Various Issues, Thank You in Advance

Posted 22 June 2009 - 06:39 PM


First, thank you in advance for all of your help and expertise!

I am having an issue on an Acer Extensa, series 4620 model MS2204. I am running Vista Home Premium 32 bit.

I have various issues affecting my computer, all of which began at the same time (around 2 weeks ago). The major problem is not being able to connect to the Internet in regular mode (I am able to connect to my home network). I am using a wireless connection. I am, however, able to connect to the internet in Safe Mode with Networking. I tried using a wired connection with no luck. I have another computer on the network which works perfectly fine.

I tried system restore right away, but it wouldn't allow me to (I apologize, I do not remember the error message as it was a couple of weeks ago). I tried to run it again and it told me there were no restore points.

When I first discovered I could connect in Safe Mode with Networking, I tried searching Google for anything to help me, but was redirected each time to a different site (of random topics). When I hit the back button and clicked the link again, it took me to the correct site. However, this problem seems to have subsided (leading me to the new issue...)

When in Safe Mode with Networking, I tried using Windows Update, but it redirects me to Google English (not even sure if it's the "real" Google). I tried downloading SUPERAntiSpyware and Malwarebytes, but I keep getting an "Address not found" error on both sites in both Firefox and IE. I seem to be unable to access anything that has to do with Microsoft Updates.

Hope you can help! Here is the log file from DDS, and attached is the Attach.txt file. Thanks!

I ran this while in Safe Mode with Networking, please let me know if I need to run in Normal mode. I also have a HijackThis logfile if needed:

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Owner at 19:07:25.01 on Mon 06/22/2009
Internet Explorer: 7.0.6000.16830 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1357 [GMT -4:00]

AV: Trend Micro AntiVirus - Virus Protection *On-access scanning enabled* (Outdated) {9596F8E6-38C3-4C51-80B9-8C94D2E25B07}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Spy Sweeper *disabled* (Outdated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
SP: Trend Micro AntiVirus - Spyware Protection *enabled* (Outdated) {7241C815-3D0F-4059-9AF4-BF225B1D78B9}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [Acer Tour Reminder]
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [Acer Tour]
mRun: [PLFSet] "rundll32.exe" c:\windows\PLFSet.dll,PLFDefSetting
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [eRecoveryService]
mRun: [Trend Micro AntiVirus 2007] "c:\program files\trend micro\antivirus 2007\tavui.exe" -1 --delay 200
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRunOnce: [AOLRebootNeeded] regsvr32.exe /s
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: netflix.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer =,
TCP: {526A5B0A-BA19-45F3-B264-667F5997E8FF} =,
TCP: {74BA12ED-7C2D-4279-9589-BDEEA826796C} =,
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\8swgp36d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\8swgp36d.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-10 28544]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-9-17 13560]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-10-2 36368]
S2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\antivirus 2007\components\TmProxy.exe [2007-10-2 566872]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2009-1-6 18912]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2009-1-6 3768]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-1-6 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-1-6 3768]
S4 SoundMovieServer;SoundMovieServer;"c:\windows\system32\snmvtsvc.exe" --> c:\windows\system32\snmvtsvc.exe [?]

=============== Created Last 30 ================

2009-06-14 19:21 <DIR> --d----- c:\windows\pss
2009-06-11 21:33 269,207,423 a------- c:\windows\MEMORY.DMP
2009-06-11 19:42 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-11 19:07 <DIR> --d----- c:\program files\CCleaner
2009-06-10 21:43 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-10 21:42 <DIR> --d----- c:\program files\Panda Security
2009-06-04 21:36 <DIR> --d----- c:\users\owner\appdata\roaming\SSH
2009-06-04 21:35 <DIR> --d----- c:\program files\SSH Communications Security
2009-05-26 22:22 <DIR> --d----- c:\program files\Bulk Rename Utility

==================== Find3M ====================

2009-06-10 02:40 225,280 a------- c:\windows\system32\drivers\udfs.sys
2009-06-10 02:38 236,032 a------- c:\windows\system32\iprtrmgr.dll
2009-06-10 02:37 408,576 a------- c:\windows\system32\msvcp60.dll
2009-06-10 02:36 63,488 a------- c:\windows\system32\iscsiwmi.dll
2009-04-21 19:43 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-21 19:43 51,200 a------- c:\windows\inf\infpub.dat
2009-04-21 19:42 86,016 a------- c:\windows\inf\infstor.dat
2009-04-19 01:24 665,600 a------- c:\windows\inf\drvindex.dat
2009-04-09 12:48 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-14 11:48 174 a--sh--- c:\program files\desktop.ini
2008-07-04 21:59 740 a------- c:\users\owner\appdata\roaming\wklnhst.dat
2007-10-21 20:21 267,592 a------- c:\program files\Uninstall Ask Toolbar.dll
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-27 11:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009012920090130\index.dat
2007-09-17 16:28 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:08:39.16 ===============

#2 Farbar


Posted 23 June 2009 - 04:55 PM

Hi rrmac,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your computer is infected with a DNS-Changer trojan and all your internet traffic goes through the trojan's server.

Note: You may download Combofix in any mode or using another computer and transfer it to the desktop of the infected computer, but please run it in normal mode.
Run it just once as I need the log of the first run.
If ComboFix doesn't run, rename it to rr.exe and run it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you; if it needs to reboot, allow it. Please copy and paste the C:\ComboFix.txt in your next reply.
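The DNS-changer diagnosis above rests on the `TCP: NameServer` and `TCP: {interface GUID}` lines of the DDS log (which in the posted log appear with empty values). The following Python script is an added example, not code from the thread or from the DDS tool: it parses those lines from a DDS "Pseudo HJT Report" and flags every resolver the owner never configured, handling the empty-value shape seen in the log. The sample report, the 192.168.1.0/24 LAN, the router allowlist, the 203.0.113.x resolver addresses and the all-zero GUID are constructed placeholders, not real indicators.

```python
"""Audit the DNS resolver lines of a DDS "Pseudo HJT Report".

Added example, not code from the thread or from the DDS tool. It assumes the
two line shapes seen in the log ("TCP: NameServer = ..." and
"TCP: {interface GUID} = ...") and an owner-supplied view of what the
resolvers should be. Every address, network and GUID below is a constructed
placeholder, not a real indicator.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Matches "TCP: NameServer = a,b" and "TCP: {GUID} = a,b"; an empty value
# list such as "TCP: NameServer =," (the shape in the thread's log) is allowed.
_TCP_LINE = re.compile(
    r"^TCP:\s*(?P<scope>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>.*)$"
)

# Constructed expectations for a home network: the router is the only
# resolver the owner ever configured (assumption; adjust for the real LAN).
EXPECTED_LAN = ipaddress.ip_network("192.168.1.0/24")
APPROVED_RESOLVERS = {"192.168.1.1"}

# Constructed DDS excerpt: the machine-wide value and one interface point at
# off-LAN resolvers (203.0.113.x, a documentation range used as placeholder),
# a second interface still uses the router, and a third has no entry.
SAMPLE_REPORT = """\
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.example.com/
TCP: NameServer = 203.0.113.10,203.0.113.11
TCP: {526A5B0A-BA19-45F3-B264-667F5997E8FF} = 203.0.113.10,203.0.113.11
TCP: {74BA12ED-7C2D-4279-9589-BDEEA826796C} = 192.168.1.1
TCP: {00000000-0000-0000-0000-000000000000} =,
"""


def parse_nameservers(report: str) -> Dict[str, List[str]]:
    """Return {scope: [resolver, ...]} for every TCP: line of a DDS report.

    scope is "NameServer" (the machine-wide value) or an interface GUID.
    Lines that are not TCP: entries are ignored.
    """
    result: Dict[str, List[str]] = {}
    for line in report.splitlines():
        m = _TCP_LINE.match(line.strip())
        if not m:
            continue
        # Drop empty fields so "=," yields [] instead of ["", ""].
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        result[m.group("scope")] = servers
    return result


def classify_resolver(ip_text: str) -> Optional[str]:
    """Explain why a configured resolver is unexpected, or None if approved."""
    if ip_text in APPROVED_RESOLVERS:
        return None
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not a valid IP address"
    if ip in EXPECTED_LAN:
        return "LAN host that is not the approved resolver"
    return "off-LAN resolver never configured by the owner"


def audit_report(report: str) -> List[Tuple[str, str, str]]:
    """List (scope, resolver, reason) for every unexpected resolver."""
    findings: List[Tuple[str, str, str]] = []
    for scope, servers in parse_nameservers(report).items():
        for server in servers:
            reason = classify_resolver(server)
            if reason is not None:
                findings.append((scope, server, reason))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with the contents of a saved DDS.txt to audit it.
    for scope, server, reason in audit_report(SAMPLE_REPORT):
        print(f"{scope}: {server} -> {reason}")
```

Hits on the machine-wide `NameServer` value and on every active interface at once are the pattern to look for: a single stray entry is usually an old manual setting, while resolvers the owner never chose showing up everywhere matches the redirect and "Address not found" symptoms described in the first post.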

Posted 27 June 2009 - 07:38 PM

This thread will now be closed due to lack of activity.

If you should have the same or a new issue, please start a new topic.

