# DNS Hijacker



## Tormud (Apr 3, 2007)

Hi Everyone,

I am new here so this can be a little intimidating, especially since I am not a Techie and don't purport to be, but you guys are my last hope. I am running Win XP Service Pack 2 on my laptop via a secured Linksys wireless connection. I am running Webroot Anti-Spy (latest version) and McAfee version 7.2 build 7.2.147. I also downloaded Smitfraud, updated it and ran it in Safe Mode. Nothing was detected. The dead giveaway was the fact that my connection speed is typically 54 Mbps. It slowed to a crawl of about 1 Mbps. At times my connection disappears and I have to repair my wireless connection.

By accident I ran Smitfraud in full mode and the readout said:

"Your computer may be a victim of a DNS Hijacker 85.255.x.x detected."

Below is the log report from Smitfraud:

SmitFraudFix v2.162

Scan done at 20:14:50.92, Mon 04/02/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 85.255.116.132
DNS Server Search Order: 85.255.112.180

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 85.255.116.132
DNS Server Search Order: 85.255.112.180

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0188CADD-BD0B-4837-8C8E-2F9C7F27E203}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C0345ED-7477-4493-9B6D-57D834AA775C}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F35F12CA-4020-4C58-B4BE-4BFEB091430C}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F35F12CA-4020-4C58-B4BE-4BFEB091430C}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FFE477C9-1857-4626-8CDA-091AAE1E2D7B}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FFE477C9-1857-4626-8CDA-091AAE1E2D7B}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0188CADD-BD0B-4837-8C8E-2F9C7F27E203}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C0345ED-7477-4493-9B6D-57D834AA775C}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F35F12CA-4020-4C58-B4BE-4BFEB091430C}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F35F12CA-4020-4C58-B4BE-4BFEB091430C}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FFE477C9-1857-4626-8CDA-091AAE1E2D7B}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FFE477C9-1857-4626-8CDA-091AAE1E2D7B}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0188CADD-BD0B-4837-8C8E-2F9C7F27E203}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3C0345ED-7477-4493-9B6D-57D834AA775C}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F35F12CA-4020-4C58-B4BE-4BFEB091430C}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F35F12CA-4020-4C58-B4BE-4BFEB091430C}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FFE477C9-1857-4626-8CDA-091AAE1E2D7B}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FFE477C9-1857-4626-8CDA-091AAE1E2D7B}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.132 85.255.112.180
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.132 85.255.112.180
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.132 85.255.112.180

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Glaswegian (Sep 16, 2005)

Hi and welcome to TSF.

The IP 85.255.XXX.XXX is a known malware location. Please follow these instructions carefully.


- Download *Deckard's System Scanner (DSS)* to your *Desktop*. Note: You must be logged onto an account with administrator privileges.
- *Close* all applications and windows.
- *Double-click* on *dss.exe* to run it, and follow the prompts.
- When the scan is complete, two text files will open - minimised > *extra.txt* and maximised > *main.txt*.
- Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* in a new thread in the *HJT Forum* *(do not attach it or post it here)*.
- Please *attach* *extra.txt* to your post.


To attach a file to a new post, simply:

- Click the [*Manage Attachments*] button under *Additional Options > Attach Files* on the post composition page, and
- *copy and paste* the following into the "*Upload File from your Computer*" box: *C:\Deckard\System Scanner\extra.txt*
- Click *Upload*.

We'll then have a look and provide instructions to clean your system, if required. Please note that the HJT forum is constantly busy, so I would ask that you be patient while waiting for a reply.

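Added example, not code from the thread or from SmitFraudFix: a small Python check that parses the registry lines SmitFraudFix prints in its DNS section (the sample lines are copied from the log posted above) and flags interfaces whose resolvers fall inside the 85.255.x.x range identified in the reply. The 85.255.0.0/16 range, the `parse_dns_entries`/`find_hijacked` names and the handling of comma- or space-separated server lists are my assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the SmitFraudFix DNS section posted above
# (one interface with a static override, one with DHCP-keyed values).
SAMPLE_LOG = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F2E700F-7284-4118-92AB-1B5847130D13}: NameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3BE79365-8ABE-4648-B98A-07D7A3A5D090}: DhcpNameServer=85.255.116.132,85.255.112.180
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.132 85.255.112.180
"""

# Assumed from the thread's "85.255.x.x"; a production check would instead
# allow-list the ISP's or the organisation's own resolvers.
BAD_NETS = [ipaddress.ip_network("85.255.0.0/16")]

LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cset>\w+)\\Services\\Tcpip\\(?:\.\.\\)?(?P<iface>[^:]+):"
    r" (?P<key>DhcpNameServer|NameServer)=(?P<val>.*)$"
)

def parse_dns_entries(text):
    """Return {(control_set, interface): {key: [ip, ...]}} from log lines."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # SmitFraudFix prints server lists with either commas or spaces.
        servers = [s for s in re.split(r"[ ,]+", m["val"].strip()) if s]
        entries[(m["cset"], m["iface"])][m["key"]] = servers
    return entries

def find_hijacked(text, bad_nets=BAD_NETS):
    """Flag interfaces whose resolvers fall in a known-bad range."""
    # A manually set NameServer value overrides DhcpNameServer on Windows,
    # so a static value in a bad range while DHCP handed out the ISP's
    # resolvers is the clearest hijack signal; it is labelled 'static'.
    findings = []
    for (cset, iface), keys in parse_dns_entries(text).items():
        for key, servers in keys.items():
            bad = [s for s in servers
                   if any(ipaddress.ip_address(s) in n for n in bad_nets)]
            if bad:
                findings.append({"control_set": cset, "interface": iface,
                                 "source": "static" if key == "NameServer" else "dhcp",
                                 "bad_servers": bad})
    return findings
```

Calling `find_hijacked(SAMPLE_LOG)` returns one finding per affected interface and key, which is the same view SmitFraudFix summarises as "85.255.x.x detected".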

----------



## Tormud (Apr 3, 2007)

Thanks, 

At least I know what I am dealing with...

Attached are the Deckard's Main and Extra Txt files. I took the liberty of attaching other pertinent info on my system scan.


----------



## Glaswegian (Sep 16, 2005)

Please start a new thread in the HJT forum and post your logs there.

Edit - you need to attach the logs to your post in the HJT Forum.

http://www.techsupportforum.com/security-center/hijackthis-log-help/148530-dns-highjacker.html


----------

