Recurring 'DNSCharger' Trojan found on computer

View previous topic View next topic Go down

Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 20th December 2009, 10:06 pm

Hello, on my computer, I have both MBAM and McAfee to help search for any viruses or anything of that sort. I usually prefer MBAM because it is more efficient to me, but recently, it seems to lack a bit.

My McAfee, at least three to five times a day, reports having found and deleted a Trojan under the name 'DNSCharger.as' file name " C:\WINDOWS\SYSTEM32\tdlcmd.dll ', in the Process :" C:\WINDOWS\system32\svchost.exe " .

This is not the first time a trojan has been located in the same file, my MBAM Full Scan used to find a trojan in the very same place, and I suspect that this is the same trojan that my MCAfee program finds. However, recently, the full MBAM scans do not catch this virus anymore. I constantly update MBAM, but now I must rely on MCAfee to remove this virus for me.

Could you help me stop getting this virus completely? It's stressing to me thinking that I have a virus roaming in my computer every time I start it. If it's able to re-download itself on my computer, nȯne of my two programs can seem to find it.

Also, I am not sure if this is a related case, but whenever I start my computer, a "Windows Installer" begins and loads itself, asking for a CD to complete it's installation. I have to open the Task Manager if I want to properly stop it until I reboot my computer. I have tried to stop it, but it was in vain, I am not sure if this is a virus or not, so I am quite afraid of this as well.

Thank you for the time and patience you have spent.
Happy Holidays!

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 20th December 2009, 10:12 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 20th December 2009, 10:15 pm

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit quick scan 2009-12-20 17:14:47
Windows 5.1.2600 Service Pack 3
Running: mzelisz9.exe; Driver: C:\DOCUME~1\Amanda\LOCALS~1\Temp\kxloapog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED8D778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xED8D7821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED8D7738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED8D774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED8D7835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED8D7861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED8D78CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED8D78B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED8D77CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED8D78FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED8D780D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED8D7710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED8D7724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED8D779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED8D7937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED8D78A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED8D788D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED8D784B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xED8D7923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xED8D790F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED8D7776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED8D7762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xED8D7877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED8D77F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED8D78E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED8D77E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED8D77B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 20th December 2009, 10:45 pm

Hmm, weird.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 20th December 2009, 10:47 pm

Hello, I was full scanning with the program GMER, when suddenly my Computer screen turned blue and I was forced to restart.

I tried to go on Safe Mode, but my computer did not allow me for 'safety' reasons. I tried 2-3 times, but I could not go to safe Mode.

So, just now, I tried again to re-scan with GMER, and I have the blue screen harassing me.

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 20th December 2009, 10:49 pm

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:49:40 PM, on 20/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 os-secure2009.com
O1 - Hosts: 91.212.127.226 [You must be registered and logged in to see this link.]
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [You must be registered and logged in to see this link.]
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8715 bytes

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 20th December 2009, 10:59 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.226 os-secure2009.com
    O1 - Hosts: 91.212.127.226 [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

Can you please post me the MBAM log?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 20th December 2009, 11:05 pm

Well, today I didn't do a MBAM scan, would you like me to do one right now?
It might take up to 5-8 hours if I close everything.

If it's ok with you, can I send you a log from a Full Scan that I did 2 days ago? (18 december 2009)

Or would you prefer to wait for the latest scan?

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 20th December 2009, 11:06 pm

Full scan isn't anymore efficient than quick scan. Full scan just finds things that are something harmless (quarantined items, restore points, etc)

But yes, post me the Dec 18 log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 20th December 2009, 11:07 pm

If you would like a Quick Scan, I can give you yesterdays;

Malwarebytes' Anti-Malware 1.42
Database version: 3395
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

19/12/2009 11:44:30 PM
mbam-log-2009-12-19 (23-44-30).txt

Scan type: Quick Scan
Objects scanned: 156614
Time elapsed: 1 hour(s), 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 20th December 2009, 11:11 pm

I think we may need to go a little deeper, although I wonder, usually GMER would detect something like that because it's a stealth object.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 21st December 2009, 12:15 am

ComboFix 09-12-19.04 - Amanda 20/12/2009 18:32:08.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.128 [GMT -5:00]
Running from: c:\documents and settings\Amanda\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amanda\Local Settings\Application Data\{1C1E5F31-76F3-4044-8900-19DDC507C919}
c:\documents and settings\Amanda\Local Settings\Application Data\{1C1E5F31-76F3-4044-8900-19DDC507C919}\chrome.manifest
c:\documents and settings\Amanda\Local Settings\Application Data\{1C1E5F31-76F3-4044-8900-19DDC507C919}\chrome\content\_cfg.js
c:\documents and settings\Amanda\Local Settings\Application Data\{1C1E5F31-76F3-4044-8900-19DDC507C919}\chrome\content\overlay.xul
c:\documents and settings\Amanda\Local Settings\Application Data\{1C1E5F31-76F3-4044-8900-19DDC507C919}\install.rdf
C:\LOG.TXT
c:\windows\EventSystem.log
c:\windows\run.log
c:\windows\system32\18467.exe
c:\windows\system32\22vvanp9.dat
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 22:48 . 2009-12-20 22:48 388096 ----a-r- c:\documents and settings\Amanda\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-20 22:48 . 2009-12-20 22:48 -------- d-----w- c:\program files\TrendMicro
2009-12-11 04:48 . 2007-02-17 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-03 23:50 . 2009-10-28 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 23:47 . 2009-12-03 23:47 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-10-28 02:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-10-28 02:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 18:59 . 2009-10-23 05:48 120 ----a-w- c:\windows\Glisakamodeta.dat
2009-12-01 05:10 . 2009-10-23 05:48 0 ----a-w- c:\windows\Hfenewugonajero.bin
2009-11-21 06:24 . 2006-07-14 19:18 -------- d-----w- c:\documents and settings\Amanda\Application Data\U3
2009-11-19 13:30 . 2008-03-16 12:59 -------- d-----w- c:\program files\McAfee
2009-11-05 02:35 . 2005-02-28 21:38 82592 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-04 08:18 . 2008-09-08 23:04 -------- d-----w- c:\program files\Microsoft Works
2009-10-31 02:19 . 2009-10-31 02:19 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-10-30 10:55 . 2009-10-27 22:46 -------- d-----w- c:\program files\vfixtm
2009-10-29 07:46 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2009-11-30 05:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 04:37 . 2009-10-18 20:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 02:34 . 2009-10-28 02:34 -------- d-----w- c:\documents and settings\Amanda\Application Data\Malwarebytes
2009-10-28 02:12 . 2009-10-28 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 02:58 . 2007-09-04 00:25 129862 ----a-w- c:\windows\hpoins13.dat
2009-10-24 16:58 . 2009-10-23 05:44 -------- d-----w- c:\program files\lpuqqi
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2005-2-21 156784]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8616:TCP"= 8616:TCP:PORT_8616
"37737:TCP"= 37737:TCP:PORT_37737
"11048:TCP"= 11048:TCP:PORT_11048
"11426:TCP"= 11426:TCP:PORT_11426
"12726:TCP"= 12726:TCP:PORT_12726
"49335:TCP"= 49335:TCP:PORT_49335
"24719:TCP"= 24719:TCP:PORT_24719
"52391:TCP"= 52391:TCP:PORT_52391
"22843:TCP"= 22843:TCP:PORT_22843
"35391:TCP"= 35391:TCP:PORT_35391
"7440:TCP"= 7440:TCP:PORT_7440
"34165:TCP"= 34165:TCP:PORT_34165
"29940:TCP"= 29940:TCP:PORT_29940
"47946:TCP"= 47946:TCP:PORT_47946
"56326:TCP"= 56326:TCP:PORT_56326
"46663:TCP"= 46663:TCP:PORT_46663
"16396:TCP"= 16396:TCP:PORT_16396
"31143:TCP"= 31143:TCP:PORT_31143
"14541:TCP"= 14541:TCP:PORT_14541
"47936:TCP"= 47936:TCP:PORT_47936
"41640:TCP"= 41640:TCP:PORT_41640
"60210:TCP"= 60210:TCP:PORT_60210
"16801:TCP"= 16801:TCP:PORT_16801
"41255:TCP"= 41255:TCP:PORT_41255
"46394:TCP"= 46394:TCP:PORT_46394
"14377:TCP"= 14377:TCP:PORT_14377
"40773:TCP"= 40773:TCP:PORT_40773
"33120:TCP"= 33120:TCP:PORT_33120
"9221:TCP"= 9221:TCP:PORT_9221
"31945:TCP"= 31945:TCP:PORT_31945
"62458:TCP"= 62458:TCP:PORT_62458
"31141:TCP"= 31141:TCP:PORT_31141
"49070:TCP"= 49070:TCP:PORT_49070
"28293:TCP"= 28293:TCP:PORT_28293
"60568:TCP"= 60568:TCP:PORT_60568
"53106:TCP"= 53106:TCP:PORT_53106
"14170:TCP"= 14170:TCP:PORT_14170
"43269:TCP"= 43269:TCP:PORT_43269
"34936:TCP"= 34936:TCP:PORT_34936
"17423:TCP"= 17423:TCP:PORT_17423
"17226:TCP"= 17226:TCP:PORT_17226
"10265:TCP"= 10265:TCP:PORT_10265
"9438:TCP"= 9438:TCP:PORT_9438
"29915:TCP"= 29915:TCP:PORT_29915
"63150:TCP"= 63150:TCP:PORT_63150
"59949:TCP"= 59949:TCP:PORT_59949
"28248:TCP"= 28248:TCP:PORT_28248
"14022:TCP"= 14022:TCP:PORT_14022
"10385:TCP"= 10385:TCP:PORT_10385
"11331:TCP"= 11331:TCP:PORT_11331
"26828:TCP"= 26828:TCP:PORT_26828
"62173:TCP"= 62173:TCP:PORT_62173
"65260:TCP"= 65260:TCP:PORT_65260
"14001:TCP"= 14001:TCP:PORT_14001
"32193:TCP"= 32193:TCP:PORT_32193
"59256:TCP"= 59256:TCP:PORT_59256
"10430:TCP"= 10430:TCP:PORT_10430
"27899:TCP"= 27899:TCP:PORT_27899
"29963:TCP"= 29963:TCP:PORT_29963
"19903:TCP"= 19903:TCP:PORT_19903
"9368:TCP"= 9368:TCP:PORT_9368
"44465:TCP"= 44465:TCP:PORT_44465
"39276:TCP"= 39276:TCP:PORT_39276
"28516:TCP"= 28516:TCP:PORT_28516
"54704:TCP"= 54704:TCP:PORT_54704
"22851:TCP"= 22851:TCP:PORT_22851
"8326:TCP"= 8326:TCP:PORT_8326
"26733:TCP"= 26733:TCP:PORT_26733
"45119:TCP"= 45119:TCP:PORT_45119
"26830:TCP"= 26830:TCP:PORT_26830
"64715:TCP"= 64715:TCP:PORT_64715
"35790:TCP"= 35790:TCP:PORT_35790
"61141:TCP"= 61141:TCP:PORT_61141
"35275:TCP"= 35275:TCP:PORT_35275
"31464:TCP"= 31464:TCP:PORT_31464
"33218:TCP"= 33218:TCP:PORT_33218
"27333:TCP"= 27333:TCP:PORT_27333
"60193:TCP"= 60193:TCP:PORT_60193
"50612:TCP"= 50612:TCP:PORT_50612
"33630:TCP"= 33630:TCP:PORT_33630
"39106:TCP"= 39106:TCP:PORT_39106
"63597:TCP"= 63597:TCP:PORT_63597
"55235:TCP"= 55235:TCP:PORT_55235
"30806:TCP"= 30806:TCP:PORT_30806
"27740:TCP"= 27740:TCP:PORT_27740
"28056:TCP"= 28056:TCP:PORT_28056
"6365:TCP"= 6365:TCP:PORT_6365
"8765:TCP"= 8765:TCP:PORT_8765
"34006:TCP"= 34006:TCP:PORT_34006
"18941:TCP"= 18941:TCP:PORT_18941
"56321:TCP"= 56321:TCP:PORT_56321
"59493:TCP"= 59493:TCP:PORT_59493
"17876:TCP"= 17876:TCP:PORT_17876
"55945:TCP"= 55945:TCP:PORT_55945
"49879:TCP"= 49879:TCP:PORT_49879
"62656:TCP"= 62656:TCP:PORT_62656
"24888:TCP"= 24888:TCP:PORT_24888
"58695:TCP"= 58695:TCP:PORT_58695
"19391:TCP"= 19391:TCP:PORT_19391
"63760:TCP"= 63760:TCP:PORT_63760
"22775:TCP"= 22775:TCP:PORT_22775
"41720:TCP"= 41720:TCP:PORT_41720
"65056:TCP"= 65056:TCP:PORT_65056
"54964:TCP"= 54964:TCP:PORT_54964
"63551:TCP"= 63551:TCP:PORT_63551
"13213:TCP"= 13213:TCP:PORT_13213
"48760:TCP"= 48760:TCP:PORT_48760
"19508:TCP"= 19508:TCP:PORT_19508
"35763:TCP"= 35763:TCP:PORT_35763
"7761:TCP"= 7761:TCP:PORT_7761
"9596:TCP"= 9596:TCP:PORT_9596
"31103:TCP"= 31103:TCP:PORT_31103
"9963:TCP"= 9963:TCP:PORT_9963
"65026:TCP"= 65026:TCP:PORT_65026
"47591:TCP"= 47591:TCP:PORT_47591
"13100:TCP"= 13100:TCP:PORT_13100
"19554:TCP"= 19554:TCP:PORT_19554
"16259:TCP"= 16259:TCP:PORT_16259
"30468:TCP"= 30468:TCP:PORT_30468
"36447:TCP"= 36447:TCP:PORT_36447
"17158:TCP"= 17158:TCP:PORT_17158
"9568:TCP"= 9568:TCP:PORT_9568
"53096:TCP"= 53096:TCP:PORT_53096
"38196:TCP"= 38196:TCP:PORT_38196
"7371:TCP"= 7371:TCP:PORT_7371
"59121:TCP"= 59121:TCP:PORT_59121
"28385:TCP"= 28385:TCP:PORT_28385
"30105:TCP"= 30105:TCP:PORT_30105
"23738:TCP"= 23738:TCP:PORT_23738
"54691:TCP"= 54691:TCP:PORT_54691
"62101:TCP"= 62101:TCP:PORT_62101
"20105:TCP"= 20105:TCP:PORT_20105
"40842:TCP"= 40842:TCP:PORT_40842
"35856:TCP"= 35856:TCP:PORT_35856
"63943:TCP"= 63943:TCP:PORT_63943
"60273:TCP"= 60273:TCP:PORT_60273
"33901:TCP"= 33901:TCP:PORT_33901
"16263:TCP"= 16263:TCP:PORT_16263
"32233:TCP"= 32233:TCP:PORT_32233
"45429:TCP"= 45429:TCP:PORT_45429
"5823:TCP"= 5823:TCP:PORT_5823
"55783:TCP"= 55783:TCP:PORT_55783
"34100:TCP"= 34100:TCP:PORT_34100
"64790:TCP"= 64790:TCP:PORT_64790
"8712:TCP"= 8712:TCP:PORT_8712
"34615:TCP"= 34615:TCP:PORT_34615
"7824:TCP"= 7824:TCP:PORT_7824
"58444:TCP"= 58444:TCP:Pando Media Booster
"58444:UDP"= 58444:UDP:Pando Media Booster
"57094:TCP"= 57094:TCP:Pando Media Booster
"57094:UDP"= 57094:UDP:Pando Media Booster

R2 HPFECP06;HPFECP06;c:\windows\SYSTEM32\DRIVERS\hpfecp06.sys [11/03/2005 3:29 PM 38176]
S0 gmsgs;gmsgs;c:\windows\system32\drivers\ibjev.sys --> c:\windows\system32\drivers\ibjev.sys [?]
S0 ihte;ihte;c:\windows\system32\drivers\ejaeld.sys --> c:\windows\system32\drivers\ejaeld.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-CTFMON - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-20 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\msiexec.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-12-20 19:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 00:12

Pre-Run: 46,371,536,896 bytes free
Post-Run: 46,806,777,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 54A3921C34C9E848B0DF7E9C2465797C

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 21st December 2009, 12:22 am


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\Glisakamodeta.dat
    c:\windows\Hfenewugonajero.bin

    Driver::
    gmsgs
    ihte
    npggsvc

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 21st December 2009, 1:55 am

ComboFix 09-12-19.04 - Amanda 20/12/2009 19:28:10.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.229 [GMT -5:00]
Running from: c:\documents and settings\Amanda\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Amanda\Desktop\CFScript.txt.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Glisakamodeta.dat"
"c:\windows\Hfenewugonajero.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Glisakamodeta.dat
c:\windows\Hfenewugonajero.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gmsgs
-------\Service_ihte


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-20 23:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-20 23:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-20 22:48 . 2009-12-20 22:48 -------- d-----w- c:\program files\TrendMicro
2009-11-30 22:40 . 2009-11-30 22:40 -------- d-sh--w- c:\documents and settings\Tom\PrivacIE
2009-11-30 22:30 . 2009-11-30 22:30 -------- d-sh--w- c:\documents and settings\Tom\IETldCache
2009-11-30 07:59 . 2009-11-30 07:59 -------- d-sh--w- c:\documents and settings\Amanda\IECompatCache
2009-11-30 07:58 . 2009-11-30 07:58 -------- d-sh--w- c:\documents and settings\Amanda\PrivacIE
2009-11-30 07:52 . 2009-11-30 07:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-30 07:51 . 2009-11-30 07:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-30 07:47 . 2009-11-30 07:47 -------- d-sh--w- c:\documents and settings\Amanda\IETldCache
2009-11-30 05:53 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-30 05:51 . 2009-12-08 03:59 -------- d-----w- c:\windows\ie8updates
2009-11-30 05:47 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-30 05:47 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-30 05:39 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-11-30 05:39 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 22:48 . 2009-12-20 22:48 388096 ----a-r- c:\documents and settings\Amanda\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-11 04:48 . 2007-02-17 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-03 23:50 . 2009-10-28 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 23:47 . 2009-12-03 23:47 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-10-28 02:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-10-28 02:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 06:24 . 2006-07-14 19:18 -------- d-----w- c:\documents and settings\Amanda\Application Data\U3
2009-11-19 13:30 . 2008-03-16 12:59 -------- d-----w- c:\program files\McAfee
2009-11-05 02:35 . 2005-02-28 21:38 82592 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-04 08:18 . 2008-09-08 23:04 -------- d-----w- c:\program files\Microsoft Works
2009-10-31 02:19 . 2009-10-31 02:19 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-10-30 10:55 . 2009-10-27 22:46 -------- d-----w- c:\program files\vfixtm
2009-10-29 07:46 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-28 04:37 . 2009-10-18 20:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 02:34 . 2009-10-28 02:34 -------- d-----w- c:\documents and settings\Amanda\Application Data\Malwarebytes
2009-10-28 02:12 . 2009-10-28 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 02:58 . 2007-09-04 00:25 129862 ----a-w- c:\windows\hpoins13.dat
2009-10-24 16:58 . 2009-10-23 05:44 -------- d-----w- c:\program files\lpuqqi
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2005-2-21 156784]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8616:TCP"= 8616:TCP:PORT_8616
"37737:TCP"= 37737:TCP:PORT_37737
"11048:TCP"= 11048:TCP:PORT_11048
"11426:TCP"= 11426:TCP:PORT_11426
"12726:TCP"= 12726:TCP:PORT_12726
"49335:TCP"= 49335:TCP:PORT_49335
"24719:TCP"= 24719:TCP:PORT_24719
"52391:TCP"= 52391:TCP:PORT_52391
"22843:TCP"= 22843:TCP:PORT_22843
"35391:TCP"= 35391:TCP:PORT_35391
"7440:TCP"= 7440:TCP:PORT_7440
"34165:TCP"= 34165:TCP:PORT_34165
"29940:TCP"= 29940:TCP:PORT_29940
"47946:TCP"= 47946:TCP:PORT_47946
"56326:TCP"= 56326:TCP:PORT_56326
"46663:TCP"= 46663:TCP:PORT_46663
"16396:TCP"= 16396:TCP:PORT_16396
"31143:TCP"= 31143:TCP:PORT_31143
"14541:TCP"= 14541:TCP:PORT_14541
"47936:TCP"= 47936:TCP:PORT_47936
"41640:TCP"= 41640:TCP:PORT_41640
"60210:TCP"= 60210:TCP:PORT_60210
"16801:TCP"= 16801:TCP:PORT_16801
"41255:TCP"= 41255:TCP:PORT_41255
"46394:TCP"= 46394:TCP:PORT_46394
"14377:TCP"= 14377:TCP:PORT_14377
"40773:TCP"= 40773:TCP:PORT_40773
"33120:TCP"= 33120:TCP:PORT_33120
"9221:TCP"= 9221:TCP:PORT_9221
"31945:TCP"= 31945:TCP:PORT_31945
"62458:TCP"= 62458:TCP:PORT_62458
"31141:TCP"= 31141:TCP:PORT_31141
"49070:TCP"= 49070:TCP:PORT_49070
"28293:TCP"= 28293:TCP:PORT_28293
"60568:TCP"= 60568:TCP:PORT_60568
"53106:TCP"= 53106:TCP:PORT_53106
"14170:TCP"= 14170:TCP:PORT_14170
"43269:TCP"= 43269:TCP:PORT_43269
"34936:TCP"= 34936:TCP:PORT_34936
"17423:TCP"= 17423:TCP:PORT_17423
"17226:TCP"= 17226:TCP:PORT_17226
"10265:TCP"= 10265:TCP:PORT_10265
"9438:TCP"= 9438:TCP:PORT_9438
"29915:TCP"= 29915:TCP:PORT_29915
"63150:TCP"= 63150:TCP:PORT_63150
"59949:TCP"= 59949:TCP:PORT_59949
"28248:TCP"= 28248:TCP:PORT_28248
"14022:TCP"= 14022:TCP:PORT_14022
"10385:TCP"= 10385:TCP:PORT_10385
"11331:TCP"= 11331:TCP:PORT_11331
"26828:TCP"= 26828:TCP:PORT_26828
"62173:TCP"= 62173:TCP:PORT_62173
"65260:TCP"= 65260:TCP:PORT_65260
"14001:TCP"= 14001:TCP:PORT_14001
"32193:TCP"= 32193:TCP:PORT_32193
"59256:TCP"= 59256:TCP:PORT_59256
"10430:TCP"= 10430:TCP:PORT_10430
"27899:TCP"= 27899:TCP:PORT_27899
"29963:TCP"= 29963:TCP:PORT_29963
"19903:TCP"= 19903:TCP:PORT_19903
"9368:TCP"= 9368:TCP:PORT_9368
"44465:TCP"= 44465:TCP:PORT_44465
"39276:TCP"= 39276:TCP:PORT_39276
"28516:TCP"= 28516:TCP:PORT_28516
"54704:TCP"= 54704:TCP:PORT_54704
"22851:TCP"= 22851:TCP:PORT_22851
"8326:TCP"= 8326:TCP:PORT_8326
"26733:TCP"= 26733:TCP:PORT_26733
"45119:TCP"= 45119:TCP:PORT_45119
"26830:TCP"= 26830:TCP:PORT_26830
"64715:TCP"= 64715:TCP:PORT_64715
"35790:TCP"= 35790:TCP:PORT_35790
"61141:TCP"= 61141:TCP:PORT_61141
"35275:TCP"= 35275:TCP:PORT_35275
"31464:TCP"= 31464:TCP:PORT_31464
"33218:TCP"= 33218:TCP:PORT_33218
"27333:TCP"= 27333:TCP:PORT_27333
"60193:TCP"= 60193:TCP:PORT_60193
"50612:TCP"= 50612:TCP:PORT_50612
"33630:TCP"= 33630:TCP:PORT_33630
"39106:TCP"= 39106:TCP:PORT_39106
"63597:TCP"= 63597:TCP:PORT_63597
"55235:TCP"= 55235:TCP:PORT_55235
"30806:TCP"= 30806:TCP:PORT_30806
"27740:TCP"= 27740:TCP:PORT_27740
"28056:TCP"= 28056:TCP:PORT_28056
"6365:TCP"= 6365:TCP:PORT_6365
"8765:TCP"= 8765:TCP:PORT_8765
"34006:TCP"= 34006:TCP:PORT_34006
"18941:TCP"= 18941:TCP:PORT_18941
"56321:TCP"= 56321:TCP:PORT_56321
"59493:TCP"= 59493:TCP:PORT_59493
"17876:TCP"= 17876:TCP:PORT_17876
"55945:TCP"= 55945:TCP:PORT_55945
"49879:TCP"= 49879:TCP:PORT_49879
"62656:TCP"= 62656:TCP:PORT_62656
"24888:TCP"= 24888:TCP:PORT_24888
"58695:TCP"= 58695:TCP:PORT_58695
"19391:TCP"= 19391:TCP:PORT_19391
"63760:TCP"= 63760:TCP:PORT_63760
"22775:TCP"= 22775:TCP:PORT_22775
"41720:TCP"= 41720:TCP:PORT_41720
"65056:TCP"= 65056:TCP:PORT_65056
"54964:TCP"= 54964:TCP:PORT_54964
"63551:TCP"= 63551:TCP:PORT_63551
"13213:TCP"= 13213:TCP:PORT_13213
"48760:TCP"= 48760:TCP:PORT_48760
"19508:TCP"= 19508:TCP:PORT_19508
"35763:TCP"= 35763:TCP:PORT_35763
"7761:TCP"= 7761:TCP:PORT_7761
"9596:TCP"= 9596:TCP:PORT_9596
"31103:TCP"= 31103:TCP:PORT_31103
"9963:TCP"= 9963:TCP:PORT_9963
"65026:TCP"= 65026:TCP:PORT_65026
"47591:TCP"= 47591:TCP:PORT_47591
"13100:TCP"= 13100:TCP:PORT_13100
"19554:TCP"= 19554:TCP:PORT_19554
"16259:TCP"= 16259:TCP:PORT_16259
"30468:TCP"= 30468:TCP:PORT_30468
"36447:TCP"= 36447:TCP:PORT_36447
"17158:TCP"= 17158:TCP:PORT_17158
"9568:TCP"= 9568:TCP:PORT_9568
"53096:TCP"= 53096:TCP:PORT_53096
"38196:TCP"= 38196:TCP:PORT_38196
"7371:TCP"= 7371:TCP:PORT_7371
"59121:TCP"= 59121:TCP:PORT_59121
"28385:TCP"= 28385:TCP:PORT_28385
"30105:TCP"= 30105:TCP:PORT_30105
"23738:TCP"= 23738:TCP:PORT_23738
"54691:TCP"= 54691:TCP:PORT_54691
"62101:TCP"= 62101:TCP:PORT_62101
"20105:TCP"= 20105:TCP:PORT_20105
"40842:TCP"= 40842:TCP:PORT_40842
"35856:TCP"= 35856:TCP:PORT_35856
"63943:TCP"= 63943:TCP:PORT_63943
"60273:TCP"= 60273:TCP:PORT_60273
"33901:TCP"= 33901:TCP:PORT_33901
"16263:TCP"= 16263:TCP:PORT_16263
"32233:TCP"= 32233:TCP:PORT_32233
"45429:TCP"= 45429:TCP:PORT_45429
"5823:TCP"= 5823:TCP:PORT_5823
"55783:TCP"= 55783:TCP:PORT_55783
"34100:TCP"= 34100:TCP:PORT_34100
"64790:TCP"= 64790:TCP:PORT_64790
"8712:TCP"= 8712:TCP:PORT_8712
"34615:TCP"= 34615:TCP:PORT_34615
"7824:TCP"= 7824:TCP:PORT_7824
"58444:TCP"= 58444:TCP:Pando Media Booster
"58444:UDP"= 58444:UDP:Pando Media Booster
"57094:TCP"= 57094:TCP:Pando Media Booster
"57094:UDP"= 57094:UDP:Pando Media Booster

R2 HPFECP06;HPFECP06;c:\windows\SYSTEM32\DRIVERS\hpfecp06.sys [11/03/2005 3:29 PM 38176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-20 19:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3500)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\msiexec.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\MsiExec.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-12-20 20:02:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 01:02
ComboFix2.txt 2009-12-21 00:13

Pre-Run: 46,821,072,896 bytes free
Post-Run: 46,783,672,320 bytes free

- - End Of File - - 6B55B7A890F66DB4622A8707627A7BDB

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 21st December 2009, 7:08 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 22nd December 2009, 2:11 am

Thank you very much, everything seems to be working fine now.

I would also like to know if it's ok to uninstall both GMER and HijackThis, or it's better to keep them on my computer.

Happy holidays and a big thank you! =)

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 22nd December 2009, 5:57 pm

Uninstall both of them. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 22nd December 2009, 10:42 pm

GMER doesn't appear on my "Add or Remove Programs" list, is there any way to remove it?

Thanks again, and sorry for bothering you so much.

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 22nd December 2009, 11:08 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

start "C:\Windows\gmer_uninstall.cmd"


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 22nd December 2009, 11:18 pm

When I try to uninstall it, it says;
"Windows cannot find 'start'. Make sure you typed the name correctly and then try again. To search for a file, click the Start button, and then click Search."

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 22nd December 2009, 11:28 pm

Okay, remove the start from it, then try this:

"C:\Windows\gmer_uninstall.cmd"


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 23rd December 2009, 1:04 am

It doesn't work either, I get the same results as before.

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by Belahzur on 23rd December 2009, 1:06 am

Nevermind then, just delete gmer.exe from your Desktop.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Recurring 'DNSCharger' Trojan found on computer

Post by SilverSonata on 23rd December 2009, 1:08 am

Smile Thank you very much for all the help.

Happy Holidays!

SilverSonata
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2009-11-30
OS OS : Windows 7
Protection Protection : Norton Internet Security
Points Points : 26365
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum