jason8

DNSChanger Trojan

21 posts in this topic

I downloaded a virus, and I can't seem to get rid of it. First it redirected me to spam sites on google searches. While trying to get rid of it, I realized that I couldn't access malwarebytes.org. Additionally, it wouldn't let me download update antivirus software automatically. I downloaded the update for Malwarebytes from another computer and had to rename it to get it to run. Also I can't run Malicious Software Removal Tool from Microsoft.

After cleaning several files tagged "DNSChanger" by Malwarebytes, I can't access the internet anymore on that computer. I am pretty sure its a related problem, but otherwise I will figure out how to fix it after removing the virus.

I also scanned by computer with Avast Antivirus which didn't find anything.

Thanks in advance for your help, and let me know if I need to post any additional information.

Here are the log files. I have run Malwarebytes several times. I have included the logs from each time it found something.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:48:38 AM, on 3/18/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe

C:\Windows\System32\tp4serv.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\TpShocks.exe

C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Palm\Hotsync.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Startup: HotSync Manager.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O13 - Gopher Prefix:

O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...houseplayer.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...esPlayer_v4.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe

O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 10243 bytes

I have run Malwarebytes several times while trying to get rid of this virus. The most recent scan is here:

Malwarebytes' Anti-Malware 1.34

Database version: 1826

Windows 6.0.6001 Service Pack 1

3/18/2009 11:16:11 AM

mbam-log-2009-03-18 (11-16-11).txt

Scan type: Full Scan (C:\|)

Objects scanned: 190310

Time elapsed: 39 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Previous Scans:

Malwarebytes' Anti-Malware 1.34

Database version: 1826

Windows 6.0.6001 Service Pack 1

3/18/2009 10:32:30 AM

mbam-log-2009-03-18 (10-32-30).txt

Scan type: Quick Scan

Objects scanned: 61343

Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

Another Scan:

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 6.0.6001 Service Pack 1

3/18/2009 8:36:27 AM

mbam-log-2009-03-18 (08-36-27).txt

Scan type: Full Scan (C:\|)

Objects scanned: 188546

Time elapsed: 39 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 12

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-2-9-97-100011695-100002976-100002995-3318.com (Trojan.Agent) -> Quarantined and deleted successfully.

First Scan:

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 6.0.6001 Service Pack 1

3/18/2009 2:29:34 AM

mbam-log-2009-03-18 (02-29-34).txt

Scan type: Full Scan (C:\|)

Objects scanned: 143042

Time elapsed: 41 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Share this post


Link to post
Share on other sites

welcome to malwarebytes forum

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:

  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

If you can do these things, everything should go smoothly.

  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Installed Programs

Please could you give me a list of the programs that are installed.

  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.

Click on save list button and specify where you would like to save this file.

When you press Save button a notepad will open with the contents of that file.

Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.

Will be back with you as soon as I can.

Thanks dan

Share this post


Link to post
Share on other sites

Hi Dan,

Thanks for your help.

I am running Windows Vista with only a single user.

Here is the list of programs from HijackThis:

Access Help

Activation Assistant for the 2007 Microsoft Office suites

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.3

Adobe Shockwave Player

Apple Mobile Device Support

Apple Software Update

avast! Antivirus

Bonjour

Business Contact Manager for Outlook 2007

Business Contact Manager for Outlook 2007

Client Security Solution

Empire XP 5

EOS USB WIA Driver

Help Center

HijackThis 2.0.2

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

iTunes

Java 6 Update 11

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Java SE Runtime Environment 6

Lenovo Registration

Lenovo System Interface Driver

Maintenance Manager

Malwarebytes' Anti-Malware

Message Center

Microsoft Office 2003 Web Components

Microsoft Office 2007 Primary Interop Assemblies

Microsoft Office Small Business Connectivity Components

Microsoft Office XP Professional with FrontPage

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

MobileMe Control Panel

Mozilla Firefox (3.0.7)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

Netflix Movie Viewer

On Screen Display

Palm Desktop 6.2 for Windows

PC-Doctor 5 for Windows

Picasa 2

Presentation Director

Productivity Center Supplement for ThinkPad

QuickTime

Registry patch for Windows Vista USB S3 PM Enablement

Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista

Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista

Rescue and Recovery

Risk II (remove only)

Risk

Share this post


Link to post
Share on other sites

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Vuze

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

-------------------

  • Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • Note: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
  • The tab is called BOOT on Vista. Then choose Boot log

RootRepeal - Rootkit Detector

  • Please download the following tool:
  • Direct download link is here:

  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here:
    http://rarlabs.com/' rel="external nofollow">
  • Extract the program file to a new folder such as
    C:\RootRepeal

  • Run the program
    RootRepeal.exe
    and go to the
    REPORT
    tab and click on the
    Scan
    button

  • Select
    ALL
    of the checkboxes and then click
    OK
    and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

  • When done, click on
    Save Report

  • Save it to the same location where you ran it from, such as
    C:\RootRepeal

  • Save it as
    your_name_rootrepeal.txt
    - where your_name is your
    forum name

  • This makes it more easy to track who the log belongs to.

  • Then open that log and select all and copy/paste it back on your next reply please.

  • Quit the RootRepeal program.

Post both logs

Share this post


Link to post
Share on other sites

Start Root Repeal and click on the Drivers tab and then click the Scan button.

Then right click on this file: gaopdxsprbwnwxmcttbnfcyiqvcxmcceydeqhp.sys and select Dump File

This will bring up a Dump to file dialog box. Browse or select your Desktop where you created the BadFiles folder.

Then type in the name gaopdxsprbwnwxmcttbnfcyiqvcxmcceydeqhp.sys and save it in that folder.

You can quit Root Repeal now.

Then zip up that file and upload it to: uploads.malwarebytes.org

http://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx' rel="external nofollow">

---------------------

Now can you update malwarebytes as you need the latest definitions then do a quick scan.

Post the malwarebytes scan

Share this post


Link to post
Share on other sites

I uploaded the zipped file.

Here is the latest scan results.

Malwarebytes' Anti-Malware 1.34

Database version: 1863

Windows 6.0.6001 Service Pack 1

3/18/2009 10:11:02 PM

mbam-log-2009-03-18 (22-11-02).txt

Scan type: Quick Scan

Objects scanned: 62356

Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Users\Ariff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDExtrem\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

I forgot to include this in the last message, but I still have the virus.

Share this post


Link to post
Share on other sites

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

Please download DDS from Tech Support Forum and save it to your desktop.

Double click on dds to run it. If you receive a UAC prompt, please allow it.

When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.

Please attach Attach.txt in your next reply by scrolling down to Upload attachment and clicking on Browse....

An image is below for your reference:

attach.png

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt (attached to this topic)

Post gooredlog.txt

and the dds reports.

Share this post


Link to post
Share on other sites

Here are the logs:

GooredFix v1.92 by jpshortstuff

Log created at 08:53 on 19/03/2009 running Option #1 (Ariff)

Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]

"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]

"Components"="C:\Program Files\Mozilla Firefox\components"

DDS (Ver_09-03-16.01) - NTFSx86

Run by Ariff at 8:56:06.89 on Thu 03/19/2009

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11

Microsoft

jason8_Attach.txt

jason8_Attach.txt

Share this post


Link to post
Share on other sites

FYI: your instructions for downloading DDS didn't work. I had to register at techsupportforum and do a search to find it.

Share this post


Link to post
Share on other sites

Download and run Combofix

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Please download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

----------------------------------------------

GMER

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan

    [*]Once the scan has finished, click copy

    [*]Paste the log into notepad using Ctrl+V

    [*]Save it to your desktop as gmerrk.txt

    [*]Click on the >>> tab

    [*]This will open up the rest of the tabs for you

    [*]Click on the Autostart tab

    [*]Click on Scan

    [*]Once the scan has finished, click copy

    [*]Paste the log into notepad using Ctrl+V

    [*]Save it to your desktop as gmerautos.txt

    [*]Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

Post back:

Gmer reports

Combofix report.

A new HijackThis log.

Share this post


Link to post
Share on other sites

Here are the reports requested:

ComboFix 09-03-18.01 - Ariff 2009-03-19 16:03:42.1 - NTFSx86

Microsoft

Share this post


Link to post
Share on other sites

Hi, before you continue with below, please move combofix exe onto the desktop as the scripts will only work from there.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\windows\System32\gaopdxcounter

c:\windows\System32\gaopdxvtpkqdpdrivoqcjgperqkwcefvybnxfv.dll

Folder::

c:\program files\Vuze

c:\users\Ariff\AppData\Roaming\Azureus

DirLook::

C:\A

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Update malwarebytes do me a quick scan.

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX. click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

Post combofix report

malwarebytes report

Eset report

Share this post


Link to post
Share on other sites

I am now able to log into malwarebytes.org from the infected computer and update software using the update feature. Here are the reports:

ComboFix 09-03-18.01 - Ariff 2009-03-19 18:47:03.2 - NTFSx86

Microsoft

Share this post


Link to post
Share on other sites

Things are looking a lot better, I will need to look over the returned reports and will get back to you at some point tomorrow as it's late here. :(

Share this post


Link to post
Share on other sites

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::c:\windows\TEMP\TMP0000006CF7EC81760B04637C

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post a fresh HJT log and let me know how things are with the pc.

Share this post


Link to post
Share on other sites

Hi Dan,

I haven't noticed any signs of the virus recently. Thanks again for your help with the virus removal.

Here are the requested logs:

ComboFix 09-03-18.01 - Ariff 2009-03-20 23:19:42.3 - NTFSx86

Microsoft

Share this post


Link to post
Share on other sites

I ran ATF Cleaner, HijackThis (and fixed R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =), ComboFix /u, and then deleted rootrepeal, gooredfix, dds and gmer.

Thanks again for your help with the virus.

Share this post


Link to post
Share on other sites

Congratulations you are clean! :(

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Create a new System Restore Point

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore-Vista

  • Click the Vista/Start icon.
  • Right Click >> Computer
  • Click Properties.
  • Click the System Protection tab.
  • Uncheck All drives
  • Click "Turn Off System Restore" at the prompt then click "Apply".
  • Restart your computer.

Turn ON System Restore-Vista

  • Click the Vista/Start icon
  • Right Click >> Computer
  • Click Properties.
  • Click the System Protection tab.
  • Checkmark All drives that were selected previously then click "Apply".

Here are some free programs I recommend that could help you improve your computer's security.

(Vista users must ensure that any programs are Vista compatible BEFORE installing)

Spybot Search and Destroy 1.5.2

Download it from here. Just choose a mirror and off you go.

Find here the tutorial on how to use Spybot properly here

Find here changes from older version 1.4 here

Install Spyware Guard

Download it from here

Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster

Download it from here

Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install MVPS Hosts File from here

The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing!

Dan

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.