
I've got a trojan dnschanger - does it show here?


Old 10-01-07, 06:43 PM
  #1  
DVD Talk Special Edition
Thread Starter
 

I did some cleaning but have a trojan dnschanger someplace and can't seem to get rid of it without buying Webroot. Does it show up here? Thanks


Logfile of HijackThis v1.99.0
Scan saved at 6:40:03 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\UserName\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\UserName\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099678867375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186098370375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Old 10-01-07, 07:05 PM
  #2  
DVD Talk Hall of Fame
 
Not sure where you went for the cleaning instructions, but good instructions here:

http://forums.majorgeeks.com/showthread.php?p=909996

If worse comes to worse you can always post your log in that thread; that guy seems to know this virus very well.
Old 10-01-07, 09:02 PM
  #3  
DVD Talk Special Edition
Thread Starter
 
The log you see is after an earlier cleaning for a Logitech problem.

I'll check the reference site, thanks
Old 10-03-07, 11:28 PM
  #4  
DVD Talk Special Edition
Thread Starter
 
That site seems a bit convoluted. I tried some of their downloads and recommendations and they do not seem to help. Still have the DNS changer.

I did run a Kaspersky scan and here is what it found:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 03, 2007 10:24:02 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 426926
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 101139
Number of viruses found: 4
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:54:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\cert8.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\history.dat Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\key3.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\parent.lock Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\search.sqlite Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\cert8.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\history.dat Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\key3.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\parent.lock Object is locked skipped
C:\Documents and Settings\User Name\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temp\~DF27CE.tmp Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temp\~DF27DB.tmp Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User Name\ntuser.dat Object is locked skipped
C:\Documents and Settings\User Name\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Netscape\Communicator\Program\Plugins\NPMySrch.dll Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\smswDEMO\SyrasoftTS.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\smswDEMO\SyrasoftTS.exe 7-Zip: infected - 1 skipped
C:\smswDEMO\SyrasoftTS.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1364\A0130292.dll Infected: not-a-virus:AdWare.Win32.Coupons.a skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1369\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{17EE54E1-2001-4383-BACF-F692AB243A97}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Last edited by kayak99; 10-03-07 at 11:31 PM.
