Oh Dear!

Toxcity

New member
Okay, here's my new problem of the week! :)

When I use Google to search for stuff, you know you get your nice page of search result links.

Well, when I click on a link, I get transported to some sales website, like Monster Shopping... :(

Some kind of malware, I guess... Where would I find the file that does this?

I am downloading Ad-Aware now! ;)
 
Depends on what it is. Just use Ad-Aware, and maybe Spybot if that doesn't work. Then CC Shredder and AVG Antivirus with a new update if that fails.

If that lot of free stuff doesn't get it then nothing will.

Get HijackThis for free and post up the results for all to see and find the bugger.
 
Logfile of HijackThis v1.99.1

Scan saved at 20:28:03, on 27/02/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\DOCUME~1\Niccums\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0EFB99FD-030D-4C6E-8757-9B78EA7D2596}: NameServer = 85.255.114.85,85.255.112.213

O17 - HKLM\System\CCS\Services\Tcpip\..\{15E193BA-B710-43CF-B039-2B4F5617C17C}: NameServer = 85.255.114.85,85.255.112.213

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213

O17 - HKLM\System\CS1\Services\Tcpip\..\{0EFB99FD-030D-4C6E-8757-9B78EA7D2596}: NameServer = 85.255.114.85,85.255.112.213

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213

O17 - HKLM\System\CS2\Services\Tcpip\..\{0EFB99FD-030D-4C6E-8757-9B78EA7D2596}: NameServer = 85.255.114.85,85.255.112.213

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213


O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Might mean something to someone! ;)

Stuff in bold looks abnormal... When my browser gets redirected it comes up with an IP... I think maybe a little like that!
 
name='butcherbob' said:
Run HijackThis again and check the 2 CCS services and Windows Messenger lines (if you don't use the crap) and try and see.

Nope, nothing happened... I still get the gay thingy! :(

This is the site that redirects me... 81.201.104.136
 
Well, you need to run an up-to-date virus scanner, whatever you've got. You've got a known problem on your puter that's a sod to get rid of. AVG is the last easy way before it gets more complicated.
 
Tox

You're right, the stuff in bold is abnormal. You've had your DNS IP addresses hijacked by malware, probably to a rogue Russian DNS server.

I'll look for the fix for you.

p.s. what was it you were saying the other day about not needing a virus scanner? :) - sorry. couldn't resist.

:cool:

TOG
 
name='butcherbob' said:
Well, you need to run an up-to-date virus scanner, whatever you've got. You've got a known problem on your puter that's a sod to get rid of. AVG is the last easy way before it gets more complicated.

Downloading now! :)

I hope this works! Thanks for all the help so far!

name='Toxteth O'Grady' said:
Tox

You're right, the stuff in bold is abnormal. You've had your DNS IP addresses hijacked by malware, probably to a rogue Russian DNS server.

I'll look for the fix for you.

p.s. what was it you were saying the other day about not needing a virus scanner? :) - sorry. couldn't resist.

:cool:

TOG

Damn it Tox, I was hoping you wouldn't come online! :D

Anywho, yeah, I'm in trouble now! All help is uber needed!

Nice to see you Tox matey... You are the clever clogs of the forum when it comes to virus stuff.
 
Looks like it's the alg.exe. As you've not got MS Firewall running it shouldn't really be running; it's a trojan, there's bucketloads on the net about it. AVG should find it though. Get Firefox and ZoneAlarm after this.
 
Yep - it's a DNS Changer trojan.

Download SuperAntiSpyware (freeware version) from here and AVG Free Antispyware from here. Install both. Disable System Restore and then reboot into Safe Mode and run a full scan with both. Post back results.

Hopefully they'll get it. Once you've done that you'll need to reconfigure your DNS settings. Let me know if you need help with that.

:cool:

TOG

btw - you have HJT in a temp directory. You need to extract it to its own directory (e.g. create C:\Program Files\HJT and extract to there). Otherwise it won't allow you to fix and backup\recover if you end up deleting the wrong entries.
 
This one seems like a good fix.

Hello and welcome to the forum :) You have been hijacked by folks in the Ukraine; see this: http://www.whois.sc/85.255.114.108

It will take a little work to get rid of them, and the instructions must be followed carefully to be successful.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

Thanks to LonnyRJones and any others who helped with this fix.

2) You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt (hold the logs until the end please)

Now let's check some settings on your system.

(2000/XP) Only

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically".

Press OK twice to get out of the Properties screen and reboot if it asks.

That option might not be available on some systems.

Next, go to Start, Run, type cmd and hit OK.

Type

ipconfig /flushdns

then hit Enter; type exit and hit Enter.

(that space between g and / is needed)

(Spyware Doctor may block the fix we must make, turn it off until you are done)

(some lines may be gone, do not be concerned, just do not miss any)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O1 - Hosts: localhost 127.0.0.1

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\zgych.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\zgych.dll

O4 - HKLM\..\Run: [SysCheck32] SysCheck32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F54D557-AC48-4872-A177-C52F0AECD854}: NameServer = 85.255.114.108,85.255.112.143

O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.114.108,85.255.112.143

O17 - HKLM\System\CCS\Services\Tcpip\..\{83FF1B5A-6982-4DCB-AB12-FBE3104461B0}: NameServer = 85.255.114.108,85.255.112.143

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCC1F58C-308F-4472-AAE5-1C50ADCCDF06}: NameServer = 85.255.114.108,85.255.112.143

O17 - HKLM\System\CS1\Services\Tcpip\..\{0F54D557-AC48-4872-A177-C52F0AECD854}: NameServer = 85.255.114.108,85.255.112.143

O17 - HKLM\System\CS3\Services\Tcpip\..\{0F54D557-AC48-4872-A177-C52F0AECD854}: NameServer = 85.255.114.85,85.255.112.13

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders... reverse the process when finished.

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

You will need to search for the location of this item: SysCheck32.exe

RIGHT Click on Start then click on Explore. Locate and delete these items:

SysCheck32.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)

Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp

Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the C:\fixwareout\report.txt, a new HJT log and any comments you think will help. We will have more to do.

Thanks...pskelley

Safer Networking Forums

You definitely will want to flush the DNS cache:

ipconfig /flushdns
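As an added example (not code from this thread, from HijackThis, or from any of the posters), here is a small Python parser that pulls the O17 NameServer lines out of a HijackThis log like the one posted above and the fix list quoted from pskelley, and flags any server that falls inside 85.255.112.0/20, the block covering every rogue address quoted in this thread. The network list, the all-zero-GUID benign entry and the SAMPLE_LOG text are constructed for the example.

```python
"""Flag HijackThis O17 NameServer entries that point at rogue DNS servers."""
import ipaddress
import re

# Block covering every rogue NameServer quoted in this thread (85.255.114.85,
# 85.255.112.213, 85.255.114.108, 85.255.112.143). One entry is an assumption
# for illustration; extend it from a current threat-intel source.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")

def parse_o17(log_text):
    """Return [(registry key, [server strings])] for each O17 line.
    HJT prints the server list comma- or space-separated; accept both."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries

def flag_rogue(log_text, rogue_nets=ROGUE_NETS):
    """Return [(key, [rogue ips])] for O17 entries that hit a rogue network."""
    findings = []
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                continue  # not an IP literal, so nothing to match against
            if any(addr in net for net in rogue_nets):
                bad.append(s)
        if bad:
            findings.append((key, bad))
    return findings

# Constructed sample: three O17 lines copied from this thread plus one made-up
# benign entry (all-zero GUID, home-router address) to show a clean line passes.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EFB99FD-030D-4C6E-8757-9B78EA7D2596}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F54D557-AC48-4872-A177-C52F0AECD854}: NameServer = 85.255.114.108,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for key, bad in flag_rogue(SAMPLE_LOG):
        print("rogue DNS", bad, "in", key)
```

Run it against a saved hijackthis.log by reading the file into flag_rogue; any hit is a line to tick for "Fix Checked" and a cue to reset the adapter to "Obtain DNS servers automatically" and flush the cache as described above.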
 
I will try Tox's idea first as it is the quickest, then the rest!

Thanks for the support so far dudes! :worship:
 
I know the two freeware apps I linked to do clean trojan.dns.changer, so you should be ok. If they don't, I suggest you take up equk's suggestion to run FixWareout next. If you have to get that far, post the FixWareout report log on here.

:cool:

TOG

I
 