Infected with DNS Changer Trojan


This topic is locked. 2 replies to this topic.

#1 Nandor (Members, 1 posts)

Posted 30 April 2009 - 07:01 AM

Hi, can you please help me remove the DNS Changer Trojan I picked up?

I managed to remove some of it using Malwarebytes, but it keeps coming back every time I restart my PC - C:\WINDOWS\SYSTEM32\GXVXCCOUNTER
I tried running SpyBot Search and Destroy, but it bluescreens my PC every time I try to install it.

Symptoms are that it won't let me go to windowsupdate.com and it redirects links randomly to google search.

Please help!

Nandor
---------------------------

DDS (Ver_09-03-16.01) - NTFSx86
Run by Nandor Csapo at 21:35:37.91 on Thu 30/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.3326.2150 [GMT 10:00]

AV: eTrust Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\IT Connection Manager\SRUserService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\CA\eTrust Antivirus\Realmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Nandor Csapo\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Realtime Monitor] c:\program files\ca\etrust antivirus\realmon.exe -s
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/octet-stream - {F969FE8E-1937-45AD-AF42-8A4D11CBDC2A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-10 150568]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 SRUserService;IT Connection Manager;c:\program files\it connection manager\SRUserService.exe [2008-2-27 278672]
R3 dc3d;USBCCGP filter driver (dc3d);c:\windows\system32\drivers\dc3d.sys [2009-1-15 15360]
R3 L1E;NDIS Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1E60x86.sys [2008-10-15 47616]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2008-4-4 87424]

=============== Created Last 30 ================

2009-04-26 17:07 227,155,639 a------- c:\windows\MEMORY.DMP
2009-04-26 17:06 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-04-26 17:06 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-04-18 10:52 <DIR> --d----- c:\programdata\STOPzilla!
2009-04-18 10:52 <DIR> --d----- c:\progra~2\STOPzilla!
2009-04-14 23:07 <DIR> --d----- c:\users\nandor~1\appdata\roaming\Malwarebytes
2009-04-14 23:03 <DIR> --d----- c:\program files\CCleaner
2009-04-14 22:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-14 22:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 22:57 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-14 22:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-14 22:57 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-14 01:44 <DIR> --d----- c:\program files\Trend Micro
2009-04-14 00:38 <DIR> --d----- c:\programdata\Lavasoft
2009-04-10 03:04 <DIR> --d----- c:\users\nandor~1\appdata\roaming\AVSMedia
2009-04-10 03:03 638,976 a------- c:\windows\system32\divx.dll
2009-04-10 03:03 221,215 a------- c:\windows\system32\divxdec.ax
2009-04-10 03:03 156,910 a------- c:\windows\WMSysPr8.prx
2009-04-10 03:03 139,264 a------- c:\windows\system32\xvidvfw.dll
2009-04-10 03:03 98,304 a------- c:\windows\system32\L3CODECX.AX
2009-04-10 03:03 53,248 a------- c:\windows\system32\xvid.ax
2009-04-10 03:03 524,288 a------- c:\windows\system32\xvidcore.dll
2009-04-10 03:03 413,760 a------- c:\windows\system32\mpg4c32.dll
2009-04-10 03:03 261,632 a------- c:\windows\system32\mcdvd_32.dll
2009-04-10 03:03 82,944 a------- c:\windows\system32\vct3216.acm
2009-04-10 03:03 81,920 a------- c:\windows\system32\AC3ACM.acm
2009-04-10 03:03 38,912 a------- c:\windows\system32\alf2cd.acm
2009-04-10 03:03 13,239 a------- c:\windows\system32\Scg726.acm
2009-04-10 02:49 <DIR> --d----- c:\users\nandor~1\appdata\roaming\GetRightToGo
2009-04-06 23:44 <DIR> --d----- c:\users\nandor~1\appdata\roaming\VideoFab
2009-04-06 23:30 <DIR> --d----- c:\users\nandor~1\appdata\roaming\DVDFab
2009-04-06 23:24 87,608 a------- c:\users\nandor~1\appdata\roaming\inst.exe
2009-04-06 23:03 <DIR> --d----- c:\users\nandor~1\appdata\roaming\AVS4YOU
2009-04-06 23:03 <DIR> --d----- c:\programdata\AVS4YOU
2009-04-06 23:03 <DIR> --d----- c:\progra~2\AVS4YOU
2009-04-06 23:02 <DIR> --d----- c:\program files\common files\AVSMedia
2009-04-06 23:02 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-04-06 23:02 24,576 a------- c:\windows\system32\msxml3a.dll
2009-04-04 02:16 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector

==================== Find3M ====================

2009-04-07 00:02 47,360 a------- c:\users\nandor~1\appdata\roaming\pcouffin.sys
2009-04-06 23:25 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-06 23:25 51,200 a------- c:\windows\inf\infpub.dat
2009-04-06 23:25 86,016 a------- c:\windows\inf\infstor.dat
2009-04-06 23:24 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-19 19:48 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-03-19 19:26 3,498 a------- c:\windows\system32\ealregsnapshot1.reg
2009-03-17 13:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 13:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 13:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 21:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 21:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 21:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 21:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 21:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 21:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 21:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 21:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 21:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 21:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 21:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 21:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 21:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 21:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 21:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 21:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 21:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 21:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-03 14:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 14:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 14:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 14:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 14:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 14:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 14:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 14:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 13:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 12:38 17,408 a------- c:\windows\system32\iashost.exe
2009-02-28 01:21 1,469,952 a------- c:\users\nandor~1\appdata\roaming\tsdnwin.dll
2009-02-13 18:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 18:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-06 18:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 17:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-05 09:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-06 21:10 16 ----h--- c:\users\nandor csapo\SyncToy_62db6d4e-8386-43b2-b405-97b683260abb.dat
2008-10-16 23:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-10-16 21:49 81,920 a------- c:\users\nandor~1\appdata\roaming\ezpinst.exe
2008-01-21 12:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 22:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-06-24 16:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 21:35:57.24 ===============
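Added example, not part of the thread and not DDS's own code: a small Python triage pass over the kind of lines in the DDS log above, flagging the entries a malware responder would look at first: UAC disabled (`EnableLUA = 0`), a nameless `mRun` autorun, and binaries sitting directly in roaming AppData. The sample lines are copied from the log above; the heuristics are this example's assumptions, and a hit means "inspect", not "malicious".

```python
import re

# Sample input: a handful of lines copied from the DDS log in the first post.
SAMPLE_LOG = r"""
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
2009-04-06 23:24 87,608 a------- c:\users\nandor~1\appdata\roaming\inst.exe
2009-02-28 01:21 1,469,952 a------- c:\users\nandor~1\appdata\roaming\tsdnwin.dll
2009-04-07 00:02 47,360 a------- c:\users\nandor~1\appdata\roaming\pcouffin.sys
2009-04-14 22:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# Line shapes seen in a DDS "Pseudo HJT Report" and its file-date sections.
POLICY_LINE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
RUN_LINE = re.compile(r"^([um]Run): \[(.*?)\](.*)$")
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|<DIR>) \S+ (.+)$")
ROAMING = "\\appdata\\roaming\\"


def triage_line(line):
    """Return (severity, reason) for one DDS line, or None if nothing stands out.
    The heuristics are assumptions of this example: a hit means 'inspect', not 'malicious'."""
    m = POLICY_LINE.match(line)
    if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
        return ("high", "UAC disabled (EnableLUA = 0): writes to system32 go unprompted")
    m = RUN_LINE.match(line)
    if m:
        name, cmd = m.group(2), m.group(3).strip()
        if name == "<NO NAME>" or not cmd:
            return ("medium", f"{m.group(1)} autorun with empty name or command: {line}")
        if ROAMING in cmd.lower():
            return ("medium", f"{m.group(1)} autorun launched from roaming AppData: {cmd}")
        return None
    m = FILE_LINE.match(line)
    if m:
        path = m.group(1)
        idx = path.lower().find(ROAMING)
        tail = path.lower()[idx + len(ROAMING):] if idx != -1 else ""
        # A binary directly under AppData\Roaming (no subfolder) is an odd install location.
        if idx != -1 and "\\" not in tail and tail.endswith((".exe", ".dll", ".sys")):
            return ("medium", f"binary dropped directly in roaming AppData: {path}")
    return None


def triage(text):
    """Run triage_line over a whole DDS log; findings come back in log order."""
    hits = (triage_line(line.strip()) for line in text.splitlines() if line.strip())
    return [h for h in hits if h]
```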


#2 teacup61 (Malware Response Team, 17,075 posts)

Posted 13 May 2009 - 01:05 AM

Hello Nandor,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. You have a rootkit, so that explains why what you've run hasn't worked.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Malware Response Team, 17,075 posts)

Posted 24 May 2009 - 04:22 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.