Very persistant trojan - please help!
Hi,
2 nights ago i realised i had a virus or something bad anyway. It started when i had a problem downloading a song from Napster and i got error code 1018. I searched for it in google - looking for help. One of the links was a simple web page saying something "download workaround for error 1018". Foolishly i did just that. Seconds later BitDefender started firing up messages. It kept telling me it had delted something, only to have to delete the same things every 30 seconds ago. Clearly whatever it is keeps coming back.
Last night i spent all evening trying to sort this problem out. BitDefender no longer pops up with any messages, but my computer has various weird problems. Every time i boot up it's 50/50 whether the monitor shows anything, if i change user (which i need to do at school to log onto my teaching domain) it also stops working. Google search results redirect to advertising websites (usually porn - great - can't wait till that pops up on the whiteboard in front of my 4 year olds!). Whenever i boot up i usually get some message about screensavers or extra screen managers (?) not working. My USB connections are also now being temperamental, and my CD/DVD drive drivers are not workjing any more (Code 37 - tried various workarounds). Basically it's pretty annoying all round.
Last night, and tonight, i have tried using Spyware Doctor (doesn't work on Vista?), AVira (finds a file called TMP0000002A309C6A80253F7D89 in C:/windows/Temp on every boot up, but quaranting, denying access/ignoring don't seem to be effective), BitDefender - finds 3 files (see history below), Malwarebyte (finds 17 registery exhibits which it deletes, does a restart, but they are back again. See below as well). Tried CCleaner as well - clears lots of stuff but no help. AdAware also no help the first time - and now crashes when run. All are up to date with updates.
I even tried looking at the registery entries from Malaware and changing each entry very slightly in the Registry editor hoping the virus would not reinstall be not work either. Also tried renaming some of the files. No joy. HELP!!!!
Hijack This says:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:34:42, on 12/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
D:\Program Files\BlueSoleil\BtTray.exe
D:\Program Files\SMART\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
D:\Program Files\napster.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Al\Desktop\HiJackThis.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - D:\Program Files\SMART\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Office 2007\Office12\GrooveShellExtensions.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [BtTray] "D:\Program Files\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\Apple\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMART Board Service] D:\Program Files\SMART\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\napster.exe /systray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Users\Al\Desktop\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tyneview0507.ad
O17 - HKLM\Software\..\Telephony: DomainName = tyneview0507.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{19076F50-B923-4198-80F1-F382415B7826}: NameServer = 85.255.112.151;85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD445E-38B6-4EEE-9240-63F4BC8F322E}: NameServer = 85.255.112.151;85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1BF7C71-DF6D-4F58-88BD-3A694DB7FDD5}: NameServer = 85.255.112.151;85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tyneview0507.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tyneview0507.ad
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Office 2007\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - D:\Program Files\Adobe\Adobe Photoshop Elements\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleilCS - Unknown owner - D:\Program Files\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - D:\Program Files\BlueSoleil\BsHelpCS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kduga.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 7430 bytes
___________________________________-------___________
Malware log is:
Malwarebytes' Anti-Malware 1.30
Database version: 1390
Windows 6.0.6001 Service Pack 1
12/11/2008 22:29:46
mbam-log-2008-11-12 (22-29-46).txt
Scan type: Quick Scan
Objects scanned: 56138
Time elapsed: 5 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 16
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Windows Tribute Service (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
------___________------____________
BitDefender:
Can't get log on-screen, but mentions Win32.worm.Autorun.MQ detected and also Trojan.Autorun.ZH have been blocked and delted but this was yesterday, not today.
Anyone any ideas please, i will be eternally grateful. I only bought the laptop 2 months ago and it is 2nd hand, but has been great. It is a Vaio dual core VGN AR11B with 2GB RAM, running Vista Ultimate 32bit. Never had any problems until 2 days ago.It is 2 years old.
Alex
2 nights ago i realised i had a virus or something bad anyway. It started when i had a problem downloading a song from Napster and i got error code 1018. I searched for it in google - looking for help. One of the links was a simple web page saying something "download workaround for error 1018". Foolishly i did just that. Seconds later BitDefender started firing up messages. It kept telling me it had delted something, only to have to delete the same things every 30 seconds ago. Clearly whatever it is keeps coming back.
Last night i spent all evening trying to sort this problem out. BitDefender no longer pops up with any messages, but my computer has various weird problems. Every time i boot up it's 50/50 whether the monitor shows anything, if i change user (which i need to do at school to log onto my teaching domain) it also stops working. Google search results redirect to advertising websites (usually porn - great - can't wait till that pops up on the whiteboard in front of my 4 year olds!). Whenever i boot up i usually get some message about screensavers or extra screen managers (?) not working. My USB connections are also now being temperamental, and my CD/DVD drive drivers are not workjing any more (Code 37 - tried various workarounds). Basically it's pretty annoying all round.
Last night, and tonight, i have tried using Spyware Doctor (doesn't work on Vista?), AVira (finds a file called TMP0000002A309C6A80253F7D89 in C:/windows/Temp on every boot up, but quaranting, denying access/ignoring don't seem to be effective), BitDefender - finds 3 files (see history below), Malwarebyte (finds 17 registery exhibits which it deletes, does a restart, but they are back again. See below as well). Tried CCleaner as well - clears lots of stuff but no help. AdAware also no help the first time - and now crashes when run. All are up to date with updates.
I even tried looking at the registery entries from Malaware and changing each entry very slightly in the Registry editor hoping the virus would not reinstall be not work either. Also tried renaming some of the files. No joy. HELP!!!!
Hijack This says:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:34:42, on 12/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
D:\Program Files\BlueSoleil\BtTray.exe
D:\Program Files\SMART\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
D:\Program Files\napster.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Al\Desktop\HiJackThis.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - D:\Program Files\SMART\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Office 2007\Office12\GrooveShellExtensions.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [BtTray] "D:\Program Files\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\Apple\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMART Board Service] D:\Program Files\SMART\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\napster.exe /systray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Users\Al\Desktop\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tyneview0507.ad
O17 - HKLM\Software\..\Telephony: DomainName = tyneview0507.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{19076F50-B923-4198-80F1-F382415B7826}: NameServer = 85.255.112.151;85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD445E-38B6-4EEE-9240-63F4BC8F322E}: NameServer = 85.255.112.151;85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1BF7C71-DF6D-4F58-88BD-3A694DB7FDD5}: NameServer = 85.255.112.151;85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tyneview0507.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tyneview0507.ad
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Office 2007\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - D:\Program Files\Adobe\Adobe Photoshop Elements\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleilCS - Unknown owner - D:\Program Files\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - D:\Program Files\BlueSoleil\BsHelpCS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kduga.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 7430 bytes
___________________________________-------___________
Malware log is:
Malwarebytes' Anti-Malware 1.30
Database version: 1390
Windows 6.0.6001 Service Pack 1
12/11/2008 22:29:46
mbam-log-2008-11-12 (22-29-46).txt
Scan type: Quick Scan
Objects scanned: 56138
Time elapsed: 5 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 16
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Windows Tribute Service (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{19076f50-b923-4198-80f1-f382415b7826}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{c0cd445e-38b6-4eee-9240-63f4bc8f322e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T cpip\Parameters\Interfaces\{f1bf7c71-df6d-4f58-88bd-3a694db7fdd5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151;85.255.112.146 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
------___________------____________
BitDefender:
Can't get log on-screen, but mentions Win32.worm.Autorun.MQ detected and also Trojan.Autorun.ZH have been blocked and delted but this was yesterday, not today.
Anyone any ideas please, i will be eternally grateful. I only bought the laptop 2 months ago and it is 2nd hand, but has been great. It is a Vaio dual core VGN AR11B with 2GB RAM, running Vista Ultimate 32bit. Never had any problems until 2 days ago.It is 2 years old.
Alex
Linear Mode
