i decided to restore my PC from stratch after i got tired of being redirected to different search portals after any search i did, now its gotten worse, i'm unable to update windows or pretty much any other program, it will redirect me to msn.com each time i try to force a update, won't let me download any update manually from microsoft, it aparently is a trojan dns changer according to Malwarebyter Anitmalware program...please i need your help...thanks in advance

Hello chrisbeck and welcome to Geeks to Go! My is Dave and I'll be helping you to clean your computer.

The first thing I need you to do is go to this page and follow the instructions there: You must read this before posting a HijackThis log. These are some preliminary steps designed to deal with the most common problems. If you follow the procedures and your problems disappear, then great - let us know of your success. If you're still having trouble when you get to Step 5 - Posting a HijackThis (HJT) log, follow the steps for downloading and creating a log with HJT. Then post the logs from HijackThis and Malwarebytes' Anti-Malware here in a reply to this thread so I can take a look at them and get an idea of what's going on with your computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:41 AM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 3151 bytes

Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 5.1.2600 Service Pack 3

11/30/2008 2:05:29 AM
mbam-log-2008-11-30 (02-05-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83690
Time elapsed: 22 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b358c20c-a341-432d-b14d-cbca389b6e75}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b358c20c-a341-432d-b14d-cbca389b6e75}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b358c20c-a341-432d-b14d-cbca389b6e75}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

isn't there an easier way to get rid of this thing? i thought that when i would restore my Pc, it does erase everything, is there a way to reset everything? completely erase the PC and start from scratch? wouldn't that be easier? i don't mind doing it? i got all my personal info backed up in an external drive, plus DVDs...

i also wanted to thank you for taking the time to help me, i really appreciate it...

thanks a lot

Hi chris -

It's my pleasure to help you out


There's a few different levels of restoring your PC. The factory settings restore or System restore options will change your system files and boot settings back to a point in time when the computer booted normally, and although this may sometimes get rid of the malware on your computer, other times the infections remain.

The way to completely reset everything is known as formatting your hard drive, we have a guide here to do that if you'd like to. The good news is that your logs don't look badly infected, and there probably isn't that much cleaning left to do if any at all.

I see that you did have the trojan DNS changer (better known as Smitfraud) in your previous logs, it looks like MBAM took care of it but let's make sure there isn't any left:

1. Scan for Smitfraud

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:\), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Do NOT run option #2 OR any other option until you are directed to do so!

Let's get a little deeper look than HJT to make sure we aren't missing anything:

2. Random's System Information Tool

• Please download random's system information tool (RSIT) by random/random from here.
• It is important that is saved directly to your desktop.
• Double click on RSIT.exe to run RSIT.
• Leave the file age at the default of 1 month, and click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Note: It is likely that the 2 logs will be very long and may not fit into one reply. If that's the case, please split them up into multiple replies and ensure that you've posted the contents of the logs to the last line, which should read ---EOF---.

So please post back the 2 logs from RSIT, the SmitfraudFix log, and let me know of any problems you're still having.

- Dave

SmitFraudFix v2.379

Scanning Process...
Scanning hosts...
Scanning C:\...
Scanning C:\WINDOWS\...
Scanning C:\WINDOWS\system...
Scanning C:\WINDOWS\Web...
Scanning C:\WINDOWS\system32...
Scanning C:\Documents and Settings\Chris Beck...
Scanning C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp...
Scanning C:\Documents and Settings\Chris Beck\Application Data...
Scanning Start Menu...
Scanning C:\DOCUME~1\CHRISB~1\FAVORI~1...
Scanning Desktop...
Scanning C:\Program Files...
Scanning corrupted keys
'regedit.exe' is not recognized as an internal or external command,
operable program or batch file.
'regedit.exe' is not recognized as an internal or external command,
operable program or batch file.
'regedit.exe' is not recognized as an internal or external command,
operable program or batch file.
Scanning Desktop Components
'regedit.exe' is not recognized as an internal or external command,
operable program or batch file.
'regedit.exe' is not recognized as an internal or external command,
operable program or batch file.
'regedit.exe' is not recognized as an internal or external command,
operable program or batch file.
Scanning o4Patch
Scanning IEDFix
Scanning VACFix
Scanning 404Fix
Scanning Sharedtaskscheduler
Scanning AppInit_DLLs
Scanning Winlogon
Scanning RK
Scanning DNS
C:\SmitfraudFix\ScanDNS.vbs(102, 4) Microsoft VBScript runtime error: Invalid pr
ocedure call or argument

Scanning wininet.dll infection

End

here goes my log file

attached is my info file

Hi chris -

In the future please don't attach logs, just post them as plain text, they're easier to analyze that way .

That log looks good, just one thing to take care of:
1. OTMoveIt3

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  :Processes
  explorer.exe
  C:\WINDOWS\system32\drivers\injn.sys
  
  :Services
  hdwnbf
  
  :Reg
  
  :Files
  C:\WINDOWS\system32\drivers\injn.sys
  
  :Commands
  [Purity]
  [EmptyTemp]
  [Start Explorer]
  [Reboot]
  
  
• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, navigate to the open C:\_OTMoveIt\MovedFiles folder. Open the newest .log file present in notepad and post its contents in your next reply.

Then just a final check:

1. ATF Cleaner

Please download ATF Cleaner by Atribune to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• Note:[b] If you would like to keep your saved passwords, please click [b]No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• Note: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here or here.

Doubleclick mbam-setup.exe to install the program.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Full Scan, then click Scan.
• The scan will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
• Copy & Paste the entire report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so and allow MBAM to finish.

3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts. A log will appear (JavaRa.log), please post the contents of this log on the forum in your next reply.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Scan

1. Follow this link to the Kaspersky WebScanner
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure the following is checked.
   
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
10. Please post this log in your next reply.

So post back with the log from OTMoveIt, MBAM and Kaspersky when you get the time, and give me an update on how the PC is running, and we should have you on your way .

- Dave

========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: C:\WINDOWS\system32\drivers\injn.sys
========== SERVICES/DRIVERS ==========
Service hdwnbf stopped successfully.
Service hdwnbf deleted successfully.
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\system32\drivers\injn.sys moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\~DF6A2C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\~DF8683.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_21c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_784.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12012008_212613

Files moved on Reboot...
File C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\~DF6A2C.tmp not found!
File C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\~DF8683.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_21c.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_784.dat moved successfully.

Ok that looks good, just waiting on the MBAM and Kaspersky results. I know those can take a while, no hurry. Whenever you can get those for me is fine .

Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 3

12/1/2008 10:17:48 PM
mbam-log-2008-12-01 (22-17-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 80768
Time elapsed: 27 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b358c20c-a341-432d-b14d-cbca389b6e75}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b358c20c-a341-432d-b14d-cbca389b6e75}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b358c20c-a341-432d-b14d-cbca389b6e75}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Wouldn't finish upload the kaspersky updates...

Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected: http://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads3.kaspersky-labs.com
Update source selected: http://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads2.kaspersky-labs.com
Update source selected: ftp://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads3.kaspersky-labs.com
Update source selected: ftp://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads4.kaspersky-labs.com
Update source selected: ftp://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads5.kaspersky-labs.com
Update source selected: http://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads5.kaspersky-labs.com
Update source selected: ftp://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads2.kaspersky-labs.com
Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads1.kaspersky-labs.com
Update source selected: http://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads4.kaspersky-labs.com
Update source selected: ftp://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads1.kaspersky-labs.com

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Failed to resolve source DNS name]

Are you having any problems accessing the internet normally? Do you get redirected to pages you didn't try to go to? Play around with your Internet for a bit and let me know if anything abnormal occurs, if nothing does then you're otherwise clean and in good shape.