
Thread: IE hijacked - DNS entry - HELP PLEASE!

  1. #1
    Beginner
    Registered since
    02.08.2005
    Posts
    9

    IE hijacked - DNS entry - HELP PLEASE!

    Hi there,
    I am having trouble with a hijack, adware popup.
    My IE seems to be hijacked, I have a DNS entry from some adware company which doesn't belong to my ISP:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{825D81E7-BB6D-44BD-8159-4F8875A7948B}: NameServer = 69.50.184.84 195.225.176.37

    This one is causing redirects every now and then, and pop-ups.
    ***ADULT FINDER*** webpage, etc.

    Here is my full HIJACKTHIS log, any help to remove the DNS entry is greatly welcomed:
    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 21:37:35, on 2005. 08. 02.
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WinPatrol\winpatrol.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\RAM Idle\RAM_XP.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Qualcomm\Eudora\Eudora.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ICQ\Icq.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\TEMP\HIJACKTHIS\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.index.hu/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{825D81E7-BB6D-44BD-8159-4F8875A7948B}: NameServer = 69.50.184.84 195.225.176.37
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\smc.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
    ...can also upload a fresh SILENTRUNNERS log if needed.

    Thanks!

    bl4ze
    Edited by Ruby (02.08.2005 at 22:16). Reason: BoardRules: Know how - HijackThis
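
Added example (not part of the original thread, and not HijackThis's own code): a Python check that pulls the O17 NameServer values out of a HijackThis log, flags any address outside the resolvers the machine is expected to use, and reports which of them are still present in a second scan taken after a fix. The expected range `192.0.2.0/24` and the second sample line are constructed placeholders; the first O17 line is the one from the post above.

```python
import ipaddress
import re

# An O17 line reports a DNS-related value under the Tcpip service key, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(
    r"^\s*O17 - (?P<key>HKLM\\System\\[^:]+?): (?P<name>\w+) = (?P<value>.*)$"
)

# Assumption: the resolvers this machine should use (ISP or router).
# 192.0.2.0/24 is a documentation range standing in for the real ones.
EXPECTED_RESOLVERS = ["192.0.2.0/24"]

# First line copied from the post above; second line constructed for contrast.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{825D81E7-BB6D-44BD-8159-4F8875A7948B}: NameServer = 69.50.184.84 195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53
"""


def parse_o17(log_text):
    """Return (registry_key, value_name, [values]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            # Values may be separated by spaces or commas.
            values = [v for v in re.split(r"[,\s]+", m["value"].strip()) if v]
            entries.append((m["key"], m["name"], values))
    return entries


def unexpected_nameservers(log_text, expected_networks):
    """Flag NameServer addresses that fall outside the expected networks."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for key, name, values in parse_o17(log_text):
        if name.lower() != "nameserver":
            continue  # Domain / SearchList entries are not checked here
        for value in values:
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((key, value, "not an IP address"))
                continue
            if not any(addr in net for net in nets):
                findings.append((key, value, "outside expected resolvers"))
    return findings


def persisting_findings(before_log, after_log, expected_networks):
    """Findings present in both scans, i.e. entries that came back after a fix."""
    after = set(unexpected_nameservers(after_log, expected_networks))
    before = unexpected_nameservers(before_log, expected_networks)
    return [f for f in before if f in after]


if __name__ == "__main__":
    for key, value, reason in unexpected_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{value:<16} {reason}  [{key}]")
```
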

  2. #2
    Supermod (retired), Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: IE hijacked - DNS entry - HELP PLEASE!

    Welcome to HijackThis.de @ bl4ze

    Please post your Logfiles in vB Code!
    Note: Announcement
    ....

    Please read these instructions carefully and print them out!
    Be sure to follow ALL instructions!

    1
    Using Windows XP: turn off System Restore.

    2
    Make sure you set Windows to see the hidden files and folders.

    3
    Download and Instructions of Use

    A. Download
    New Version: Ad-Aware SE
    Ad-Aware SE: install and update it

    B. Download
    New Version: Spybot Search & Destroy
    Spybot Search & Destroy: install and update it

    C. Download
    CWShredder.

    D. Download
    about:Buster,
    unzip to C:\aboutbuster, run it, and then:

    1. Click "Update".
    2. Click "Check For Update"

    (If no new version is available, skip that.)
    3. Click "Download Update", and wait for it to be installed.

    E. Download
    If you don't have a zip-tool we suggest zipgenius (It is free).

    F. Download
    host.zip
    Press 'Restore Original Hosts' and press 'OK'
    Take a look at the instructions

    G. Download
    CleanUp

    H. Download
    RegClean 4.1a

    4
    Don't use the programs now.

    5
    Disconnect from the Internet.

    6
    Switch to safe mode. Stay in safe mode until you read that you may switch to normal mode!

    7
    Close down all windows including Internet Explorer.
    Run Hijackthis, click scan, and put a checkmark next to each of these items.
    Then click the Fix Checked button:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hzzp://www.index.hu/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    Click on Fix Checked and exit HijackThis.

    8
    Stay in safe mode
    Run Ad-Aware SE (Adaware SE 1.05 Tutorial)
    Run a full system scan.
    Delete the content of all Ad-aware SE folders and the Quarantine box when the scan is finished.
    Save the logfile.

    9
    Stay in safe mode
    Run Spybot Search & Destroy once more
    Turn on Advanced Mode. Go to "Tools" and put a checkmark into every box.
    Scan your system. Let Spybot Search & Destroy delete everything it finds.
    Take the immunization for your system.

    10
    Stay in safe mode
    Run CWShredder
    Press the *fix*, not the scan button.
    Allow it to clean the infection.
    Close all browser and explorer windows before hitting the fix button.

    11
    Stay in safe mode
    Run about:Buster
    4. Click "Start".
    (Wait for the initial ADS scan to complete.)
    5. Click "Exit".

    12
    Reboot your system into normal mode.

    13
    Empty your "Recycle Bin"
    Go to START > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.

    14
    Run CleanUp

    Go to the option -> Select ‘custom’ -> Put a checkmark to:

    * Cookies
    * Prefetch
    * Temp
    * All users.

    Press the 'cleanup' button

    15
    Run RegClean
    Allow the program to delete all it finds.

    16
    Do you have the current version of Windows XP SP2?
    Please download it here: www.windowsupdate.com

    17
    Your IE and your version of Windows must be up-to-date:
    www.windowsupdate.com

    18
    Run a Full System Scan with Panda ActiveScan.
    It will last 2-3 hours. You will have to allow ActiveX.
    Save the logfile.
    Reboot the system when the scan is finished.

    19
    Then configure IE with these settings.

    20
    Run HijackThis once more.
    Have it save a new Logfile.

    -> Post the Ad Aware SE Logfile
    -> Post the About:Buster Logfile
    -> Post the Panda ActiveScan Logfile
    -> Please post the new HJT-Logfile.

  3. #3
    Beginner
    Registered since
    02.08.2005
    Posts
    9

    Re: IE hijacked - DNS entry - HELP PLEASE!

    Hi Ruby,

    Thanks for the hints, I did what you asked me to do, here's a summary:

    *AD-Aware SE found nothing at all, just 12 non dangerous cookies
    *SpyBot S&D found nothing at all too
    *CWShredder same result, nothing was present
    *about:Buster:nothing found there as well

    Panda webscan is a different story, I tried to run it 3 times but it shuts itself down at random points. It indicated while scanning that 2 spywares were found, is there a temp log saved somewhere on C:?
    How can I ensure the scan doesn't stop or kill itself at random?

    The DNS entry keeps coming back unfortunately, I am attaching the fresh HJT log.
    I can also upload a SILENTRUNNERS log if you like.

    Thanks let me know how to proceed.

    bye
    bl4ze
    Attached files

  4. #4
    Supermod (retired), Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: IE hijacked - DNS entry - HELP PLEASE!

    Quote from Ruby:
    Please read these instructions carefully and print them out!
    Be sure to follow ALL instructions!

    16
    Do you have the current version of Windows XP SP2?
    Please download it here: www.windowsupdate.com

    17
    Your IE and your version of Windows must be up-to-date:
    www.windowsupdate.com

    -> Post the Ad Aware SE Logfile
    -> Post the About:Buster Logfile
    -> Post the Panda ActiveScan Logfile
    -> Please post the new HJT-Logfile.
    You may want to follow the steps you were asked to do.

  5. #5
    Beginner
    Registered since
    02.08.2005
    Posts
    9

    Re: IE hijacked - DNS entry - HELP PLEASE!

    SP2 is not installing on my XP, some licence key error.

    All other updates were downloaded. Just SP2 is not.

    My IE is up to date as far as I'm concerned.
    I did all the steps but Panda web scan dies on me at some point indicating
    2 spywares during the scan but since it's not finishing I cannot get the logfile to see what spywares were detected.

    What can we do about the Panda scan error?
    I have tried to run it 3-4 times, closes the ActiveX window while scanning

    I need to get rid of this.

    thanks bye
    bl4ze

  6. #6
    Supermod (retired), Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: IE hijacked - DNS entry - HELP PLEASE!

    @ bl4ze

    You will want to copy the text from this post and save it as a text file (*.txt) or print it because you will be working offline (in safemode) to resolve your problem and not have access to this forum.

    Follow these STEPS.

    STEP 1
    You must turn off System Restore during this process. You will keep it off until we are done fixing your system.

    STEP 2
    1. Download mwavscan (It is free), if you don't have a zip-tool we suggest zipgenius (It is free).
    2. You MUST Unzip mwavscan to 'C:\bases' (case sensitive, any other folder and it won't work properly)
    3. After installing, some systems automatically start up the program. If this happens, close it; you don't want to run it now.
    4. Open 'My Computer'
    5. Double click on 'C:'
    6. Double click on the folder 'bases'
    7. Now in that root folder look for 'kavupd.exe' and double click on it. (We are updating mwavscan to the latest definitions.)
    8. NOTE: Occasionally users receive an error that 'signatures are more then 30 days old'. If you receive this keep trying to run kavupd.exe, it means the definition server is busy, but you will eventually get through.

    STEP 3
    1. Now turn off your computer and remove the network cable/phone line from your machine.
    2. Reboot your computer in Safe Mode

    STEP 4
    1. Open 'My Computer'
    2. Double click on 'C:'
    3. Double click on the folder 'bases'
    4. Double click on 'mwavscan.com'
    5. Now close all other windows, browsers, and programs other than Mwavscan before continuing
    6. Checkmark: Memory, StartUp-Folders, Drives, All Local Drives, Registry and INI Files, System Folders, Services
    7. Now select 'Scan All Files'
    8. Finally, click on 'Scan Clean' (The program will take several hours to run)
    9. When the scan is complete, click 'View Log' and Save it!

    STEP 5
    1. Reconnect your network cable/phone line
    2. Reboot your system into normal mode.

    STEP 6
    1. Open 'My Computer'
    2. Double click on 'C:'
    3. Double click on the folder 'bases'
    4. Find the log file in the directory.
    5. Open it with an editor (Notepad will do fine)
    6. Look for the files which are tagged as "virus" or "infected"
    7. Copy&paste all these files tagged as "virus" or "infected" in a new document and save to your desktop

    STEP 7
    Run Hijackthis again and have it save a new log file.

    STEP 8

    Post every file of mwavscan by looking for "infected" and "tagged as" to this thread:

    It looks like this:

    File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken

    File C:\Documents and Settings\Name\Local Settings\Application Data\Wildtangent\0F.dat tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.


    Also post the total results:

    =>Total Number of Files Scanned:
    =>Total Number of Virus(es) Found:
    =>Total Number of Disinfected Files:
    =>Total Number of Files Renamed:
    =>Total Number of Deleted Files:
    =>Total Number of Errors:
    ***** Scanning complete. *****

    Finally, post the new Hijackthis logfile!

  7. #7
    Beginner
    Registered since
    02.08.2005
    Posts
    9

    Re: IE hijacked - DNS entry - HELP PLEASE!

    Hi Ruby,

    I did all the steps, but unfortunately the DNS keeps coming back as soon as the internet connection is launched, and so does the blank.htm:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{825D81E7-BB6D-44BD-8159-4F8875A7948B}: NameServer = 69.50.184.84 195.225.176.37

    I'm sure there's a spyware/adware sitting on my PC still, so that we cannot erase that phony DNS record from my PC.

    Here is the result of the scan as requested :

    Thu Aug 04 21:08:08 2005 => Scanning File C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office 2003 - Beállításmento varázsló.lnk
    Thu Aug 04 21:08:08 2005 => C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office 2003 - Beállításmento varázsló.lnk possibly infected and removed by background antivirus package!
    Thu Aug 04 21:08:08 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office 2003 - Beállításmento varázsló.lnk: Scanning Failure!!!
    Thu Aug 04 21:08:08 2005 => C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office 2003 - Beállításmento varázsló.lnk possibly infected and removed by background antivirus package!
    Thu Aug 04 21:08:08 2005 => File C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office 2003 - Beállításmento varázsló.lnk infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

    Thu Aug 04 21:08:09 2005 => C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office elakadáskezelo.lnk possibly infected and removed by background antivirus package!
    Thu Aug 04 21:08:09 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office elakadáskezelo.lnk: Scanning Failure!!!
    Thu Aug 04 21:08:09 2005 => C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office elakadáskezelo.lnk possibly infected and removed by background antivirus package!
    Thu Aug 04 21:08:09 2005 => File C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office eszközök\Microsoft Office elakadáskezelo.lnk infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

    Thu Aug 04 21:36:12 2005 => Scanning File C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Fobb indexek.iqy
    Thu Aug 04 21:36:12 2005 => C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Fobb indexek.iqy possibly infected and removed by background antivirus package!
    Thu Aug 04 21:36:12 2005 => Result: ERROR!!! File C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Fobb indexek.iqy: Scanning Failure!!!
    Thu Aug 04 21:36:12 2005 => C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Fobb indexek.iqy possibly infected and removed by background antivirus package!
    Thu Aug 04 21:36:12 2005 => File C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Fobb indexek.iqy infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

    Thu Aug 04 21:36:12 2005 => Scanning File C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Tozsdeindex.iqy
    Thu Aug 04 21:36:13 2005 => C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Tozsdeindex.iqy possibly infected and removed by background antivirus package!
    Thu Aug 04 21:36:13 2005 => Result: ERROR!!! File C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Tozsdeindex.iqy: Scanning Failure!!!
    Thu Aug 04 21:36:13 2005 => C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Tozsdeindex.iqy possibly infected and removed by background antivirus package!
    Thu Aug 04 21:36:13 2005 => File C:\Program Files\Microsoft Office\OFFICE11\QUERIES\MSN MoneyCentral Investor Tozsdeindex.iqy infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

    Thu Aug 04 21:36:20 2005 => C:\Program Files\Microsoft Office\Templates\1038\Eroforrás-ütemezés.mdz possibly infected and removed by background antivirus package!
    Thu Aug 04 21:36:20 2005 => Result: ERROR!!! File C:\Program Files\Microsoft Office\Templates\1038\Eroforrás-ütemezés.mdz: Scanning Failure!!!
    Thu Aug 04 21:36:20 2005 => C:\Program Files\Microsoft Office\Templates\1038\Eroforrás-ütemezés.mdz possibly infected and removed by background antivirus package!
    Thu Aug 04 21:36:20 2005 => File C:\Program Files\Microsoft Office\Templates\1038\Eroforrás-ütemezés.mdz infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

    Thu Aug 04 22:40:39 2005 => File D:\eMule\Temp\005.part infected by "Trojan-Dropper.Win32.Small.mt" Virus. Action Taken: File Deleted.

    Thu Aug 04 22:52:01 2005 => Total Number of Files Scanned: 47580
    Thu Aug 04 22:52:02 2005 => Total Number of Virus(es) Found: 6
    Thu Aug 04 22:52:02 2005 => Total Number of Disinfected Files: 0
    Thu Aug 04 22:52:02 2005 => Total Number of Files Renamed: 5
    Thu Aug 04 22:52:02 2005 => Total Number of Deleted Files: 1
    Thu Aug 04 22:52:02 2005 => Total Number of Errors: 22
    Thu Aug 04 22:52:02 2005 => Time Elapsed: 01:48:10
    Thu Aug 04 22:52:02 2005 => Virus Database Date: 2005/08/04
    Thu Aug 04 22:52:02 2005 => Virus Database Count: 142075

    Thu Aug 04 22:52:02 2005 => Scan Completed.

    My HJT log is attached in the file.

    Since I couldn't run Panda webscan to the end, I have downloaded the
    trial version from their webpage.
    Shall I go and make a scan with that one instead of the ActiveX based one?

    Also, if you're familiar with SILENTRUNNERS I can post a log made with SILENTRUNNERS.

    Thanks again and let me know what to do to get rid of this annoying IE hijack, DNS entry

    bye
    bl4ze
    Attached files

  8. #8
    Supermod (retired), Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: IE hijacked - DNS entry - HELP PLEASE!

    @ bl4ze

    ok once more, please

    Please read these instructions carefully and print them out!
    Be sure to follow ALL instructions!

    Remember that HijackThis must be run in its own folder:
    C:\Program Files\HJT\HijackThis.exe or C:\HJT\HijackThis.exe
    Only if HijackThis runs in its own folder will it create backups!

    Please change this: C:\TEMP\HIJACKTHIS\HijackThis.exe

    Follow the numbers.

    1
    Run CleanUp
    Go to the option -> Select ‘custom’ ->
    Put a checkmark to every box as to be seen on this picture:



    Press the 'cleanup' button

    2
    Using Windows XP: turn off System Restore.

    3
    Make sure you set Windows to see the hidden files and folders.

    4
    Disconnect from the Internet.

    5
    Switch to safe mode. Stay in safe mode until you read that you may switch to normal mode!

    6
    Close down all windows including Internet Explorer.
    Run Hijackthis, click scan, and put a checkmark next to each of these items.
    Then click the Fix Checked button:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hzzp://www.index.hu/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    Click on Fix Checked and exit HijackThis.

    7
    Stay in safe mode
    Run Ad-Aware SE (Adaware SE 1.05 Tutorial)
    Run a full system scan.
    Delete the content of all Ad-aware SE folders and the Quarantine box when the scan is finished.
    Save the logfile.

    8
    Stay in safe mode
    Run Spybot Search & Destroy once more
    Turn on Advanced Mode. Go to "Tools" and put a checkmark into all boxes.
    Scan your system. Let Spybot Search & Destroy delete everything it finds.
    Take the immunization for your system.

    9
    Stay in safe mode
    Run CWShredder
    Press the *fix*, not the scan button.
    Allow it to clean the infection.
    Close all browser and explorer windows before hitting the fix button.

    10
    Stay in safe mode
    Run about:Buster
    4. Click "Start".
    (Wait for the initial ADS scan to complete.)
    5. Save the logfile.
    6. Click "Exit".

    11
    Reboot your system into normal mode.

    12
    Run CleanUp once more!
    Go to the option -> Select ‘custom’ ->
    Put a checkmark to every box as to be seen on this picture.
    Press the 'cleanup' button

    13
    Empty your "Recycle Bin"
    Go to START > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.

    14
    Run RegClean
    Allow the program to delete all it finds.

    15
    Your IE is out-of-date:
    www.windowsupdate.com

    16
    Then configure IE with these settings.

    17
    Run HijackThis once more.
    Have it save a new Logfile.

    -> Post the Ad Aware SE Logfile
    -> Post the About:Buster Logfile
    -> Please post the new HJT-Logfile.

  9. #9
    Beginner
    Registered since
    02.08.2005
    Posts
    9

    Re: IE hijacked - DNS entry - HELP PLEASE!

    Hi,

    I have followed your instructions and made all the steps.

    CWShredder : Nothing present
    about:Buster : Nothing found

    Spybot S&D : 1 thing found "ALEXA RELATED"
    C:\WINDOWS\Web\Related.htm

    Ad-Aware SE 1.06 : Alexa related found, destroyed

    I have updated my IE thru windowsupdate.com

    Unfortunately the blank.htm and the DNS entry are still present, please
    find the HJT log below

    Please let me know how we can trace this DNS/spyware thing, because
    I'm going nuts.

    Thanks,
    bye
    bl4ze
    Attached files

  10. #10
    Supermod (retired), Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: IE hijacked - DNS entry - HELP PLEASE!

    Hi bl4ze

    Please read these instructions carefully and stick to them.
    Download the Generic Smithfraud remover, unzip it to your desktop, install it, press the finished button (download the patch if your system is missing a file), press the finished button. Don't forget to reboot your system.

    Run HijackThis once more, have it save a logfile and post it, please.
