Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page DNSchanger
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 01-17-2009, 01:05 PM   #1 (permalink)
Registered User
 
palguy's Avatar
 
Join Date: Nov 2004
Posts: 369
OS: xp


DNSchanger
I just recently started seeing strange banner adds for Vimax Pills when using Hotmail. Also I cannot to connect to Windows Live via Hotmail. Other strange advertisements are showing up. I cannot use system restore to restore to an earlier date. Also note that I have 2 additional harddrives that also have or had "resycle" folders and autorun.inf files in them.

I have am posting what I hope is the necessary information and attachments from what I read in the what to do before posting thread.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Tom at 14:48:23.76 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.560 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Home Plan Software\Date Reminder\dr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tom\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [QuickGammaLoader] c:\program files\quickgamma\QuickGammaLoader.exe
uRun: [dr] "c:\program files\home plan software\date reminder\dr.exe" /autorun
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\documents and settings\tom\start menu\programs\startup\numlock.vbs
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\numlock.vbs
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: wvUnMcdA - wvUnMcdA.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\b99dk5w3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\tom\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-12-25 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-12-25 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-12-25 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-12-25 10760]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2008-11-21 72992]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-12-25 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-12-25 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-12-25 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-12-25 4960]
R4 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2008-11-21 1078560]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-01-17 12:29 5,120 a--sh--- c:\windows\system32\Thumbs.db
2009-01-17 12:18 <DIR> --d----- c:\program files\Exterminate It!
2009-01-17 11:33 <DIR> --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-01-17 11:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-17 11:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 11:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 21:30 <DIR> --d----- c:\docume~1\tom\applic~1\LimeWire
2009-01-16 21:13 <DIR> --d----- c:\program files\LimeWire
2009-01-11 14:15 14,848 a--sh--- c:\windows\Thumbs.db
2009-01-09 05:43 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-08 16:49 <DIR> --d----- c:\program files\Oberon Media
2009-01-08 06:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-01-08 05:59 <DIR> --d----- c:\windows\RegisteredPackages
2009-01-05 13:12 18,632 a------- c:\docume~1\tom\applic~1\GDIPFONTCACHEV1.DAT
2008-12-31 19:17 27,262,976 a------- C:\VIRTPART.DAT
2008-12-27 13:11 87,608 a------- c:\docume~1\tom\applic~1\inst.exe
2008-12-27 13:11 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-27 13:11 47,360 a------- c:\docume~1\tom\applic~1\pcouffin.sys
2008-12-27 13:11 <DIR> --d----- c:\program files\DVDFab 5
2008-12-26 15:15 <DIR> --d----- c:\program files\QuickGamma
2008-12-26 15:04 116 a------- c:\windows\NeroDigital.ini
2008-12-26 13:39 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-26 13:20 <DIR> --d----- c:\program files\Nero
2008-12-26 13:13 <DIR> --d----- c:\docume~1\tom\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-12-26 13:04 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-26 12:19 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-26 12:19 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-26 12:18 <DIR> --d----- c:\program files\iPod
2008-12-26 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-26 12:18 <DIR> --d----- c:\program files\iTunes
2008-12-26 12:17 <DIR> --d----- c:\program files\Bonjour
2008-12-26 12:17 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-12-26 11:58 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2008-12-26 11:58 1,843,200 a------- c:\windows\system32\acXMLParser.dll
2008-12-26 11:58 3,518,464 a------- c:\windows\system32\cdintf300.dll
2008-12-26 11:58 <DIR> --d----- c:\docume~1\tom\applic~1\Intuit
2008-12-26 11:57 <DIR> --d----- c:\program files\common files\Palo Alto Software
2008-12-26 11:57 <DIR> --d----- c:\program files\common files\Intuit
2008-12-26 11:57 <DIR> --d----- c:\program files\Quicken
2008-12-26 11:57 165 a------- c:\windows\QUICKEN.INI
2008-12-26 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2008-12-26 11:40 <DIR> --d----- c:\program files\PWUnmask
2008-12-26 11:35 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-26 11:35 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-26 04:42 <DIR> --d----- c:\program files\Webshots
2008-12-26 04:42 <DIR> --d----- c:\docume~1\tom\applic~1\Webshots
2008-12-26 04:34 45,056 a------- c:\windows\system32\WNASPI32.DLL
2008-12-26 04:34 17,005 a------- c:\windows\system32\drivers\ASPI32.SYS
2008-12-26 04:34 5,600 a------- c:\windows\system\WINASPI.DLL
2008-12-26 04:34 4,672 a------- c:\windows\system\WOWPOST.EXE
2008-12-26 04:34 <DIR> --d----- c:\docume~1\tom\applic~1\Symantec
2008-12-26 04:34 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-26 04:34 <DIR> --d----- c:\program files\Symantec
2008-12-26 04:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-26 04:32 <DIR> --d----- C:\ng2003
2008-12-26 03:34 <DIR> --d----- c:\program files\SysShield Tools
2008-12-26 03:34 <DIR> --d----- c:\program files\CleanUp!
2008-12-26 03:11 <DIR> --d----- c:\program files\XaMp studio
2008-12-26 02:52 <DIR> --d----- c:\program files\PhotomatixPro3
2008-12-26 02:50 <DIR> --d----- c:\windows\system32\URTTemp
2008-12-26 02:19 <DIR> --d----- c:\program files\Blue Coat K9 Web Protection
2008-12-26 01:49 <DIR> --d----- c:\program files\Home Plan Software
2008-12-26 01:40 <DIR> --d----- c:\program files\mIRC
2008-12-26 00:13 <DIR> --d----- c:\docume~1\tom\applic~1\Auslogics
2008-12-26 00:12 <DIR> --d----- c:\program files\Auslogics
2008-12-25 23:35 376 a------- c:\windows\ODBC.INI
2008-12-25 23:34 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-12-25 23:34 <DIR> --d----- c:\windows\ShellNew
2008-12-25 23:24 <DIR> --d----- c:\docume~1\tom\applic~1\AVG7
2008-12-25 23:17 <DIR> --d----- c:\windows\system32\scripting
2008-12-25 23:17 <DIR> --d----- c:\windows\l2schemas
2008-12-25 23:17 <DIR> --d----- c:\windows\system32\en
2008-12-25 23:17 <DIR> --d----- c:\windows\system32\bits
2008-12-25 22:52 908 -c------ c:\windows\system32\dllcache\skins.inf
2008-12-25 22:51 290,816 -c------ c:\windows\system32\dllcache\l3codeca.acm
2008-12-25 22:50 8,192 -c------ c:\windows\system32\dllcache\asferror.dll
2008-12-25 22:50 136,192 -------- c:\windows\system32\aaclient.dll
2008-12-25 22:49 <DIR> --d----- c:\windows\pss
2008-12-25 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Canon
2008-12-25 22:44 1,138,688 a------- c:\windows\system32\MpAdtlws.dll
2008-12-25 22:44 <DIR> --d----- c:\program files\Canon
2008-12-25 22:42 <DIR> --d----- c:\windows\network diagnostic
2008-12-25 22:42 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2008-12-25 22:30 <DIR> --d----- c:\windows\system32\Adobe
2008-12-25 22:14 266,360 a------- c:\windows\system32\TweakUI.exe
2008-12-25 22:14 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2008-12-25 22:10 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-12-25 22:10 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2008-12-25 22:10 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-12-25 22:10 3,593,216 -c------ c:\windows\system32\dllcache\mshtml.dll
2008-12-25 22:10 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-12-25 22:10 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2008-12-25 22:10 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-12-25 22:10 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2008-12-25 22:08 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-25 22:08 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-25 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2008-12-25 22:07 <DIR> --d----- c:\windows\system32\PreInstall
2008-12-25 22:07 <DIR> --d-h--- c:\windows\$hf_mig$
2008-12-25 22:01 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2008-12-25 21:54 <DIR> --ds---- c:\windows\system32\Microsoft
2008-12-25 21:47 369,664 a------- c:\windows\system32\html.iec
2008-12-25 21:46 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-25 21:44 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2008-12-25 21:43 26,488 a------- c:\windows\system32\spupdsvc.exe
2008-12-25 21:41 <DIR> --d----- c:\windows\EHome
2008-12-25 21:35 252,936 a----r-- c:\windows\system32\drivers\ALCXWDM.SYS
2008-12-25 21:35 146,048 a------- c:\windows\system32\drivers\portcls.sys
2008-12-25 21:35 129,536 a------- c:\windows\system32\ksproxy.ax
2008-12-25 21:35 49,408 a------- c:\windows\system32\drivers\stream.sys
2008-12-25 21:35 4,096 a------- c:\windows\system32\ksuser.dll
2008-12-25 21:35 141,056 a------- c:\windows\system32\drivers\ks.sys
2008-12-25 21:35 60,160 a------- c:\windows\system32\drivers\drmk.sys
2008-12-25 21:28 37,248 a------- c:\windows\system32\drivers\isapnp.sys
2008-12-25 21:28 <DIR> --d----- c:\windows\system32\ReinstallBackups
2008-12-25 21:27 306,688 a------- c:\windows\IsUninst.exe
2008-12-25 21:27 <DIR> --d----- c:\documents and settings\tom\WINDOWS
2008-12-25 21:27 3,291 a------- c:\windows\Ascd_tmp.ini
2008-12-25 21:27 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2008-12-25 21:25 <DIR> --dsh--- c:\windows\Installer
2008-12-25 21:25 <DIR> --d----- c:\documents and settings\Tom
2008-12-25 21:22 8,192 a------- c:\windows\REGLOCS.OLD
2008-12-25 21:20 571,392 ac------ c:\windows\system32\dllcache\tintlgnt.ime
2008-12-25 21:19 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2008-12-25 21:18 2,577 a------- c:\windows\system32\CONFIG.NT
2008-12-25 21:18 0 a------- c:\windows\control.ini
2008-12-25 21:18 25,065 a------- c:\windows\system32\wmpscheme.xml
2008-12-25 21:18 23,392 a------- c:\windows\system32\nscompat.tlb
2008-12-25 21:18 16,832 a------- c:\windows\system32\amcompat.tlb
2008-12-25 21:18 299,552 a------- c:\windows\WMSysPrx.prx
2008-12-25 21:18 <DIR> --dsh--- c:\documents and settings\all users\DRM
2008-12-25 21:16 <DIR> --d----- c:\program files\common files\MSSoap
2008-12-25 21:15 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-12-25 21:15 <DIR> --d----- c:\program files\Online Services
2008-12-25 21:15 <DIR> --d----- c:\program files\Messenger
2008-12-25 21:15 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-12-25 21:15 <DIR> --d----- c:\program files\Windows NT
2008-12-25 16:08 <DIR> --d----- c:\program files\common files\ODBC
2008-12-25 16:07 <DIR> --d----- c:\program files\common files\SpeechEngines
2008-12-25 16:07 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2008-12-25 21:15 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-21 17:08 72,992 a------- c:\windows\system32\drivers\bckd.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll

============= FINISH: 14:48:36.06 ===============
Attached Files
File Type: zip Attach.zip (4.5 KB, 2 views)
__________________
"We never seem to have the time to do things correctly, but we inevitably find the time to do them over again."
Last edited by palguy; 01-17-2009 at 01:19 PM. Reason: Addition of problem information.
palguy is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 01-19-2009, 02:55 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,605
OS: 2000 Pro; XP Pro; XP Home


Re: DNSchanger
Hello, palguy. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-19-2009, 04:59 PM   #3 (permalink)
Registered User
 
palguy's Avatar
 
Join Date: Nov 2004
Posts: 369
OS: xp


Re: DNSchanger
Although I disabled AVG ComboFix said it was still scanning but ran anyway.

Here is the log. The date is wrong but I have since fixed that.

ComboFix 09-01-17.02 - Tom 2009-01-17 15:40:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.677 [GMT -5:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tom\Application Data\inst.exe
c:\windows\system32\drivers\gaopdxpyriesmn.sys
c:\windows\system32\gaopdxgxvmttpd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 14:51 . 2009-01-17 14:51 250 --a------ c:\windows\gmer.ini
2009-01-17 14:30 . 2009-01-17 14:30 <DIR> d-------- c:\documents and settings\Administrator
2009-01-17 12:29 . 2009-01-17 12:29 5,120 --ahs---- c:\windows\system32\Thumbs.db
2009-01-17 12:18 . 2009-01-17 12:35 <DIR> d-------- c:\program files\Exterminate It!
2009-01-17 11:53 . 2009-01-17 11:53 71,680 --a------ c:\windows\system32\drivers\gaopdxxjlbabir.sys
2009-01-17 11:33 . 2009-01-17 11:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 11:33 . 2009-01-17 11:33 <DIR> d-------- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-01-17 11:33 . 2009-01-17 11:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-17 11:33 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 11:33 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 21:30 . 2009-01-17 12:31 <DIR> d-------- c:\documents and settings\Tom\Application Data\LimeWire
2009-01-16 21:13 . 2009-01-17 14:46 <DIR> d-------- c:\program files\LimeWire
2009-01-16 20:31 . 2009-01-16 20:31 71,680 --a------ c:\windows\system32\drivers\gaopdxrnvxumej.sys
2009-01-11 14:15 . 2009-01-17 12:29 14,848 --ahs---- c:\windows\Thumbs.db
2009-01-09 05:43 . 2009-01-09 05:43 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-08 16:49 . 2009-01-16 20:26 <DIR> d-------- c:\program files\Oberon Media
2009-01-08 16:49 . 2009-01-17 14:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-08 16:35 . 2009-01-08 16:35 <DIR> d-------- c:\windows\Sun
2009-01-08 15:35 . 2009-01-08 15:35 <DIR> d-------- c:\documents and settings\Brendan\Application Data\Nero
2009-01-08 06:03 . 2009-01-17 15:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-01-07 14:34 . 2009-01-07 14:34 <DIR> d-------- c:\documents and settings\Tom\Application Data\Nero
2009-01-05 13:12 . 2009-01-05 13:12 18,632 --a------ c:\documents and settings\Tom\Application Data\GDIPFONTCACHEV1.DAT
2008-12-31 19:17 . 2008-12-31 19:17 27,262,976 --a------ C:\VIRTPART.DAT
2008-12-27 16:42 . 2008-12-27 16:42 <DIR> d-------- c:\documents and settings\Brendan\Application Data\Apple Computer
2008-12-27 13:11 . 2009-01-17 12:31 <DIR> d-------- c:\program files\DVDFab 5
2008-12-27 13:11 . 2009-01-09 18:23 <DIR> d-------- c:\documents and settings\Tom\Application Data\Vso
2008-12-27 13:11 . 2008-12-27 13:11 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-12-27 13:11 . 2008-12-27 13:11 47,360 --a------ c:\documents and settings\Tom\Application Data\pcouffin.sys
2008-12-26 15:15 . 2008-12-26 15:15 <DIR> d-------- c:\program files\QuickGamma
2008-12-26 15:04 . 2009-01-17 12:29 116 --a------ c:\windows\NeroDigital.ini
2008-12-26 13:56 . 2008-12-26 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-26 13:49 . 2008-12-26 13:49 <DIR> d-------- c:\program files\Adobe Media Player
2008-12-26 13:45 . 2008-12-26 13:45 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-26 13:39 . 2008-12-26 13:39 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-26 13:21 . 2008-12-26 15:05 <DIR> d-------- c:\documents and settings\Tom\Application Data\Ahead
2008-12-26 13:20 . 2009-01-17 15:15 <DIR> d-------- c:\program files\Nero
2008-12-26 13:20 . 2009-01-08 06:02 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-26 13:13 . 2008-12-26 13:13 <DIR> d-------- c:\documents and settings\Tom\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-12-26 13:09 . 2008-12-26 13:09 <DIR> d-------- c:\documents and settings\Twins\Application Data\AVG7
2008-12-26 13:08 . 2008-12-26 13:08 <DIR> d-------- c:\documents and settings\Twins
2008-12-26 13:04 . 2008-04-13 19:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-26 12:19 . 2008-12-28 14:41 <DIR> d-------- c:\documents and settings\Tom\Application Data\Apple Computer
2008-12-26 12:19 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-26 12:19 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-26 12:18 . 2008-12-26 12:19 <DIR> d-------- c:\program files\iTunes
2008-12-26 12:18 . 2008-12-26 12:18 <DIR> d-------- c:\program files\iPod
2008-12-26 12:18 . 2008-12-26 12:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-26 12:17 . 2008-12-26 12:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-26 12:17 . 2008-12-26 12:17 <DIR> d-------- c:\program files\Bonjour
2008-12-26 12:17 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-26 12:09 . 2009-01-16 20:26 <DIR> d-------- c:\program files\QuickTime
2008-12-26 12:09 . 2008-12-26 12:16 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-26 12:08 . 2008-12-26 12:08 <DIR> d-------- c:\program files\Apple Software Update
2008-12-26 12:08 . 2008-12-26 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-26 12:08 . 2008-12-26 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-26 11:58 . 2009-01-17 14:37 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2008-12-26 11:58 . 2008-12-26 11:58 <DIR> d-------- c:\documents and settings\Tom\Application Data\Intuit
2008-12-26 11:58 . 2007-07-26 17:13 3,518,464 --a------ c:\windows\system32\cdintf300.dll
2008-12-26 11:58 . 2007-07-26 17:13 1,843,200 --a------ c:\windows\system32\acXMLParser.dll
2008-12-26 11:57 . 2009-01-16 20:26 <DIR> d-------- c:\program files\Quicken
2008-12-26 11:57 . 2008-12-26 11:57 <DIR> d-------- c:\program files\Common Files\Palo Alto Software
2008-12-26 11:57 . 2008-12-26 11:57 <DIR> d-------- c:\program files\Common Files\Intuit
2008-12-26 11:57 . 2008-12-26 12:08 165 --a------ c:\windows\QUICKEN.INI
2008-12-26 11:56 . 2008-12-26 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2008-12-26 11:40 . 2008-12-26 11:40 <DIR> d-------- c:\program files\PWUnmask
2008-12-26 11:35 . 2008-12-26 11:35 <DIR> d-------- c:\program files\Java
2008-12-26 11:35 . 2008-12-26 11:35 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 11:35 . 2008-12-26 11:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-26 04:42 . 2009-01-16 20:26 <DIR> d-------- c:\program files\Webshots
2008-12-26 04:42 . 2008-12-26 04:42 <DIR> d-------- c:\documents and settings\Tom\Application Data\Webshots
2008-12-26 04:34 . 2008-12-26 04:35 <DIR> d-------- c:\program files\Symantec
2008-12-26 04:34 . 2008-12-26 04:34 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-26 04:34 . 2008-12-26 04:34 <DIR> d-------- c:\documents and settings\Tom\Application Data\Symantec
2008-12-26 04:34 . 2008-12-26 04:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-26 04:34 . 2002-08-14 15:03 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2008-12-26 04:34 . 2002-08-14 15:03 17,005 --a------ c:\windows\system32\drivers\ASPI32.SYS
2008-12-26 04:34 . 2002-08-14 15:03 5,600 --a------ c:\windows\system\WINASPI.DLL
2008-12-26 04:34 . 2002-08-14 15:03 4,672 --a------ c:\windows\system\WOWPOST.EXE
2008-12-26 04:32 . 2008-12-26 04:32 <DIR> d-------- C:\ng2003
2008-12-26 04:27 . 2008-12-26 04:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-12-26 03:34 . 2008-12-26 03:34 <DIR> d-------- c:\program files\SysShield Tools
2008-12-26 03:34 . 2009-01-17 14:04 <DIR> d-------- c:\program files\CleanUp!
2008-12-26 03:17 . 2008-12-26 03:18 <DIR> d-------- c:\program files\Google
2008-12-26 03:17 . 2009-01-16 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-26 03:11 . 2009-01-16 20:26 <DIR> d-------- c:\program files\XaMp studio
2008-12-26 02:52 . 2009-01-16 20:26 <DIR> d-------- c:\program files\PhotomatixPro3
2008-12-26 02:50 . 2008-12-26 02:52 <DIR> d-------- c:\windows\system32\URTTemp
2008-12-26 02:19 . 2009-01-17 15:39 <DIR> d-------- c:\program files\Blue Coat K9 Web Protection
2008-12-26 01:49 . 2008-12-26 01:49 <DIR> d-------- c:\program files\Home Plan Software
2008-12-26 01:40 . 2009-01-08 06:01 <DIR> d-------- c:\program files\mIRC
2008-12-26 01:24 . 2008-12-26 13:51 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-26 01:13 . 2008-12-26 01:14 <DIR> d-------- c:\program files\Windows Defender
2008-12-26 00:43 . 2008-12-26 00:43 <DIR> d-------- c:\program files\CyberLink
2008-12-26 00:13 . 2008-12-26 16:08 <DIR> d-------- c:\documents and settings\Tom\Application Data\Auslogics
2008-12-26 00:12 . 2008-12-26 00:12 <DIR> d-------- c:\program files\Auslogics
2008-12-25 23:35 . 2008-12-25 23:35 376 --a------ c:\windows\ODBC.INI
2008-12-25 23:34 . 2009-01-17 12:29 <DIR> d-------- c:\windows\ShellNew
2008-12-25 23:34 . 2008-12-25 23:34 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-25 23:24 . 2009-01-17 12:18 <DIR> d-------- c:\documents and settings\Tom\Application Data\AVG7
2008-12-25 23:17 . 2008-12-25 23:17 <DIR> d-------- c:\windows\system32\scripting
2008-12-25 23:17 . 2008-12-25 23:17 <DIR> d-------- c:\windows\system32\en
2008-12-25 23:17 . 2008-12-25 23:17 <DIR> d-------- c:\windows\system32\bits
2008-12-25 23:17 . 2008-12-25 23:17 <DIR> d-------- c:\windows\l2schemas
2008-12-25 22:52 . 2008-09-09 20:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2008-12-25 22:51 . 2008-04-13 19:11 650,752 --------- c:\windows\system32\dot3ui.dll
2008-12-25 22:50 . 2008-04-13 19:11 136,192 --------- c:\windows\system32\aaclient.dll
2008-12-25 22:50 . 2008-04-13 12:23 8,192 -----c--- c:\windows\system32\dllcache\asferror.dll
2008-12-25 22:44 . 2008-12-26 11:58 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-25 22:44 . 2008-12-25 22:44 <DIR> d-------- c:\program files\Canon
2008-12-25 22:44 . 2008-12-25 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Canon
2008-12-25 22:44 . 2002-11-09 10:25 1,138,688 --a------ c:\windows\system32\MpAdtlws.dll
2008-12-25 22:43 . 2002-05-09 07:44 589,824 -ra------ c:\windows\system32\CFFL2WUD.DLL
2008-12-25 22:43 . 2001-04-10 12:10 327,740 -ra------ c:\windows\system32\UCS32P.DLL
2008-12-25 22:43 . 2002-05-09 07:53 135,168 -ra------ c:\windows\system32\mpmasdll.dll
2008-12-25 22:43 . 2000-04-12 22:02 119,808 -ra------ c:\windows\system32\ITLIB32.DLL
2008-12-25 22:43 . 2002-05-09 07:43 118,784 -ra------ c:\windows\system32\MPIMGENH.DLL
2008-12-25 22:43 . 2000-04-12 22:02 45,056 -ra------ c:\windows\system32\CANOIT32.EXE
2008-12-25 22:43 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-25 22:42 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2008-12-25 22:38 . 2008-12-26 11:58 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-25 22:30 . 2008-12-25 22:31 <DIR> d-------- c:\windows\system32\Adobe
2008-12-25 22:14 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-12-25 22:14 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-12-25 22:10 . 2008-12-13 01:40 3,593,216 -----c--- c:\windows\system32\dllcache\mshtml.dll
2008-12-25 22:10 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 02:19 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 22:08 72,992 ----a-w c:\windows\system32\drivers\bckd.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_15.27.52.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2009-01-17 20:39:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"QuickGammaLoader"="c:\program files\QuickGamma\QuickGammaLoader.exe" [2005-03-28 68096]
"dr"="c:\program files\Home Plan Software\Date Reminder\dr.exe" [2007-04-22 347344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-12-25 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-12-25 219136]

c:\documents and settings\Brendan\Start Menu\Programs\Startup\
numlock.vbs [2008-12-25 77]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
numlock.vbs [2008-12-25 77]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-12-26 157000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
numlock.vbs [2008-12-25 77]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2008-11-21 72992]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [2002-08-14 5632]
R4 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2008-11-21 1078560]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-26 03:17]

2009-01-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\b99dk5w3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 15:41:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-01-17 15:42:58
ComboFix-quarantined-files.txt 2009-01-17 20:42:55
ComboFix2.txt 2009-01-17 20:28:15

Pre-Run: 476,774,604,800 bytes free
Post-Run: 476,762,374,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

251 --- E O F --- 2009-01-16 21:42:50
__________________
"We never seem to have the time to do things correctly, but we inevitably find the time to do them over again."
palguy is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-19-2009, 06:10 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,605
OS: 2000 Pro; XP Pro; XP Home


Re: DNSchanger
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    To disable AVG 7

    AVG
    Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: ) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
    When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335869-dnschanger.html#post1922271

    Collect::
    c:\windows\system32\drivers\gaopdxxjlbabir.sys
    c:\windows\system32\drivers\gaopdxrnvxumej.sys
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed.. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
  6. Please perform this online scan to help look for remnants

    Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on Settings. Uncheck Mail databases.
    • Next, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    ---------------------------------------------------------------------------------------------

    How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-20-2009, 02:28 AM   #5 (permalink)
Registered User
 
palguy's Avatar
 
Join Date: Nov 2004
Posts: 369
OS: xp


Re: DNSchanger
Here is the scan you requested. The machine appears to be operating normally at this time.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 20, 2009 00:02:53
Records in database: 1650458
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 82657
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:54:02


File name / Threat name / Threats count
C:\Documents and Settings\Tom\My Documents\Downloaded Programs\Programs & Registrations\astlog.zip Infected: not-a-virus:PSWTool.Win32.Asterisk.a 1
C:\Program Files\mIRC\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxgxvmttpd.dll.vir Infected: Trojan-PSW.Win32.Agent.lqj 1

The selected area was scanned.
__________________
"We never seem to have the time to do things correctly, but we inevitably find the time to do them over again."
palguy is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-20-2009, 08:50 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,605
OS: 2000 Pro; XP Pro; XP Home


Re: DNSchanger
Good job. We can ignore two of those finds, as long as you've intentionally brought mIRC and astlog onto the machine. astlog is an asterisk password revealer. These get flagged due to potential. If you've not intentionally brought these onto the machine, they should be removed.

The other item Kaspersky found is in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-20-2009, 11:53 AM   #7 (permalink)
Registered User
 
palguy's Avatar
 
Join Date: Nov 2004
Posts: 369
OS: xp


Re: DNSchanger
Thank you very much for all your help. I will take care of the clean up work.
__________________
"We never seem to have the time to do things correctly, but we inevitably find the time to do them over again."
palguy is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-20-2009, 11:57 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,605
OS: 2000 Pro; XP Pro; XP Home


Re: DNSchanger
Glad to have helped.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 03:49 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85