
DNS Changer Trojan Virus


40 replies to this topic

#1 dragoon2015


Posted 26 March 2015 - 10:45 AM

I have detected a DNS Changer Trojan Virus on my system using Malwarebytes. I thought it would remove the virus upon running, but it didn't. It has started to create pop-ups any time I use any search engine (Firefox, Chrome, IE) and has spread to my mobile, as it has started to do the same thing. I have re-installed Windows with no success. I have used a Windows boot disk to delete my C: drive and re-installed again after formatting. Still the virus persists.

 

This is beyond me. Help please. I cannot afford a new PC, and from reading up on this, that may not help anyway.

 

Awaiting your reply.


Edited by dragoon2015, 26 March 2015 - 10:45 AM.



#2 nasdaq

  • Malware Response Team

Posted 27 March 2015 - 10:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?

#3 dragoon2015

  • Topic Starter

Posted 27 March 2015 - 12:15 PM

Hello nasdaq,

Thank you for your time and help.

AdwCleaner log file:
 
# AdwCleaner v4.113 - Logfile created 27/03/2015 at 17:03:31
# Updated 22/03/2015 by Xplode
# Database : 2015-03-27.1 [Server]
# Operating system : Windows 7 Ultimate  (x64)
# Username : Martin - HAL-5000
# Running from : C:\Users\Martin\Downloads\adwcleaner_4.113.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.7600.16385
 
 
-\\ Google Chrome v41.0.2272.101
 
[C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [875 bytes] - [27/03/2015 17:01:14]
AdwCleaner[S0].txt - [805 bytes] - [27/03/2015 17:03:31]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [863  bytes] ##########
 
FRST log :
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Martin (administrator) on HAL-5000 on 27-03-2015 17:07:20
Running from C:\Users\Martin\Downloads
Loaded Profiles: Martin (Available profiles: Martin)
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\Martin\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12681320 2011-08-25] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-07-28] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-898660696-3059355129-3519592955-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-898660696-3059355129-3519592955-1000\...\MountPoints2: {9e9ab0ea-d499-11e4-b7c2-806e6f6e6963} - D:\Bin\ASSETUP.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Tcpip\Parameters: [DhcpNameServer] 91.194.254.105 8.8.8.8
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-27] (Google Inc.)
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\gcswf32.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\pdf.dll ()
CHR Plugin: (Chrome NaCl) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\gears.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Profile: C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Adblock Plus) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-03-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-27]
CHR Extension: (Google Wallet) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-27]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2011-07-28] (Advanced Micro Devices, Inc.) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-27 23:54 - 2015-03-27 16:00 - 00000000 ____D () C:\Windows\Panther
2015-03-27 17:07 - 2015-03-27 17:07 - 02095616 _____ (Farbar) C:\Users\Martin\Downloads\FRST64 (1).exe
2015-03-27 17:07 - 2015-03-27 17:07 - 00006327 _____ () C:\Users\Martin\Downloads\FRST.txt
2015-03-27 17:00 - 2015-03-27 17:07 - 00000000 ____D () C:\FRST
2015-03-27 17:00 - 2015-03-27 17:00 - 02095616 _____ (Farbar) C:\Users\Martin\Downloads\FRST64.exe
2015-03-27 16:59 - 2015-03-27 17:03 - 00000000 ____D () C:\AdwCleaner
2015-03-27 16:58 - 2015-03-27 16:58 - 02168320 _____ () C:\Users\Martin\Downloads\adwcleaner_4.113.exe
2015-03-27 16:42 - 2015-03-27 16:42 - 00880208 _____ (Google Inc.) C:\Users\Martin\Downloads\ChromeSetup (1).exe
2015-03-27 16:41 - 2015-03-27 16:42 - 00880208 _____ (Google Inc.) C:\Users\Martin\Downloads\ChromeSetup.exe
2015-03-27 16:37 - 2015-03-27 16:37 - 00000000 ____D () C:\Users\Martin\AppData\Roaming\Macromedia
2015-03-27 16:37 - 2015-03-27 16:37 - 00000000 ____D () C:\Users\Martin\AppData\Roaming\Adobe
2015-03-27 16:28 - 2015-03-03 13:17 - 00295552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-03-27 16:24 - 2015-03-27 16:24 - 00002154 _____ () C:\Windows\epplauncher.mif
2015-03-27 16:23 - 2015-03-27 16:23 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-03-27 16:23 - 2015-03-27 16:23 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-03-27 16:23 - 2015-03-27 16:23 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2015-03-27 16:23 - 2010-04-09 11:06 - 01898376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2015-03-27 16:23 - 2010-04-09 11:06 - 00374664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2015-03-27 16:22 - 2015-03-27 16:22 - 14160536 _____ (Microsoft Corporation) C:\Users\Martin\Downloads\mseinstall.exe
2015-03-27 16:20 - 2012-06-02 22:19 - 02428952 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-03-27 16:20 - 2012-06-02 22:19 - 00701976 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-03-27 16:20 - 2012-06-02 22:19 - 00057880 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-03-27 16:20 - 2012-06-02 22:19 - 00044056 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-03-27 16:20 - 2012-06-02 22:19 - 00038424 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-03-27 16:20 - 2012-06-02 22:15 - 02622464 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-03-27 16:20 - 2012-06-02 22:15 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-03-27 16:20 - 2012-06-02 15:19 - 00186752 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-03-27 16:20 - 2012-06-02 15:15 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-03-27 16:18 - 2011-08-23 13:57 - 00565352 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
2015-03-27 16:18 - 2011-08-23 13:57 - 00107552 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
2015-03-27 16:18 - 2011-08-23 13:57 - 00074272 _____ () C:\Windows\system32\RtNicProp64.dll
2015-03-27 16:17 - 2015-03-27 16:17 - 00057560 _____ () C:\Users\Martin\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-27 16:17 - 2015-03-27 16:17 - 00000000 ____D () C:\Users\Martin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AMD VISION Engine Control Center
2015-03-27 16:17 - 2015-03-27 16:17 - 00000000 ____D () C:\Users\Martin\AppData\Local\AMD
2015-03-27 16:16 - 2015-03-27 16:16 - 00000000 ____D () C:\Users\Martin\AppData\Roaming\ATI
2015-03-27 16:16 - 2015-03-27 16:16 - 00000000 ____D () C:\Users\Martin\AppData\Local\ATI
2015-03-27 16:16 - 2015-03-27 16:16 - 00000000 ____D () C:\ProgramData\ATI
2015-03-27 16:16 - 2015-03-27 16:16 - 00000000 _____ () C:\Windows\ativpsrm.bin
2015-03-27 16:15 - 2015-03-27 16:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD VISION Engine Control Center
2015-03-27 16:15 - 2015-03-27 16:15 - 00000000 ____D () C:\Program Files (x86)\AMD APP
2015-03-27 16:14 - 2015-03-27 16:14 - 00000000 ____D () C:\ProgramData\AMD
2015-03-27 16:14 - 2015-03-27 16:14 - 00000000 ____D () C:\Program Files (x86)\ATI Technologies
2015-03-27 16:14 - 2011-07-28 21:41 - 00185088 _____ () C:\Windows\system32\atiapfxx.blb
2015-03-27 16:14 - 2011-07-28 21:36 - 00462848 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIDEMGX.dll
2015-03-27 16:14 - 2011-07-28 21:01 - 00058880 _____ (AMD) C:\Windows\system32\coinst.dll
2015-03-27 16:14 - 2011-07-26 02:41 - 00034823 _____ () C:\Windows\atiogl.xml
2015-03-27 16:14 - 2011-03-17 17:51 - 00003929 _____ () C:\Windows\SysWOW64\atipblag.dat
2015-03-27 16:14 - 2011-03-17 17:51 - 00003929 _____ () C:\Windows\system32\atipblag.dat
2015-03-27 16:14 - 2010-02-18 09:18 - 00046136 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amdiox64.sys
2015-03-27 16:10 - 2015-03-27 16:18 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-03-27 16:10 - 2015-03-27 16:18 - 00000000 ____D () C:\Program Files (x86)\Realtek
2015-03-27 16:10 - 2015-03-27 16:10 - 00000000 ___HD () C:\Program Files (x86)\Temp
2015-03-27 16:10 - 2015-03-27 16:10 - 00000000 ____D () C:\Windows\SysWOW64\RTCOM
2015-03-27 16:10 - 2015-03-27 16:10 - 00000000 ____D () C:\Program Files\Realtek
2015-03-27 16:10 - 2011-08-26 02:57 - 03064936 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RTKVHD64.sys
2015-03-27 16:10 - 2011-08-25 05:46 - 02518120 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtPgEx64.dll
2015-03-27 16:10 - 2011-08-24 07:11 - 01501696 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoRes64.dat
2015-03-27 16:10 - 2011-08-24 05:30 - 03201128 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkAPO64.dll
2015-03-27 16:10 - 2011-08-24 05:14 - 01698408 ____R (Realtek Semiconductor Corp.) C:\Windows\RtlExUpd.dll
2015-03-27 16:10 - 2011-08-23 09:00 - 00603984 _____ (Knowles Acoustics ) C:\Windows\system32\KAAPORT64.dll
2015-03-27 16:10 - 2011-08-23 04:06 - 00097896 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoInst64.dll
2015-03-27 16:10 - 2011-08-19 06:54 - 01881704 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkApi64.dll
2015-03-27 16:10 - 2011-08-05 17:29 - 00527872 _____ (DTS) C:\Windows\system32\DTSU2PLFX64.dll
2015-03-27 16:10 - 2011-08-05 17:29 - 00515584 _____ (DTS) C:\Windows\system32\DTSU2PGFX64.dll
2015-03-27 16:10 - 2011-08-05 17:29 - 00439808 _____ (DTS) C:\Windows\system32\DTSU2PREC64.dll
2015-03-27 16:10 - 2011-07-27 16:55 - 02604376 _____ (Waves Audio Ltd.) C:\Windows\system32\WavesGUILib.dll
2015-03-27 16:10 - 2011-07-27 16:55 - 02132824 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioEQ.dll
2015-03-27 16:10 - 2011-07-22 11:35 - 01247848 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTCOM64.dll
2015-03-27 16:10 - 2011-07-08 06:34 - 00065432 _____ (TOSHIBA CORPORATION.) C:\Windows\system32\tepeqapo64.dll
2015-03-27 16:10 - 2011-06-30 08:14 - 01560168 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTSnMg64.cpl
2015-03-27 16:10 - 2011-06-27 06:45 - 03768152 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioRealtek.dll
2015-03-27 16:10 - 2011-06-14 03:13 - 00177088 _____ (TOSHIBA Corporation) C:\Windows\system32\tadefxapo264.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 01756264 _____ (DTS) C:\Windows\system32\DTSS2SpeakerDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 01568360 _____ (DTS) C:\Windows\system32\DTSS2HeadphoneDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 01486952 _____ (DTS) C:\Windows\system32\DTSBoostDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00728680 _____ (DTS) C:\Windows\system32\DTSBassEnhancementDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00712296 _____ (DTS) C:\Windows\system32\DTSSymmetryDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00693352 _____ (DTS) C:\Windows\system32\DTSVoiceClarityDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00491112 _____ (DTS) C:\Windows\system32\DTSNeoPCDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00432744 _____ (DTS) C:\Windows\system32\DTSLimiterDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00428648 _____ (DTS) C:\Windows\system32\DTSGainCompensatorDLL64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00242792 _____ (DTS) C:\Windows\system32\DTSLFXAPO64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00242792 _____ (DTS) C:\Windows\system32\DTSGFXAPO64.dll
2015-03-27 16:10 - 2011-05-31 01:42 - 00241768 _____ (DTS) C:\Windows\system32\DTSGFXAPONS64.dll
2015-03-27 16:10 - 2011-05-05 07:24 - 02085440 _____ (Fortemedia Corporation) C:\Windows\system32\FMAPO64.dll
2015-03-27 16:10 - 2011-05-05 06:15 - 00220512 _____ (Synopsys, Inc.) C:\Windows\system32\SFNHK64.dll
2015-03-27 16:10 - 2011-05-05 06:14 - 00081248 _____ (Synopsys, Inc.) C:\Windows\system32\SFCOM64.dll
2015-03-27 16:10 - 2011-05-05 06:14 - 00078176 _____ (Synopsys, Inc.) C:\Windows\system32\SFAPO64.dll
2015-03-27 16:10 - 2011-05-02 06:27 - 03308376 _____ (Dolby Laboratories) C:\Windows\system32\R4EEP64A.dll
2015-03-27 16:10 - 2011-05-02 06:27 - 00426328 _____ (Dolby Laboratories) C:\Windows\system32\R4EED64A.dll
2015-03-27 16:10 - 2011-05-02 06:27 - 00136024 _____ (Dolby Laboratories) C:\Windows\system32\R4EEL64A.dll
2015-03-27 16:10 - 2011-05-02 06:27 - 00118104 _____ (Dolby Laboratories) C:\Windows\system32\R4EEA64A.dll
2015-03-27 16:10 - 2011-05-02 06:27 - 00074072 _____ (Dolby Laboratories) C:\Windows\system32\R4EEG64A.dll
2015-03-27 16:10 - 2011-03-17 04:17 - 01361336 _____ (TOSHIBA Corporation) C:\Windows\system32\tosade.dll
2015-03-27 16:10 - 2011-03-07 09:11 - 00148416 _____ (TOSHIBA Corporation) C:\Windows\system32\tadefxapo.dll
2015-03-27 16:10 - 2010-11-18 03:49 - 00121744 _____ (Sony Corporation) C:\Windows\system32\SFSS_APO.dll
2015-03-27 16:10 - 2010-11-07 23:31 - 00375128 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEEP64A.dll
2015-03-27 16:10 - 2010-11-07 23:31 - 00310104 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RP3DHT64.dll
2015-03-27 16:10 - 2010-11-07 23:31 - 00310104 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RP3DAA64.dll
2015-03-27 16:10 - 2010-11-07 23:31 - 00204120 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEED64A.dll
2015-03-27 16:10 - 2010-11-07 23:31 - 00101208 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEEL64A.dll
2015-03-27 16:10 - 2010-11-07 23:31 - 00078680 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEEG64A.dll
2015-03-27 16:10 - 2010-11-03 10:31 - 00332392 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtlCPAPI64.dll
2015-03-27 16:10 - 2010-11-03 10:30 - 00149608 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkCfg64.dll
2015-03-27 16:10 - 2010-10-03 05:46 - 00341336 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO30.dll
2015-03-27 16:10 - 2010-09-27 01:34 - 00318808 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO20.dll
2015-03-27 16:10 - 2010-07-22 08:48 - 00074064 _____ (Virage Logic Corporation / Sonic Focus) C:\Windows\SysWOW64\SFCOM.dll
2015-03-27 16:10 - 2010-07-22 08:37 - 00200800 _____ (Andrea Electronics Corporation) C:\Windows\system32\AERTAC64.dll
2015-03-27 16:10 - 2010-05-06 09:34 - 00334680 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxVolumeSDAPO.dll
2015-03-27 16:10 - 2009-11-24 01:55 - 00518896 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSTSX64.dll
2015-03-27 16:10 - 2009-11-24 01:55 - 00211184 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSTSH64.dll
2015-03-27 16:10 - 2009-11-24 01:55 - 00198896 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSHP64.dll
2015-03-27 16:10 - 2009-11-24 01:55 - 00155888 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSWOW64.dll
2015-03-27 16:10 - 2009-11-17 10:12 - 00108960 _____ (Andrea Electronics Corporation) C:\Windows\system32\AERTAR64.dll
2015-03-27 16:08 - 2015-03-27 16:08 - 00000316 _____ () C:\Windows\PFRO.log
2015-03-27 16:07 - 2015-03-27 16:15 - 00000000 ____D () C:\Program Files\ATI Technologies
2015-03-27 16:06 - 2015-03-27 16:06 - 00016896 _____ (ASUS) C:\Windows\AsTaskSched.dll
2015-03-27 16:06 - 2015-03-27 16:06 - 00000000 ____D () C:\Program Files\ATI
2015-03-27 16:06 - 2011-02-25 06:36 - 00295296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
2015-03-27 16:05 - 2015-03-27 17:04 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-27 16:05 - 2015-03-27 16:48 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-27 16:05 - 2015-03-27 16:47 - 00002255 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-27 16:05 - 2015-03-27 16:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-27 16:05 - 2015-03-27 16:43 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-03-27 16:05 - 2015-03-27 16:43 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-03-27 16:05 - 2015-03-27 16:20 - 00000000 ____D () C:\Users\Martin\AppData\Local\Google
2015-03-27 16:05 - 2015-03-27 16:05 - 00000000 ____D () C:\Program Files (x86)\Google
2015-03-27 16:04 - 2015-03-27 16:17 - 00026129 _____ () C:\Windows\Ascd_tmp.ini
2015-03-27 16:04 - 2015-03-27 16:17 - 00001769 _____ () C:\Windows\Language_trs.ini
2015-03-27 16:01 - 2015-03-27 16:01 - 00001409 _____ () C:\Users\Martin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-03-27 16:00 - 2015-03-27 16:01 - 00001443 _____ () C:\Users\Martin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-27 16:00 - 2015-03-27 16:00 - 00000020 ___SH () C:\Users\Martin\ntuser.ini
2015-03-27 16:00 - 2015-03-27 16:00 - 00000000 __SHD () C:\Recovery
2015-03-27 16:00 - 2015-03-27 16:00 - 00000000 ____D () C:\Users\Martin\AppData\Local\VirtualStore
2015-03-27 16:00 - 2015-03-27 16:00 - 00000000 ____D () C:\Users\Martin
2015-03-27 16:00 - 2009-07-14 04:54 - 00000000 ___RD () C:\Users\Martin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-27 16:00 - 2009-07-14 04:49 - 00000000 ___RD () C:\Users\Martin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-03-27 15:57 - 2015-03-27 17:07 - 00180309 _____ () C:\Windows\WindowsUpdate.log
2015-03-27 15:57 - 2015-03-27 15:57 - 00001345 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2015-03-27 15:57 - 2015-03-27 15:57 - 00001326 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2015-03-27 15:57 - 2015-03-27 15:57 - 00001313 _____ () C:\Windows\TSSysprep.log
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-27 23:54 - 2009-07-14 05:38 - 00025600 ___SH () C:\Windows\system32\config\BCD-Template.LOG
2015-03-27 23:54 - 2009-07-14 05:32 - 00028672 _____ () C:\Windows\system32\config\BCD-Template
2015-03-27 17:04 - 2009-07-14 05:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-27 17:04 - 2009-07-14 04:51 - 00016742 _____ () C:\Windows\setupact.log
2015-03-27 17:03 - 2009-07-14 04:45 - 00009584 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-27 17:03 - 2009-07-14 04:45 - 00009584 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-27 16:32 - 2009-07-14 05:13 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-27 16:19 - 2009-07-14 03:20 - 00000000 __RHD () C:\Users\Public\Libraries
2015-03-27 16:07 - 2009-07-14 03:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-03-27 16:05 - 2009-07-14 05:32 - 00000000 ____D () C:\Windows\system32\restore
2015-03-27 16:00 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\rescache
2015-03-27 15:59 - 2009-07-14 04:45 - 00274320 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-27 15:57 - 2009-07-14 05:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-03-27 15:57 - 2009-07-14 04:46 - 00001774 _____ () C:\Windows\DtcInstall.log
2015-03-27 15:57 - 2009-07-14 03:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-27 15:57 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\system32\sysprep
2015-03-27 15:55 - 2009-07-14 07:46 - 00000000 ____D () C:\Windows\CSC
 
Some content of TEMP:
====================
C:\Users\Martin\AppData\Local\Temp\Quarantine.exe
C:\Users\Martin\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-27 15:55
 
==================== End Of Log ============================
 
Addition log:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by Martin at 2015-03-27 17:08:01
Running from C:\Users\Martin\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AMD Catalyst Install Manager (HKLM\...\{EEB732AC-544D-09BD-7BEF-56ED6D198AB2}) (Version: 3.0.838.0 - Advanced Micro Devices, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.101 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.57 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.7.205.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6446 - Realtek Semiconductor Corp.)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
27-03-2015 16:05:50 Windows Update
27-03-2015 16:17:57 Installed Realtek Ethernet Controller Driver
27-03-2015 16:19:54 Windows Update
27-03-2015 16:23:21 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 02:34 - 2009-06-10 21:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {351C0DF1-E730-43ED-ABCF-F460BCB308BF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-27] (Google Inc.)
Task: {F48E9F59-C0A4-4912-8B4E-4534F4A3C389} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-27] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2011-07-28 17:44 - 2011-07-28 17:44 - 00103424 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2011-07-28 17:55 - 2011-07-28 17:55 - 00369152 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-898660696-3059355129-3519592955-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Martin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 91.194.254.105 - 8.8.8.8
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-898660696-3059355129-3519592955-500 - Administrator - Disabled)
Guest (S-1-5-21-898660696-3059355129-3519592955-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-898660696-3059355129-3519592955-1003 - Limited - Enabled)
Martin (S-1-5-21-898660696-3059355129-3519592955-1000 - Administrator - Enabled) => C:\Users\Martin
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
Error: (03/27/2015 05:03:41 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (03/27/2015 04:24:08 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
 
Microsoft Office Sessions:
=========================
 
==================== Memory info =========================== 
 
Processor: AMD A8-3870 APU with Radeon™ HD Graphics
Percentage of memory in use: 17%
Total physical RAM: 7659.49 MB
Available physical RAM: 6343.77 MB
Total Pagefile: 15317.13 MB
Available Pagefile: 13809.62 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:148.95 GB) (Free:126.2 GB) NTFS
Drive d: (MB Support CD) (CDROM) (Total:2.92 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 5BC13CE2)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
I have reset the router as advised by someone else and reformatted the C: drive with the router unplugged while resetting. This seems to have helped. Can you see if anything remains? I was having problems with my mobile as well. Is it safe to use that?


#4 dragoon2015
  • Topic Starter
  • Members
  • 28 posts

Posted 27 March 2015 - 01:10 PM

I have just installed and run Malwarebytes and the DNS changer is still there.



#5 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 March 2015 - 01:19 PM

i was having problems with my mobile as well. is it safe to use that?


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Plugin: (Chrome NaCl) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\gears.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

can you see if anything remains? i was having problems with my mobile as well. is it safe to use that?

This fix is just a cleanup of the empty registry entries.

It might be infected. No way for me to find out what type of infection you had.

If your computer gets infected, then restore the computer to a date prior to this date.

#6 dragoon2015
  • Topic Starter
  • Members
  • 28 posts

Posted 27 March 2015 - 04:05 PM

Fixlog as requested:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Martin at 2015-03-27 21:01:28 Run:1
Running from C:\Users\Martin\Downloads
Loaded Profiles: Martin (Available profiles: Martin)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Plugin: (Chrome NaCl) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\gears.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
 
End
*****************
 
Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\gears.dll not found.
C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll not found.
 
 
The system needed a reboot. 
 
==== End of Fixlog 21:01:29 ====


#7 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 March 2015 - 07:26 AM

How is the computer running now?

#8 dragoon2015
  • Topic Starter
  • Members
  • 28 posts

Posted 28 March 2015 - 02:31 PM

Malwarebytes still detects the DNS changer, but I'm back in control of my web browser and internet access, so am happy to continue as is.

 

Many thanks.



#9 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 March 2015 - 07:37 AM


Let me check further.

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

#10 dragoon2015
  • Topic Starter
  • Members
  • 28 posts

Posted 30 March 2015 - 01:00 PM

RogueKiller V10.5.8.0 [Mar 30 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Martin [Administrator]
Started from : C:\Users\Martin\Downloads\RogueKiller.exe
Mode : Delete -- Date : 03/30/2015  18:59:57
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 64ae21d2d6d4eef03c6e1a4e5608e1fa
[BSP] 13a3235adbc2f8a8ecf65a3f199ee9b7 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_03302015_185848.log


#11 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 March 2015 - 07:26 AM

Please run the RogueKiller tool and fix these.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)] -> Not selected
[PUM.DesktopIcons] (X64)


How is the computer running now?
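A note on what the RogueKiller lines above are telling you. The rogue resolver is recorded under the DhcpNameServer value, which is where Windows stores the resolvers it received from DHCP; a statically configured (or locally tampered) resolver would appear under NameServer instead. A DHCP-supplied address that comes back after a full wipe of C: is being handed out by whatever answers DHCP on the LAN, normally the router, which fits the poster's report that the phone on the same network was affected and that resetting the router helped. The Python script below is an added example and not code from this thread, from FRST or from RogueKiller: it parses the FRST "DNS Servers:" line and RogueKiller "[PUM.Dns]" lines out of a saved report, classifies each resolver as private, known-public (an assumed allowlist you should adjust) or unexpected, and records whether it arrived via DHCP or static configuration. The embedded sample report reuses three lines from the logs posted in this thread plus one constructed NameServer line to show the static case.

```python
"""Classify the DNS resolvers reported in FRST / RogueKiller log lines.

Added example for this thread; not code from FRST, RogueKiller or the poster.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed allowlist of public resolvers a home router may legitimately hand
# out over DHCP. Adjust for the environment (ISP or corporate resolvers).
KNOWN_PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "1.1.1.1", "1.0.0.1",                # Cloudflare
    "9.9.9.9", "149.112.112.112",        # Quad9
    "208.67.222.222", "208.67.220.220",  # OpenDNS
}

# RogueKiller line: [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\...\Parameters | DhcpNameServer : a.b.c.d e.f.g.h [...]
ROGUEKILLER_DNS_RE = re.compile(
    r"\[PUM\.Dns\]\s+\((?:X64|X86)\)\s+(?P<key>HKEY_LOCAL_MACHINE\\\S+)\s+\|\s+"
    r"(?P<value>\w+)\s+:\s+(?P<servers>[0-9.\s]+?)\s+\["
)
# FRST "Other Areas" line: DNS Servers: a.b.c.d - e.f.g.h
FRST_DNS_RE = re.compile(r"^DNS Servers:\s*(?P<servers>.+)$")


@dataclass(frozen=True)
class DnsFinding:
    source: str       # "frst" or "roguekiller"
    key: str          # registry key (RogueKiller lines only)
    value_name: str   # DhcpNameServer / NameServer (RogueKiller lines only)
    server: str
    origin: str       # "dhcp", "static" or "unknown"
    verdict: str      # "private", "known-public" or "unexpected"


def classify_server(ip_text):
    """Private/link-local, known public resolver, or something to investigate."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "private"
    if ip_text in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unexpected"


def origin_of(value_name):
    """Windows keeps DHCP-supplied resolvers in DhcpNameServer and statically
    configured ones in NameServer; the value name says where to look next."""
    if value_name == "DhcpNameServer":
        return "dhcp"
    if value_name == "NameServer":
        return "static"
    return "unknown"


def parse_dns_findings(report_text):
    """Extract one DnsFinding per resolver address from FRST / RogueKiller lines."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = ROGUEKILLER_DNS_RE.search(line)
        if m:
            origin = origin_of(m.group("value"))
            for server in m.group("servers").split():
                findings.append(DnsFinding("roguekiller", m.group("key"),
                                           m.group("value"), server, origin,
                                           classify_server(server)))
            continue
        m = FRST_DNS_RE.match(line)
        if m:
            for server in m.group("servers").split(" - "):
                findings.append(DnsFinding("frst", "", "", server.strip(), "unknown",
                                           classify_server(server.strip())))
    return findings


def summarize(findings):
    """Unique unexpected resolvers, and whether any of them arrived via DHCP."""
    unexpected = sorted({f.server for f in findings if f.verdict == "unexpected"})
    via_dhcp = any(f.verdict == "unexpected" and f.origin == "dhcp" for f in findings)
    return {"unexpected": unexpected, "dhcp_supplied_unexpected": via_dhcp}


# Sample input: three lines copied from the FRST and RogueKiller reports posted
# in this thread, plus one constructed NameServer line (not from the reports)
# to show the static-configuration case.
SAMPLE_REPORT = r"""
DNS Servers: 91.194.254.105 - 8.8.8.8
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{339FEEB5-AF63-427F-8D84-04BF469E2A19} | DhcpNameServer : 91.194.254.105 8.8.8.8 [(Unknown Country?) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | NameServer : 192.168.1.1 [(constructed line)]  -> Not selected
"""

if __name__ == "__main__":
    found = parse_dns_findings(SAMPLE_REPORT)
    for f in found:
        print(f"{f.source:11} {f.value_name or '-':15} {f.server:16} {f.origin:8} {f.verdict}")
    print(summarize(found))
```

If summarize() reports an unexpected resolver with dhcp_supplied_unexpected set, cleaning the host alone will not hold: check the DHCP server (router admin page, DNS settings and firmware) before declaring the machine clean, and treat every other device that took a lease from that router as exposed.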

#12 dragoon2015
  • Topic Starter
  • Members
  • 28 posts

Posted 31 March 2015 - 08:20 AM

All is clean. All is good.

 

Many, many thanks for all your time and effort.



#13 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 March 2015 - 08:42 AM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#14 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 April 2015 - 07:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#15 nasdaq
  • Malware Response Team
  • 38,264 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 April 2015 - 01:29 PM

This topic has been re-opened at the request of the person who originally posted.



