win32/cryptor

Yeah I am using a wireless router, that info would have helped sooner I assume.

Have taken the action and it said it had been added.

Hello.
Sometimes DNS hijackers don't just infect your machines, they effect the Linux firmware inside the router as a way of DNS manipulation. Meaning they infect your router too, so as soon as you get online, the infection comes back.

The only way to fix this is to do a hard reboot of the router (setting it back to factory defaults), but doing so you will lose internet access because the DNS isn't set to your ISP.

To fix that, you'll need to work with your ISP so the details can be set back to them. Before we do that though, lets go for one more even deeper scan.

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (AVG8)
  
• Double click on ComboFix.exe.
  
• Follow the prompts.
  NOTE:
  
• Tell Combofix NOT to download the recovery console(If prompted...).
  
• Accept the End-User License Agreement.
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Ok I did as you asked re combofix but the net connection is no gone so cannot post log as asked, any suggestions?

Posting now from an iPhone

Darn.
Try this.

Press Start. In the search box, type in cmd to do a search for the command prompt.
When it appears in the list, right click cmd > Select "Run as administrator"

Now when the command prompt opens, type in:

netsh winsock reset

Hit enter.
Reboot normally.

Any internet connection now?

That worked a treat, here is the log:

ComboFix 09-04-04.01 - Admin 06/04/2009 15:04:42.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3061.1969 [GMT 1:00]
Running from: c:\users\Stephanie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 03:07 --------- d-----w c:\program files\Windows Mail
2009-04-06 03:06 --------- d-----w c:\programdata\Microsoft Help
2009-04-05 21:52 --------- d-----w c:\users\Stephanie\AppData\Roaming\Malwarebytes
2009-04-05 21:33 0 ----a-w C:\backup.reg
2009-04-05 21:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 20:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 20:14 --------- d-----w c:\programdata\Malwarebytes
2009-04-05 19:55 --------- d-----w c:\users\Admin\AppData\Roaming\DNA
2009-04-03 17:16 --------- d-----w c:\programdata\McAfee
2009-04-03 16:35 --------- d-----w c:\users\Stephanie\AppData\Roaming\BitTorrent
2009-04-02 15:02 --------- d-----w c:\program files\Google
2009-04-02 15:00 --------- d-----w c:\program files\Softonic_English
2009-04-02 12:33 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-26 15:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 15:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-02 23:35 --------- d-----w c:\users\Stephanie\AppData\Roaming\NesterSoft
2009-02-09 03:10 2,033,152 ----a-w c:\windows\System32\win32k.sys
2009-02-02 08:39 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-08-11 14:46 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [29/02/2008 05:18 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [04/05/2008 10:25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [04/03/2008 06:05 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [06/03/2008 08:58 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [06/03/2008 08:58 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [06/03/2008 08:58 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [27/07/2007 16:43 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 13:00 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [16/05/2008 13:17 3444736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [11/08/2008 15:54 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [11/03/2008 12:44 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [21/12/2007 10:58 184320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [06/09/2008 15:09 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [01/10/2008 18:57 289576]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [14/08/2008 00:04 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [02/02/2009 09:39 1601304]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [13/09/2007 15:44 405504]

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-05-13 1058088]

c:\users\Stephanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-05-13 1058088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-08-11 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
11/08/2008 16:01 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2E038292-EF82-4526-814C-8302486EBFCD}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{8112B007-D453-4014-A056-5F21DFDF83FE}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{F6E4D4CA-1100-47DA-9EC3-DE55815E24BF}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{45FBFCEA-AAD3-4504-8570-08006E57172C}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{32CBBFF3-2990-4311-B60A-1E8F4FBD4D28}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{9BB45849-F997-4AF1-B466-2FF6EF3A7D38}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8D0302CC-35F4-42A7-A5F6-E93344CAC839}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{31FB613C-E313-4F61-8A14-31102316B035}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{73BC571D-1533-4987-8D93-88DA93A12744}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{9DB4EF27-5EA6-43D0-85D4-17A5E6A56833}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{84EC16EC-A0BE-4F55-A657-C551212893F2}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4A7B93BF-0414-43F1-AF96-BCE1C4C71528}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{32A4F0CB-092C-49FB-8F12-EF3FF23815DB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{2E883A8F-56D5-4FAA-B037-BA1BAEE2084C}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{9ECEC11F-5097-4097-9D48-09A7AB7A9384}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{441AAEA2-3302-4F41-AD9E-4D1BBBAF3B6C}c:\\users\\admin\\program files\\dna\\btdna.exe"= UDP:c:\users\admin\program files\dna\btdna.exe:btdna.exe
"UDP Query User{A8850546-B753-4F1E-9B62-3C4C75335FCB}c:\\users\\admin\\program files\\dna\\btdna.exe"= TCP:c:\users\admin\program files\dna\btdna.exe:btdna.exe
"{83F14680-0AB4-45A3-9B59-C6E7E15F0848}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2008-10-30 325128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-08-11 73728]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [2008-08-12 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-08-12 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-08-12 7424]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{930F1200-F5F1-4870-BAC6-E233EC8E7023} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3080811
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 15:06:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/04/2009 15:08:17
ComboFix-quarantined-files.txt 2009-04-06 14:08:14

Pre-Run: 75,021,914,112 bytes free
Post-Run: 75,029,192,704 bytes free

126 --- E O F --- 2009-04-06 03:06:56

Hello.
I want you to uninstall Bittorrent, that's probably how you got infected.

• Open HijackThis
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
Browser Address Error Redirector
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
Dell-eBay
Digital Line Detect
EDocs
Google Desktop
GoToAssist 8.0.0.514
HijackThis 2.0.2
Intel(R) Matrix Storage Manager
iTunes
Java(TM) 6 Update 5
Laptop Integrated Webcam Driver (1.04.01.1011)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware
MediaDirect
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
NetWaiting
OutlookAddinSetup
QuickSet
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
SigmaTel Audio
Softonic_English Toolbar
TimeLeft
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
VLC media player 0.9.4
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
WinRAR archiver
Xvid 1.1.3 final uninstall

Yeah I couldnt find bittorrent to uninstall it... It just doesnt appear to be here anymore.

Hello.

While Bittorrent isn't there, there is one or two things that need to go because they are old and are a security risk.

• Click Start >> Control Panel.
  
• Under the Programs click Uninstall a Program
  
• Highlight the following:
  
  Adobe Reader 8.1.0
  Java(TM) 6 Update 5
  VLC media player 0.9.4
  
  
• Click on the Uninstall/Change button at the top.
  

Lets have Combofix do this for us.

Note: If you lose internet connection again, then go back to my Run command and do that again.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{31FB613C-E313-4F61-8A14-31102316B035}"=-
"{73BC571D-1533-4987-8D93-88DA93A12744}"=-
"{2E883A8F-56D5-4FAA-B037-BA1BAEE2084C}"=-
"{9ECEC11F-5097-4097-9D48-09A7AB7A9384}"=-
"TCP Query User{441AAEA2-3302-4F41-AD9E-4D1BBBAF3B6C}c:\\users\\admin\\program files\\dna\\btdna.exe"=-
"UDP Query User{A8850546-B753-4F1E-9B62-3C4C75335FCB}c:\\users\\admin\\program files\\dna\\btdna.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{938cf847-f51a-4cc5-9b1b-07745b5ac2b3}]
"NameServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfb53bdf-65d1-49fb-bce3-d851f1e35b0d}]
"DhcpNameServer"-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfb53bdf-65d1-49fb-bce3-d851f1e35b0d}]
"NameServer"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Ok about to do so, re bittorrent, where did it go? I didn't uninstall it, in fact I used it just the other day.

I don't know where it's gone, but we'll remove it's folders soon.
The CFScript will close the ports that bittorrent uses and it won't be allowed past the firewall anymore.

Hmm ok, it ran restarted then warning has come up saying c:\combofix\HIV\security! Error saving file. Continue with next file? Regcreatekeyex: 5 access is denied click yes or no?

Press No.

log came up empty

Hello.
Doesn't matter then, it still did what I wanted it to.

Still having problems?

I don't really know, how will I know if it is still on the machine? You mentioned something about my router?

Update and scan with MBAM.
See if that DNSChanger returns.

I have updated MBAM still says current db is 1904. That correct?

I have 2 brother who did AI and software engineering, clearly the IT gene skipped me.

Shall run MBAM now?

I have one Trojan.DNSChanger still

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfb53bdf-65d1-49fb-bce3-d851f1e35b0d}\DhcpNameServer

Hello.
That isn't the latest.
Download the latest from here:
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Install that file.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfb53bdf-65d1-49fb-bce3-d851f1e35b0d}]
  "DhcpNameServer"=-
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

See if it returns now.

ok done

Is that one last reg key gone now?

Had to go to work, left machine to restart. Lef you know how it goes

OK im back from work. ran MBAM, again got, trojan.dnschanger

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfb53bdf-65d1-49fb-bce3-d851f1e35b0d}\DhcpNameServer

Hello.
Lets try this.

Download smitfraudfix from here:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

1. Download that to your Desktop.
   
2. Right click the file > Run as administrator.
   
3. This will extract it's contents.
   
4. If AVG popup with a warning, tell it to ignore it.
   
   Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
   http://www.beyondlogic.org/consulting/proc...processutil.htm
   
   
5. It also opens the command prompt, so allow it to load.
   
6. Press any key when asked.
   
7. Now in the opens menu, select option 1 (search) by typing 1 and pressing enter.
   
8. Copy and paste the log back here.
   

SmitFraudFix v2.406

Scan done at 22:48:55.04, 2009-04-06
Run from C:\Users\Stephanie\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» \


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL avgrsstx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1395 WLAN Mini-Card
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{938CF847-F51A-4CC5-9B1B-07745B5AC2B3}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CFB53BDF-65D1-49FB-BCE3-D851F1E35B0D}: DhcpNameServer=69.42.88.21 69.42.88.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{938CF847-F51A-4CC5-9B1B-07745B5AC2B3}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CFB53BDF-65D1-49FB-BCE3-D851F1E35B0D}: DhcpNameServer=85.255.112.194,85.255.112.125
HKLM\SYSTEM\CS2\Services\Tcpip\..\{938CF847-F51A-4CC5-9B1B-07745B5AC2B3}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CFB53BDF-65D1-49FB-BCE3-D851F1E35B0D}: DhcpNameServer=69.42.88.21 69.42.88.22
HKLM\SYSTEM\CS3\Services\Tcpip\..\{938CF847-F51A-4CC5-9B1B-07745B5AC2B3}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CFB53BDF-65D1-49FB-BCE3-D851F1E35B0D}: DhcpNameServer=69.42.88.21 69.42.88.22
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

again your help is much appreciated

Hmm.
SFF doesn't report of a DNS hijack.

The malware has gotten control of your router, you need to change the password.

To get into it, you usually need to type a certain IP adress, 192.168.1.1 is usually the router.
In your case it could be 192.168.1.254.

Once you've found the page, login using the default password. Depending on what type of router you have will depend on the layout.

You need to find an option for changing the default administrator password.

ok so I just change the password and thats it?

No, changing the password will stop that one reg key returning. Once it's changed, that reg key should die with a little help.

If not, we may need to do a hard reset of the router.

Ok password changed, what next?

Lets see if the router is the problem.

Disconnect from the internet and stay disconnected while doing this.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
  

Now run the MBAM scan again, allow it to delete everything it finds.

Reboot normally.
Run the scan again.

If the key is back, the router isn't the problem.

Ok done as asked. The safe mode scan found it, I removed, rescanned with wifi still disconnected and it was still there.
Will it be on the other machines on the network too?

I don't think it will be, but you can check if you want to.

Lets try this manually. Press Start > search for "regedit". When it finds it, right click > Run as administrator.
Then follow this path in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfb53bdf-65d1-49fb-bce3-d851f1e35b0d}

Then when you get to the CLSID, find this in the right side pane: [/b]DhcpNameServer[/b]
Double click it and take out whatever IP adress is there now, and insert 192.168.1.254

Ok did that

If the new value sticks and doesn't go back to the malicious IP, then we should be done.
We'll move them Bittorrent folders soon.

Do I need to restart to be sure of this?

Yes.

Ok, it did not change back!

Thank god for that.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Thank you so much! You have been an absolute star!

Re all the programs we installed, do I keep them? Also bittorrent folders?

Hello.
Delete these folders in bold:

c:\program files\BitTorrent
c:\users\admin\program files\dna

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

I could not find those in search

Okay, doesn't matter than.
You should be okay to go now. Just stay away from trouble.

thanks for all your help, a donation will be coming your way

If you choose to donate, then thank you so much.