD9D
BaseProtocol=1
VpnStrategy=0
ExcludedProtocols=3
LcpExtensions=1
DataEncryption=8
SwCompression=0
NegotiateMultilinkAlways=0
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=1
DialPercent=75
DialSeconds=120
HangUpPercent=10
HangUpSeconds=120
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=-1
RedialOnLinkFailure=0
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
AuthenticateServer=0
ShareMsFilePrint=0
BindMsNetClient=0
SharedPhoneNumbers=1
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=ISDN11-0
PreferredDevice=BT Voyager 105 ADSL Modem
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=632
TypicalAuth=1
IpPrioritizeRemote=1
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=2
IpFrameSize=1006
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=

NETCOMPONENTS=
ms_msclient=0
ms_server=0
ms_psched=1

MEDIA=isdn
Port=ISDN11-0
Device=BT Voyager 105 ADSL Modem

DEVICE=isdn
PhoneNumber=0,38
AreaCode=
CountryCode=44
CountryID=44
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
LineType=0
Fallback=1
EnableCompression=1
ChannelAggregation=1
Proprietary=0

Many thanks

07-26-2005, 02:23 AM   #46 (permalink)
MicroBell (Moderator - Security Team)

See if you have this file....dnsping.exe or these 2...
C:\WINDOWS\system32\micefix.exe
C:\WINDOWS\system32\sesmgr.exe

Let me know

You need to remove ALL these at once...otherwise one protects the other and adds the entries back. I want to try a few more tools.

Download FindIt's.zip to your desktop.
http://forums.net-integration.net/in...post&id=142443

Unzip/extract the files inside, preferably to C:\ < a new folder. Open the folder and run the FindIt's.bat and wait for a text to open. It will take a while, be patient. Post the results please.

Also....

Click Start > Run > type or copy&paste regedit /e c:\interfaces.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" >OK

This will create the file c:\interfaces.txt
Post the content please.
  • Download this Registry Search Tool
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string: {D74D6144-A420-4CC0-97EC-9F10E668DB9D}
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.

Post the Findit's and interfaces.txt logs and the Registry Search tool's log.

**Note** I will also need the CORRECT DNS servers for your provider!! If you can't find them....you'll have to contact them. We will need them to replace the bad ones in the rasphone.pbk file.
Last edited by MicroBell; 07-26-2005 at 02:43 AM.

07-26-2005, 09:50 AM   #47 (permalink)
cholmes2 (Registered User)

Hi,
Here's the Find-it log


Microsoft Windows XP [Version 5.1.2600]
The current date is: 26/07/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


And the interface.txt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{87A82460-4BA6-4E5E-AC11-E92BE482C81E}]
"NameServerList"=hex(7):00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{961A5304-BBB8-4CF0-AAE4-F270DBC1DC10}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{B74981C0-A043-44ED-9222-A406510EF3BF}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{D74D6144-A420-4CC0-97EC-9F10E668DB9D}]
"NameServerList"=hex(7):00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{EC735246-0262-4A1B-AABE-DEAC4BC60BC5}]
"NameServerList"=hex(7):00,00,00,00

I searched for the files and exe's you mentioned and didn't find any exact matches, though I did find

C:\WINDOWS\system32\sessmgr.exe

as opposed to

C:\WINDOWS\system32\sesmgr.exe which you mentioned, have left it for now to be on the safe side.

My computer is now having problems connecting to the web. Something to do with Tcpip.

Registry search tool didn't produce a log as it didn't find anything.

How do I find out my correct DNS address? Is it listed on my computer, and if it is, how can I be sure it's correct?

Thanks

07-26-2005, 05:44 PM   #48 (permalink)
MicroBell (Moderator - Security Team)

Quote:
Registry search tool didn't produce a log as it didn't find anything
Make sure you're using the correct search term. It has to find something as that CLSID is in the registry. To confirm it didn't change CLSIDs please run hijackthis and post JUST the O17 line. If that long number between the brackets is {D74D6144-A420-4CC0-97EC-9F10E668DB9D} do a search for it. Try just the D74D6144-A420-4CC0-97EC-9F10E668DB9D

**Note** If the hijackthis O17 entry doesn't match that above CLSID..do a search using the new CLSID and post another Interface log. If you're mucking around deleting things..this entry will change.

To find your DNS's click start...control panel....network connections. Right click on your ISP's icon..select properties.....networking tab. Make sure TCP/IP is highlighted..select properties..and the DNS's servers should be in the bottom. If not...or they are the bad IPs you will need to contact your ISP provider to get them. Most ISPs will have this on their homepage help sections..or you can call them and ask.

As for your connection...I didn't remove anything yet..so if you did...replace it. Make sure you made a backup of this file....rasphone.pbk If you have not...and you've been deleting entries and such...then use the one you posted...and restore it to those settings. That may help for now...as we are going to edit that file later anyway.

C:\WINDOWS\system32\sessmgr.exe <--LEGIT..leave it be!

07-27-2005, 11:55 AM   #49 (permalink)
cholmes2 (Registered User)

Hi,
I know we haven't deleted anything from the rasphone entry, I just didn't know if the trojan (or whatever this is) could be responsible, I wasn't trying to blame anyone!

The nameserver code has changed to this
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7D20C2-DE8C-4F09-BFA3-3C7EC4C72164}: NameServer = 69.50.188.180 85.255.112.5

And those DNS addresses appear in my Tcpip settings as

Preferred 69.50.188.180
Alternate 85.255.122.5

With my DNS settings set to use the following DNS addresses, rather than obtain automatically, I don't know which was the default setting. My IP address is set to obtain automatically.

I've rung BT and visited their support website to try and find out what my default DNS settings should be and what my DNS Server address should be, but I was told that the DNS address changes constantly (?) and they weren't much help; all I was told is that BT DNS address is 0.38. Which I already knew.
It still is. Perhaps something was lost in translation.

Also as the nameserver code has changed i did another interface log here it is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{87A82460-4BA6-4E5E-AC11-E92BE482C81E}]
"NameServerList"=hex(7):00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{8F7D20C2-DE8C-4F09-BFA3-3C7EC4C72164}]
"NameServerList"=hex(7):00,00,00,00
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{961A5304-BBB8-4CF0-AAE4-F270DBC1DC10}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{B74981C0-A043-44ED-9222-A406510EF3BF}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{EC735246-0262-4A1B-AABE-DEAC4BC60BC5}]
"NameServerList"=hex(7):00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{FA9E3676-7170-4906-ADCC-DEA356DA0BD1}]
"NameServerList"=hex(7):00,00

Many thanks

07-27-2005, 02:32 PM   #50 (permalink)
MicroBell (Moderator - Security Team)

Ok..here's what I want to do.

First..make a backup copy of this file....C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk and move it to a folder other than the one it's in.

I'm going to replace it so make sure you make a backup copy in case it doesn't work. If you can't connect with the one I upload..then just copy your backup copy back to that folder.

1. Download my attachment to this thread called rasphone.txt to your desktop.
2. Right click the file and rename it to rasphone.pbk
3. Disconnect your PC from ANY internet access.
4. Enter your Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically. Make sure the radio dial has the Green Dot in it!

Reboot into safe mode.

1. Run hijackthis and fix any of the following lines...

O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7D20C2-DE8C-4F09-BFA3-3C7EC4C72164}: NameServer = 69.50.188.180 85.255.112.5


2. Now...rename the rasphone.pbk file located in C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk folder to rasphone.old

3. Then move that file I uploaded and you renamed rasphone.pbk from your desktop to C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\


4. Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Now reboot back to normal windows

1. Once back in normal mode, click Start>>> Run>>> and type CMD and click OK.
2. At the Dos Prompt Screen, type in cd\ and hit enter.
3. Now type in ipconfig /flushdns and click enter! (notice the space in the middle)
4. Then close the command prompt

Reconnect your Internet connection.

Go back into your Network Connections and make sure "Obtain DNS Servers Automatically" is still selected. We don't want any manual entries for the DNS entries!!

Repeat the above ipconfig /flushdns again.

Reboot the PC..and run another hijackthis scan and post its log along with the Ewido scan's log
Attached Files
File Type: txt rasphone.txt (6.7 KB, 3 views)
Last edited by MicroBell; 07-27-2005 at 02:35 PM.
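
An added example, not part of MicroBell's post or of any tool named in this thread: a Python check that reads a rasphone.pbk and HijackThis O17 lines and lists every DNS server that is not in a trusted set, matching on addresses because the interface GUID changed between posts. The phonebook excerpt, the "Office VPN" entry, the all-zero GUID and the 192.0.2.53 trusted resolver are constructed; the two flagged addresses and the first O17 line are the ones posted above.

```python
import ipaddress
import re

# Constructed, trimmed excerpt in rasphone.pbk layout. MEDIA=/DEVICE= and Port=
# repeat inside an entry, so keys are kept as an ordered list, not a dict.
SAMPLE_PBK = """\
[BT Broadband]
Encoding=1
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpNameAssign=2

MEDIA=isdn
Port=ISDN11-0

DEVICE=isdn
PhoneNumber=0,38

[Office VPN]
IpDnsAddress=192.0.2.53
IpDns2Address=0.0.0.0
IpNameAssign=2
"""

# First line is the O17 entry from post #49; the second is constructed.
SAMPLE_O17 = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7D20C2-DE8C-4F09-BFA3-3C7EC4C72164}: NameServer = 69.50.188.180 85.255.112.5",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]

# Assumption: stand-in for the resolvers your ISP has confirmed as theirs.
TRUSTED = {"192.0.2.53"}

DNS_KEYS = ("IpDnsAddress", "IpDns2Address")
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def real_addr(value):
    """Return the normalised IPv4 string, or None for blank, 0.0.0.0 or garbage."""
    try:
        addr = ipaddress.IPv4Address(value.strip())
    except ValueError:
        return None
    return None if addr.is_unspecified else str(addr)


def parse_pbk(text):
    """Return {entry name: [(key, value), ...]}, keeping repeated keys in order."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return entries


def audit_pbk(text, trusted):
    """List (entry, key, address) for every phonebook DNS server not in trusted."""
    findings = []
    for name, pairs in parse_pbk(text).items():
        for key, value in pairs:
            addr = real_addr(value)
            if key in DNS_KEYS and addr and addr not in trusted:
                findings.append((name, key, addr))
    return findings


def audit_o17(lines, trusted):
    """List (registry key, address) for every O17 NameServer not in trusted."""
    findings = []
    for line in lines:
        match = O17_RE.match(line.strip())
        if not match:
            continue  # not an O17 NameServer line
        # The value may hold several addresses separated by spaces or commas.
        for item in re.split(r"[ ,]+", match.group("servers").strip()):
            addr = real_addr(item)
            if addr and addr not in trusted:
                findings.append((match.group("key"), addr))
    return findings


if __name__ == "__main__":
    for entry, key, addr in audit_pbk(SAMPLE_PBK, TRUSTED):
        print(f"rasphone.pbk [{entry}] {key}={addr} is not a trusted resolver")
    for key, addr in audit_o17(SAMPLE_O17, TRUSTED):
        print(f"{key} NameServer {addr} is not a trusted resolver")
```

To use it on a real machine, read a copy of the rasphone.pbk from the Pbk folder named in the post above and put the resolvers your ISP gives you in TRUSTED.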

07-28-2005, 12:29 PM   #51 (permalink)
cholmes2 (Registered User)

Hi,
Did all that was asked, ewido found nothing so no log, however nameserver still appears though only when I'm online. If I disconnect it disappears from the hijackthis log. I have to be online to delete it. I don't have any problems connecting to the web anymore though.

My new hijackthis log is

Logfile of HijackThis v1.99.1
Scan saved at 19:28:15, on 28/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\BtUsrBdg.exe
C:\WINDOWS\System32\BTSetBootKey.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121104012062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{807B8712-E859-48E1-845D-4919875DC878}: NameServer = 194.74.65.69 62.6.40.178
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

My DNS settings are still set to 'obtain automatically' and the nameserver's DNS address doesn't appear in rasphone.pbk.

Any ideas?

Many thanks
cholmes2 is offline  
Old 07-28-2005, 01:22 PM   #52 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Is your ISP BTNET?? If so..I don't have an issue with that entry..as it's correct. Make sure you're connected and run another HijackThis scan. If the same entry that's posted in your last log is there...then it's ok. It's NOT the same DNS's of the hijackers.

Last edited by MicroBell; 07-28-2005 at 01:32 PM.
MicroBell is offline  
Old 07-28-2005, 03:11 PM   #53 (permalink)
Registered User
 
Join Date: Oct 2004
Posts: 60
OS: XP Pro


Question

Eh?

I guess my ISP is BTNET as I'm with BT. I just wondered why I still have nameserver cropping up in the HijackThis log. I know the DNS address is different from before and therefore not the hijackers, but then why still the nameserver entry?

Thanks
cholmes2 is offline  
Old 07-28-2005, 05:50 PM   #54 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Quote:
Originally Posted by cholmes2
Eh?

I guess my ISP is BTNET as I'm with BT. I just wondered why I still have nameserver cropping up in the HijackThis log. I know the DNS address is different from before and therefore not the hijackers, but then why still the nameserver entry?

Thanks
Because it's supposed to be. Some ISPs require the DNS entries when the user connects to the servers. Since we have this set to automatically get the DNS server names it will show in the log. As long as the O17 entry is related to your ISP...it's fine. This DNS issue is resolved...


Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.


Reset hidden/system files and folders

Windows XP
===============
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows 2000
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files Folders.
  • Deselect the Show all files option.
  • Click Yes to confirm.
  • Click OK.

Windows ME
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows 95/98/98SE
===============
  • Open My Computer.
  • Select the View menu.
  • Select the Folder Options option.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files folder.
  • Deselect the Show all files option.
  • Click Apply to confirm.
  • Click OK.



Create a new System Restore point

Windows XP
===============
  • Click Start >> Run - type SYSDM.CPL & press Enter
  • Select the System Restore Tab
  • Tick on the checkbox - "Turn off System Restore on all drives"
  • Click Apply
  • Then untick the same checkbox & click OK

Windows ME
===============
  • Click the Start tab.
  • Select the Settings option.
  • Select the Control Panel option.
  • Double-click the System icon.
  • Select the Performance tab.
  • Select File System
  • Select the Troubleshooting tab
  • Check the Disable System Restore box
  • Click Apply to confirm.
  • Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option
  • Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now, as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours have passed. To create a new restore point follow the procedure below.
  • Click the Start button.
  • Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
  • Choose Create a restore point, and then click Next.
  • In the Restore point description box, type a name for your restore point, and then click Next.
  • Click OK.



Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • Tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Please visit Microsoft's Windows Update page and install the latest service packs, patches and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
  • WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.
MicroBell is offline  
Old 07-29-2005, 02:29 AM   #55 (permalink)
Registered User
 
Join Date: Oct 2004
Posts: 60
OS: XP Pro


Hi,
Many thanks for your help and support. Just one thing: I now have two identical nameserver entries in my HijackThis log. How can I be sure the O17 entry (194.74.65.69 62.6.40.178) is related to my ISP?

Cheers
cholmes2 is offline  
Old 07-29-2005, 12:51 PM   #56 (permalink)
Registered User
 
Join Date: Oct 2004
Posts: 60
OS: XP Pro


Hi,
Which of these programs should I keep on my computer? I could keep them all but it runs a bit slow.

Ad Aware SE Personal Edition
Ewido Security Suite
AVG Free
Spyware Blaster
Spyware Guard
Spybot Search and Destroy
Norton Internet Security
Clean Up
SmitRem
Del015Domains
Killbox
Peek2
Silent Runners
IE-Spyad2
StartDreck
WinPFind
Tq VBS
rkfiles
RemV3
Regsrch
Find_It_s

Thanks
cholmes2 is offline  
Old 07-29-2005, 01:39 PM   #57 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Ok..to answer your question about the O17 entries. Always keep an eye on the IP displayed. If anything's questionable..run them through a search..

http://www.arin.net/whois/
http://www.ripe.net/whois
http://www.dnsstuff.com/

Most of the bad IPs will come out of Europe, Russia, Ukraine, Netherlands, China... etc.

*Note* You have 2 Antivirus programs. Ditch one of them. AVG works nicely and Norton Internet Security is a BIG resource hog. Your choice though!

Keep and use the following in BOLD...and if you can..burn the other tools to a CD.

Ad Aware SE Personal Edition <--update and run every week
Ewido Security Suite <--REMOVE this program. Expires in 14 days anyway unless you buy it.
AVG Free <-- update and run every week
Spyware Blaster <-- update every 2 weeks (runs in background)
Spyware Guard <-- No updates (runs in background)
Spybot Search and Destroy <--update and run every week
Norton Internet Security
Clean Up <---run bi-weekly or when needed
SmitRem
Del015Domains
Killbox
Peek2
Silent Runners
IE-Spyad2
StartDreck
WinPFind
Tq VBS
rkfiles
RemV3
Regsrch
Find_It_s

Last edited by MicroBell; 07-29-2005 at 01:42 PM.
MicroBell is offline  
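The O17 check discussed in the posts above can be scripted. This is an added example, not part of the original thread or of HijackThis: it pulls every O17 NameServer entry out of a log and marks each address as confirmed or as one to look up in whois. The function names, the CS1 and zero-GUID lines, the 203.0.113.53 address and the `CONFIRMED` list are assumptions made for the illustration.

```python
import ipaddress
import re

# HijackThis O17 line: "O17 - <registry key>: <value name> = <data>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")

def parse_o17_nameservers(log_text):
    """Return [(registry_key, [server, ...])] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        # O17 also reports Domain / SearchList values; only NameServer is checked.
        if m and m.group("name").lower() == "nameserver":
            servers = [s for s in re.split(r"[,\s]+", m.group("data")) if s]
            entries.append((m.group("key"), servers))
    return entries

def review_nameservers(log_text, confirmed):
    """Label every server of every O17 NameServer entry, one row per key."""
    confirmed_ips = {ipaddress.ip_address(c) for c in confirmed}
    findings = []
    for key, servers in parse_o17_nameservers(log_text):
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                verdict = "malformed"
            else:
                verdict = "confirmed" if ip in confirmed_ips else "look up in whois"
            findings.append((key, server, verdict))
    return findings

# Constructed sample. The first O17 line is the one posted in the thread; the
# CS1 copy, the Domain line and the last line (documentation-range address)
# are made up to exercise duplicates, non-NameServer values and bad data.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{807B8712-E859-48E1-845D-4919875DC878}: NameServer = 194.74.65.69 62.6.40.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{807B8712-E859-48E1-845D-4919875DC878}: NameServer = 194.74.65.69 62.6.40.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.invalid
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53,not-an-ip
"""
# Assumption: addresses the user has already confirmed with the ISP or whois.
CONFIRMED = ["194.74.65.69", "62.6.40.178"]

if __name__ == "__main__":
    for key, server, verdict in review_nameservers(SAMPLE_LOG, CONFIRMED):
        print(f"{verdict:17} {server:15} {key}")
```

Identical entries under more than one registry key are reported once per key, so a changed value in only one control set stands out.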

All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum