
[Resolved] Please Help me get rid of this annoying Trojan


  • This topic is locked
129 replies to this topic

#1 Goonsac

  • Authentic Member
  • 68 posts

Posted 07 November 2008 - 12:17 PM

Currently running a clean install of Windows XP Pro SP3, hoping to get rid of this Trojan.DNSChanger, but I guess I was wrong. For antivirus I have AVG Free; I'm also using Ad-Aware, Malwarebytes' Anti-Malware, and VundoFix, and I have my HijackThis log file, which I will post below. Someone please help me remove this virus; it's been going on for 6 days now with no help from other forums. Thanks in advance. Also, I'd like to add that AVG doesn't find the virus; it seems only Malwarebytes finds 4-6 reg. entries and Ad-Aware finds 2-4 entries. I currently only use Firefox and never IE. It's gotten to the point where I cannot update any of my spyware/antivirus programs via the update or by downloading the newest updates from the software's websites.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:54 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AltBinz\altbinz.exe
C:\Program Files\TVersity\Media Server\web\admin\TVersity.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\mkv2vob\mkv2vob.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\mkv2vob\tools\mkvextract.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4865 bytes

Edited by Goonsac, 08 November 2008 - 01:18 AM.



#2 LDTate

  • Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 08 November 2008 - 04:57 AM

Hello and Welcome to the forum.

DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.



Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.



Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Goonsac

  • Authentic Member
  • 68 posts

Posted 08 November 2008 - 12:55 PM

OK, thanks for the reply, but right off the bat: I'm running ComboFix, and when it tries to connect to the internet to download the Recovery Console it pops up with "You do not appear to be connect to the internet. Kindly connect before clicking 'OK". Now whatever is on my system is really blocking me from any form of removal of it. What should I do now that I'm stuck at this point? I do in fact have use of my internet, but certain programs say that it's not connected. Also, could you tell me the best way to disable AVG Free 2008? Normally I'd find the disable button, but that's not the case with AVG Free, so I had to go into the Task Manager and END PROCESS everything that dealt with AVG. If there's another way to do it, please let me know.

Edited by Goonsac, 08 November 2008 - 01:01 PM.


#4 Goonsac

  • Authentic Member
  • 68 posts

Posted 08 November 2008 - 02:42 PM

I was able to install the Recovery Console via my Windows disk and ran ComboFix. After ComboFix was run the computer took about 10 min to restart, then booted up like normal, but is now saying that my Windows Firewall has been turned off. Should I turn this back on? After running the programs and restarting Windows I loaded up Firefox and proceeded to surf the web, and after 2 refreshes the popups started up again as they were before. Here are the logs you requested as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:13 PM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4773 bytes

ComboFix 08-11-07.01 - Goonsac 2008-11-08 14:15:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527 [GMT -6:00]
Running from: c:\documents and settings\Goonsac\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-08 12:50 . 2008-11-08 14:15 4,958,588 --a------ c:\windows\{00000004-00000000-00000003-00001102-00000004-20021102}.BAK
2008-11-07 12:12 . 2008-11-07 12:12 <DIR> d-------- c:\program files\Trend Micro
2008-11-06 18:51 . 2008-11-06 18:51 <DIR> d-------- c:\program files\Lavasoft
2008-11-06 18:51 . 2008-11-06 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-06 18:06 . 2008-11-06 18:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-06 18:06 . 2008-11-06 18:06 <DIR> d-------- c:\documents and settings\Goonsac\Application Data\Malwarebytes
2008-11-06 18:06 . 2008-11-06 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-06 18:06 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-06 18:06 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-06 18:02 . 2008-11-06 18:02 <DIR> d-------- c:\documents and settings\Administrator
2008-11-06 17:56 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-06 17:56 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-06 17:56 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-06 17:56 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-06 17:55 . 2008-11-06 17:55 <DIR> d-------- C:\VundoFix Backups
2008-11-06 17:48 . 2008-11-06 17:48 <DIR> d-------- c:\documents and settings\Goonsac\Application Data\Acreon
2008-11-04 23:17 . 2008-11-04 23:17 <DIR> d-------- c:\program files\mkv2vob
2008-11-04 23:12 . 2008-11-04 23:12 <DIR> d-------- c:\program files\QuickPar
2008-11-04 22:58 . 2008-11-04 22:58 <DIR> d-------- c:\documents and settings\Goonsac\Application Data\Logitech
2008-11-04 22:58 . 2008-11-04 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2008-11-04 22:57 . 2008-11-04 22:57 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-11-04 22:56 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-11-04 22:56 . 2008-05-02 02:39 170,512 --a------ c:\windows\system32\kemutb.dll
2008-11-04 22:56 . 2008-05-02 02:39 145,936 --a------ c:\windows\system32\KemUtil.dll
2008-11-04 22:56 . 2008-05-02 02:40 117,264 --a------ c:\windows\system32\KemWnd.dll
2008-11-04 22:56 . 2008-05-02 02:40 84,496 --a------ c:\windows\system32\KemXML.dll
2008-11-04 22:56 . 2006-10-08 21:51 23,856 --a------ c:\windows\system32\spupdsvc.exe
2008-11-04 22:56 . 2008-11-04 22:56 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-04 22:56 . 2008-11-04 22:56 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-11-04 22:55 . 2008-11-04 22:56 <DIR> d-------- c:\program files\Common Files\Logishrd
2008-11-04 22:00 . 2008-11-04 23:03 <DIR> d-------- c:\documents and settings\Goonsac\Application Data\vlc
2008-11-04 21:26 . 2008-11-04 21:26 <DIR> d-------- c:\windows\Sun
2008-11-04 21:26 . 2008-11-04 23:03 <DIR> d-------- c:\documents and settings\Goonsac\.housecall6.6
2008-11-04 20:58 . 2008-11-04 20:58 <DIR> d-------- c:\program files\Java
2008-11-04 20:58 . 2008-11-04 20:58 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-04 20:58 . 2008-11-04 20:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-04 20:46 . 2008-11-04 20:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-04 20:34 . 2008-11-08 08:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\AVG
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-04 20:34 . 2008-11-04 20:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-04 20:34 . 2008-11-04 20:34 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-04 20:34 . 2008-11-04 20:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-04 20:27 . 2008-11-04 20:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-04 20:22 . 2008-11-04 20:22 <DIR> d-------- c:\program files\VideoLAN
2008-11-04 20:21 . 2008-11-04 20:21 <DIR> d-------- c:\windows\nview
2008-11-04 20:21 . 2008-10-23 07:42 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-11-04 20:21 . 2008-11-08 14:07 203,127 --a------ c:\windows\system32\nvapps.xml
2008-11-04 20:21 . 2008-10-23 07:42 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-11-04 20:20 . 2008-10-22 16:55 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-04 20:17 . 2008-11-04 20:17 <DIR> d-------- c:\program files\CCleaner
2008-11-04 20:06 . 2008-11-04 20:06 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2008-11-04 19:39 . 2008-11-04 20:28 8 --a------ c:\windows\system32\nvModes.dat
2008-11-04 19:18 . 2008-11-04 19:18 <DIR> d-------- c:\program files\Ventrilo
2008-11-04 19:18 . 2008-11-04 20:40 <DIR> d-------- c:\documents and settings\Goonsac\Application Data\Ventrilo
2008-11-04 19:06 . 2008-11-04 19:06 <DIR> d-------- c:\program files\ffdshow
2008-11-04 19:06 . 2006-12-10 23:32 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-11-04 19:06 . 2006-12-10 23:32 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-11-04 19:06 . 2008-06-08 23:58 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-11-04 19:06 . 2008-06-12 20:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-04 19:06 . 2007-07-10 18:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-04 19:02 . 2008-11-04 19:02 <DIR> d-------- c:\program files\TVersity
2008-11-04 18:33 . 2008-11-04 19:09 <DIR> d-------- c:\program files\AltBinz
2008-11-04 18:31 . 2008-11-08 13:28 31,056 --a------ c:\windows\system32\BMXStateBkp-{00000004-00000000-00000003-00001102-00000004-20021102}.rfx
2008-11-04 18:31 . 2008-11-08 13:28 31,056 --a------ c:\windows\system32\BMXState-{00000004-00000000-00000003-00001102-00000004-20021102}.rfx
2008-11-04 18:31 . 2008-11-08 13:28 30,528 --a------ c:\windows\system32\BMXCtrlState-{00000004-00000000-00000003-00001102-00000004-20021102}.rfx
2008-11-04 18:31 . 2008-11-08 13:28 30,528 --a------ c:\windows\system32\BMXBkpCtrlState-{00000004-00000000-00000003-00001102-00000004-20021102}.rfx
2008-11-04 18:31 . 2008-11-08 13:28 11,564 --a------ c:\windows\system32\DVCState-{00000004-00000000-00000003-00001102-00000004-20021102}.rfx
2008-11-04 18:31 . 2008-04-14 00:15 10,624 --a------ c:\windows\system32\drivers\gameenum.sys
2008-11-04 18:31 . 2008-04-14 00:15 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
2008-11-04 18:28 . 2008-11-04 18:28 <DIR> d-------- c:\documents and settings\Goonsac\Application Data\Creative
2008-11-04 18:27 . 2008-11-04 18:28 <DIR> d-------- c:\windows\system32\Data
2008-11-04 18:27 . 2008-11-04 22:55 <DIR> d-------- c:\program files\Logitech
2008-11-04 18:27 . 2008-11-04 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-11-04 18:27 . 2008-04-14 00:49 146,048 --a------ c:\windows\system32\drivers\portcls.sys
2008-11-04 18:27 . 2008-04-14 00:49 146,048 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-11-04 18:27 . 2008-04-14 05:42 129,536 --a------ c:\windows\system32\ksproxy.ax
2008-11-04 18:27 . 2008-04-14 05:42 129,536 --a--c--- c:\windows\system32\dllcache\ksproxy.ax
2008-11-04 18:27 . 2008-04-14 00:15 60,160 --a------ c:\windows\system32\drivers\drmk.sys
2008-11-04 18:27 . 2008-04-14 00:15 60,160 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-11-04 18:27 . 2008-04-14 05:41 4,096 --a------ c:\windows\system32\ksuser.dll
2008-11-04 18:27 . 2008-04-14 05:41 4,096 --a--c--- c:\windows\system32\dllcache\ksuser.dll
2008-11-04 18:24 . 2008-11-04 18:24 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-04 18:24 . 2008-11-06 18:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-04 18:24 . 2008-11-04 20:21 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-04 18:24 . 2008-11-04 18:24 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 04:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-05 00:28 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-11-05 00:28 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-11-04 23:48 --------- d-----w c:\program files\Kaspersky Lab
2008-11-04 23:47 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-04 23:43 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-04 23:39 --------- d-----w c:\program files\Realtek
2008-11-04 23:39 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-04 23:39 --------- d-----w c:\documents and settings\Goonsac\Application Data\InstallShield
2008-11-04 23:38 --------- d-----w c:\program files\Intel
2008-11-04 23:28 --------- d-----w c:\program files\microsoft frontpage
2008-10-13 15:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 15:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 15:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 15:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 15:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-23 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-23 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-04 1234712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-04 136600]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
"nwiz"="nwiz.exe" [2008-10-23 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-04 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-04 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-04 76040]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-11-04 152984]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-04 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-04 231704]
S3 ALLOW-IO;ALLOW-IO;E:\ALLOW-IO.sys [ ]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{826314a9-aa8d-11dd-bc81-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe root.ini
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Goonsac\Application Data\Mozilla\Firefox\Profiles\79yidtkl.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 14:16:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-08 14:17:15
ComboFix-quarantined-files.txt 2008-11-08 20:17:13

Pre-Run: 145,162,858,496 bytes free
Post-Run: 145,259,831,296 bytes free

192

Edited by Goonsac, 08 November 2008 - 03:20 PM.


#5 LDTate

  • Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 08 November 2008 - 05:04 PM

"2 refreshes the popups started up again as they were before."

What type of popups are you having? Popups only when you are surfing? I'm not seeing anything bad in the combofix scan.



#6 Goonsac

  • Authentic Member
  • 68 posts

Posted 08 November 2008 - 05:21 PM

Yes, popups when I'm surfing. I never had this problem before; this all started happening after I brought my sister's computer to the house and put it on our network. Whatever was on her computer infected the other 3 computers in the house, but it seems mine was the only one that was infected badly, as I keep finding 6 different Trojan.DNSChanger files when I run Malwarebytes. These popups are happening on sites that I regularly view and have never had popups from. I've tried some of these websites on other computers and had my friends try them as well, and they had no problems.

#7 LDTate


Posted 08 November 2008 - 05:25 PM

Can you post the scan results from the malwarebytes scan?


 


#8 Goonsac


Posted 08 November 2008 - 05:31 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/8/2008 5:29:46 PM
mbam-log-2008-11-08 (17-29-42).txt

Scan type: Quick Scan
Objects scanned: 42349
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{46b71314-81c9-4d7a-b58e-04244044e15e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{46b71314-81c9-4d7a-b58e-04244044e15e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{46b71314-81c9-4d7a-b58e-04244044e15e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 LDTate


Posted 08 November 2008 - 05:33 PM

"No action taken."

Are you selecting to fix those?

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.


 


#10 Goonsac


Posted 08 November 2008 - 05:35 PM

Yeah, I have fixed them 20 different times; they always come back. I fixed, then restarted my PC.



#11 LDTate


Posted 08 November 2008 - 05:36 PM

Click Start > Run > type in CMD, then tap the Enter key
Copy/Paste: ipconfig /flushdns
If you are typing this in, note the space between the g /f
It needs to be there.


Now let's check some settings on your system.
Enter your Control Panel and double-click on Network Connections

Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Note: Do this for all Network Connections
Press OK twice to get out of the properties screen and reboot if it asks


 


#12 Goonsac


Posted 08 November 2008 - 05:45 PM

OK, finished the flushdns and checked the properties, and it was already set to Obtain DNS Servers Auto. It didn't ask for a computer restart, but I did one anyway.

#13 LDTate


Posted 08 November 2008 - 05:46 PM

Good. Run the MBAM scan again.


 


#14 Goonsac


Posted 08 November 2008 - 06:04 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/8/2008 6:00:29 PM
mbam-log-2008-11-08 (18-00-29).txt

Scan type: Quick Scan
Objects scanned: 41921
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{46b71314-81c9-4d7a-b58e-04244044e15e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{46b71314-81c9-4d7a-b58e-04244044e15e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
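Added example, not part of the original thread or any poster's instructions: a read-only PowerShell audit of the resolver values that the scan logs above flag, across every control set. `DhcpNameServer` holds the DNS servers received in the DHCP lease, `NameServer` holds statically configured ones, and `DhcpServer` records which DHCP server issued the lease; the `$expected` list is a constructed placeholder for the resolvers you expect on your own network.

```powershell
# Added example: list every DNS resolver setting under Tcpip\Parameters.
# Read-only; run from an elevated PowerShell prompt.

# ASSUMPTION: constructed sample value, replace with your own trusted resolvers.
$expected = @('192.168.1.1')

# CurrentControlSet plus the numbered ControlSet00N copies that appear in the log.
$sets = @('CurrentControlSet') +
        (Get-ChildItem 'HKLM:\SYSTEM' |
            Where-Object PSChildName -match '^ControlSet\d{3}$' |
            ForEach-Object PSChildName)

$report = foreach ($set in $sets) {
    $base = "HKLM:\SYSTEM\$set\Services\Tcpip\Parameters"
    $keys = @($base)                       # global key
    if (Test-Path "$base\Interfaces") {    # one subkey per network adapter
        $keys += Get-ChildItem "$base\Interfaces" | ForEach-Object { $_.PSPath }
    }
    foreach ($key in $keys) {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = $p.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # NameServer is comma-separated, DhcpNameServer space-separated.
            $servers = $value -split '[ ,]+' | Where-Object { $_ }
            [pscustomobject]@{
                ControlSet = $set
                Key        = ($key -replace '^.*\\Services\\Tcpip\\', '')
                Value      = $name          # static vs. lease-supplied
                Servers    = $servers -join ' '
                DhcpServer = $p.DhcpServer  # who issued the lease (per adapter)
                Unexpected = [bool]($servers | Where-Object { $_ -notin $expected })
            }
        }
    }
}

$report | Sort-Object ControlSet, Key | Format-Table -AutoSize
```

An `Unexpected` row on a `DhcpNameServer` value was written from the DHCP lease, so the `DhcpServer` column shows which device on the network supplied it.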

#15 LDTate


Posted 08 November 2008 - 06:13 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.exe
Double Click SmitfraudFix.exe on your Desktop. A folder named SmitfraudFix will be created on your Desktop.

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named:
c:\rapport.txt


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt


 
