Inactive DNS Hijacking: Attempted and Failed

Status
Not open for further replies.
If you have no other malware related problems, you can remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
Creating a Restore Point in Windows 7:
  • Click on Start> right click on Computer> Properties
  • Select System Protection
  • Click on the Create button (near bottom)
  • Type a name for the Restore Point
  • Click on Create again to save the restore point.
Deleting all but the most recent System Protection points in Windows 7
  • Click Start, type Cleanmgr.exe and press ENTER
  • Select the drive-letter from the list and click OK
  • Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
  • Select the drive-letter from the list and click OK
  • Click the More Options tab
    [image: w7-srp2.png]
  • Click the Clean up… button under System Restore and Shadow Copies.
  • Click OK.
Empty the Recycle Bin

I am still concerned about the missing Find 3M section in Combofix and the fact that you have so many processes starting from the Registry on boot. I strongly recommend that you uncheck everything on the Startup Menu except the AV program, touchpad if on laptop, third party firewall if you have one and network processes if you have 3rd party network set up:
  • Click on the Windows 7 start icon in the bottom left corner of your screen.
  • Type MSCONFIG in the search box> press enter or double-click on the MSCONFIG program that appears in the search results.
    [image: msconfig_win7_2.gif]
  • Click on Selective Startup
  • Click on the Startup tab. You will now see the System Msconfig Utility
    [image: msconfig_win7_4.gif]
    In Windows 7, almost all of Windows' essential programs are loaded through Windows Services, so most of the startup items you see here are optional and can be turned off.
    Important! When in doubt, leave it on, or use a Startup database to identify a process you are not sure of.
  • Uncheck any process you don't want to start on boot.
  • When finished> click on OK
    Reboot the computer.
  • When you see this message come up: Check 'don't show this message again'> then Restart.
    [image: msconfig_win7_5.gif]

Images courtesy NetSquirrel

The only processes that need to start on boot are the antivirus program, third party firewall if you have one, touchpad if on laptop and network processes if using third party software for network. Any other entries in this section can be Unchecked.

This does not remove a process or program; it can still be accessed when needed through All Programs. And you can go back at a later time and reset the default programs if needed.
 
I have been slowly and cautiously deleting these tools. Haven't had any real big issues other than when I ran the ESET online scanner, which flagged a Win32/Olmarik.zc trojan. Here is the log from ESET:
======================================================
C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPREFMP.sys Win32/Olmarik.ZC trojan error while cleaning
======================================================
At the beginning of the scan I checked 'fix problems if found'. So now the file is just sitting in quarantine.
 
I'd like to see the full Eset log please, not just an entry. I have to see the location because we removed this already. Don't check for removal.
 
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c01658194b5e714b82217fe5ff1bf6a8
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-12 02:51:52
# local_time=2010-10-11 09:51:52 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775165 100 98 0 222204341 0 0
# compatibility_mode=1024 16777215 100 0 12019298 12019298 0 0
# compatibility_mode=5893 16776573 100 94 0 38393178 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=179930
# found=3
# cleaned=0
# scan_time=3524
C:\Qoobox\Quarantine\C\Windows\System32\Drivers\RDPREFMP.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\Drivers\RDPREFMP.sys.vir_ Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPREFMP.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c01658194b5e714b82217fe5ff1bf6a8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-20 11:46:07
# local_time=2010-10-20 06:46:07 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 265709 265709 0 0
# compatibility_mode=768 16777215 100 0 96082 96082 0 0
# compatibility_mode=1024 16777215 100 0 12785200 12785200 0 0
# compatibility_mode=5893 16776573 100 94 0 39159080 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=183630
# found=1
# cleaned=0
# scan_time=4078
C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPREFMP.sys Win32/Olmarik.ZC trojan (error while cleaning) 00000000000000000000000000000000 I
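The log above is what the helper asked for: the scan header lines plus one detection line per hit, including the path, which is what decides whether a hit is a live file or a copy already sitting in quarantine. The parser below is an added example for this thread, not ESET's tooling or anything the poster ran. It assumes only the layout visible in the quoted log (`# key=value` headers, a `# version=` line opening each scan, and detection lines of the form `path threat-name [(note)] hex-field flag`) and the ComboFix `Qoobox\Quarantine` folder named later in the thread. The sample log inside it is constructed; its paths, threat name and hash field are placeholders, not real indicators.

```python
"""Parse ESET Online Scanner log text into scan records and triage the hits.

Added example for this thread (not ESET's own tooling). The log layout is
inferred from the quoted log; the sample text below is constructed and its
paths, threat name and hash field are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same shape as the quoted log: two scan records,
# one with removal unchecked, one with removal checked and a cleaning error.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-10-12 02:51:52
# country="United States"
# scanned=179930
# found=2
# cleaned=0
# scan_time=3524
C:\Qoobox\Quarantine\C\Windows\System32\Drivers\EXAMPLE.sys.vir Win32/Example.A trojan 00000000000000000000000000000000 I
C:\Windows\System32\Drivers\EXAMPLE.sys Win32/Example.A trojan 00000000000000000000000000000000 I
# version=7
# end=finished
# remove_checked=true
# utc_time=2010-10-20 11:46:07
# scanned=183630
# found=1
# cleaned=0
# scan_time=4078
C:\Program Files\Example App\EXAMPLE.sys Win32/Example.A trojan (error while cleaning) 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>[\w.]+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"            # Windows path (may contain spaces)
    r"(?P<threat>[A-Za-z0-9]+/\S+(?: \S+)*?)"  # e.g. 'Win32/Example.A trojan'
    r"(?:\s+\((?P<note>[^)]*)\))?\s+"          # optional '(error while cleaning)'
    r"(?P<hash>[0-9a-fA-F]{16,})\s+"            # hex field (32 zeros in the quoted log)
    r"(?P<flag>\S+)$"
)

# ComboFix's quarantine folder, as named in the thread. A hit under it is a
# copy already pulled off the live system, not an active file.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"


@dataclass
class Detection:
    path: str
    threat: str
    note: str   # '' or e.g. 'error while cleaning'
    flag: str

    @property
    def quarantined(self) -> bool:
        return QUARANTINE_MARKER in self.path.lower()

    @property
    def clean_failed(self) -> bool:
        return "error while cleaning" in self.note.lower()


@dataclass
class ScanRecord:
    headers: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)  # lines we could not classify


def parse_eset_log(text: str) -> list:
    """Split the log into scan records; each '# version=' line opens a new one.
    Banner lines before the first header (installer output) are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip().strip('"')
            if key == "version" or current is None:
                current = ScanRecord()
                records.append(current)
            if key in current.headers:  # repeated keys (compatibility_mode) become a list
                old = current.headers[key]
                current.headers[key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                current.headers[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            current.detections.append(
                Detection(m.group("path"), m.group("threat"), m.group("note") or "", m.group("flag")))
        elif current is not None:
            current.unparsed.append(line)
    return records


def triage(records: list) -> list:
    """One summary per scan: counts, a found-vs-detections consistency check,
    and the hits split into quarantine copies, live paths and cleaning failures."""
    out = []
    for rec in records:
        h = rec.headers
        found = int(h.get("found", 0))
        out.append({
            "when_utc": h.get("utc_time", "?"),
            "scanned": int(h.get("scanned", 0)),
            "found": found,
            "cleaned": int(h.get("cleaned", 0)),
            "removal_enabled": h.get("remove_checked") == "true",
            "counts_consistent": found == len(rec.detections),
            "quarantined_hits": [d.path for d in rec.detections if d.quarantined],
            "live_hits": [d.path for d in rec.detections if not d.quarantined],
            "clean_failures": [d.path for d in rec.detections if d.clean_failed],
        })
    return out


if __name__ == "__main__":
    for i, summary in enumerate(triage(parse_eset_log(SAMPLE_LOG)), 1):
        print(f"scan {i}: {summary}")
```

Run it on a saved log instead of the sample by passing the file's text to `parse_eset_log`. The point of the split in `triage` is the one the helper makes next: a hit whose path is inside the Qoobox quarantine is a file already removed from the system, so only the `live_hits` list (and any `clean_failures`) needs a decision.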
 
Okay, after a lot of thought and searching, I am going to call the entry in the Eset log a False Positive. It was in the Combofix Qoobox twice; that's where Combofix puts the quarantined files. OTMoveIt now shows it as 'not found.'

My searching shows the file breakdown as follows:
C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPRE FMP.sys
FMP> File Maker Pro
FileMaker Pro is a cross-platform relational database application from FileMaker Inc., formerly Claris, a subsidiary of Apple Inc. It integrates a database engine with a GUI-based interface, allowing users to modify the database by dragging new elements into layouts, screens, or forms. Database management system

RDPRE> OpenMP for Adaptive Master-Slave Message Passing Applications
OpenMP (Open Multi-Processing) is an application programming interface (API) that supports multi-platform shared memory multiprocessing programming in C, C++, and Fortran on many architectures, including Unix and Microsoft Windows platforms. It consists of a set of compiler directives, library routines, and environment variables that influence run-time behavior.

Multithreading: Multiple threads can exist within the same process and share resources such as memory, while different processes do not share these resources.
Windows 7 USB/DVD Download Tool: Microsoft pulls Windows 7 tool after GPL violation claims
http://arstechnica.com/microsoft/ne...windows-7-tool-after-gpl-violation-claims.ars

If you know anything about this, maybe you can handle it. I could not find any related files. So if the problems have been resolved and there are no new ones, the only thing I can offer is a second online AV scan using Kaspersky:
Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

We will see if anything shows up in this log.
 