jholland1964

Re: Problems with a DNS Changer Trojan

Nov 20th, 2008
Hello redrevis and welcome to DaniWeb. Sorry you are having so many problems. You should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again, as you have found.

You need to uninstall combofix.
Do it this way:
Go to Start, Run
Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, Select "2"

Next you need to turn off some services which are running automatically at start up.
To do this do the following:
Click the Start button.
From the Start menu, choose Control Panel.
From the Control Panel home page, choose the System And Maintenance option.
On the System And Maintenance page, click Administrative Tools.
From the Administrative Tools page double-click on the Services option.
When prompted by User Access Control to verify that opening the Services Control Panel applet is allowed, click the Continue button. If you are not prompted, you have either disabled User Access Control or are logged in with an account that does not have the ability to run with administrative privileges.
You should now be at the Services Control Panel applet.
You are going to have to scroll through this list, which is in alphabetical order, to find these services. One by one I want you to double-click on each entry. First, if it is running you will see a STOP button. Click the Stop button to stop the service. When it is stopped, go to the Start Up Type section and click the small arrow next to where it says Automatic or Manual. If it says Automatic, change it to Manual. If it says Manual, then change it to Disabled for now. Click the OK button and move on to the next one.

PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe
TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

This one right here is part of your culprit. Stop the Service if it is running and definitely change the start up type to DISABLED.
Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhum.exe

Once you have done this with all of the above entries, click APPLY and close out that Services box. Reboot the computer.

Please download Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

REBOOT the Computer.

Run HJT again and place check marks next to the following entries if they still remain:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (no file)
O9 - Extra button: (no name) - {DF96BA30-57F6-4700-8065-910EC3BE9E3B} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{300724CF-170F-48C8-A7DB-5CCC2345805F}: NameServer = 85.255.112.86;85.255.112.189
O17 - HKLM\System\CS1\Services\Tcpip\..\{300724CF-170F-48C8-A7DB-5CCC2345805F}: NameServer = 85.255.112.86;85.255.112.189
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhum.exe
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer and run a new HJT log. Post back with that log and the MBA-M log.
Last edited by jholland1964; Nov 20th, 2008 at 6:17 pm.
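A way to triage a HijackThis log for the entry types singled out in the post above, as an added example that is not part of the original post: it flags O17 NameServer values outside an expected resolver set, O23 services listed with "Unknown owner", and O2/O9 entries marked "(no file)". The `triage` function and the `EXPECTED_DNS` value are assumptions; the sample lines are copied from the post's fix list.

```python
import ipaddress
import re

# Resolvers this machine is expected to use (assumed value: a home router).
EXPECTED_DNS = {ipaddress.ip_address("192.168.1.1")}

# Sample input: four lines copied from the fix list in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{300724CF-170F-48C8-A7DB-5CCC2345805F}: NameServer = 85.255.112.86;85.255.112.189
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhum.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER = re.compile(r"NameServer = (.+)$")


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return (section, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, blank lines, running-process list
        section, body = m.groups()
        if section == "O17":
            ns = NAMESERVER.search(body)
            # Resolvers are ';'-separated in the post; ',' and spaces are accepted too.
            tokens = [t for t in re.split(r"[;,\s]+", ns.group(1)) if t] if ns else []
            for token in tokens:
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    findings.append((section, f"unparseable resolver {token!r}", line))
                    continue
                if ip not in expected_dns:
                    findings.append((section, f"unexpected resolver {ip}", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "service listed with unknown owner", line))
        elif section in ("O2", "O9") and body.endswith("(no file)"):
            findings.append((section, "orphaned entry, target file missing", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

A flagged entry is a prompt for review, not a verdict: legitimate services can also show "Unknown owner", and `EXPECTED_DNS` has to be set to the resolvers the network actually hands out.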